Cannot list resource "configmaps" in API group when deploying Weaviate k8s setup on GCP

10/22/2019

When running (on GCP):

$ helm upgrade \
  --values ./values.yaml \
  --install \
  --namespace "weaviate" \
  "weaviate" \
  weaviate.tgz

It returns:

UPGRADE FAILED
Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "configmaps" in API group "" in the namespace "kube-system"
Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "configmaps" in API group "" in the namespace "kube-system"

UPDATE: based on the solution

$ vim rbac-config.yaml

Add to the file:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Run:

$ kubectl create -f rbac-config.yaml
$ helm init --service-account tiller --upgrade

Note: based on Helm v2.

-- Bob van Luijt
google-cloud-platform
kubernetes
kubernetes-helm
weaviate

1 Answer

10/22/2019

tl;dr: Set up Helm with the appropriate authorization settings for your cluster, see https://v2.helm.sh/docs/using_helm/#role-based-access-control

Long Answer

Your experience is not specific to the Weaviate Helm chart; rather, it looks like Helm is not set up according to the cluster authorization settings. Other Helm commands should fail with the same or a similar error.

The following error

Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list resource "configmaps" in API group "" in the namespace "kube-system"

means that the default service account in the kube-system namespace is lacking permissions. I assume you have installed Helm/Tiller in the kube-system namespace, as this is the default if no other arguments are specified on helm init. Since you haven't created a specific Service Account for Tiller to use, it defaults to the default service account.

Since you are mentioning that you are running on GCP, I assume this means you are using GKE. GKE by default has RBAC Authorization enabled. In an RBAC setting no one has any rights by default, all rights need to be explicitly granted.

The Helm docs list several options on how to make Helm/Tiller work in an RBAC-enabled setting. If the cluster has the sole purpose of running Weaviate, you can choose the simplest option: Service Account with cluster-admin role. The process described there essentially creates a dedicated service account for Tiller and adds the required ClusterRoleBinding to the existing cluster-admin ClusterRole. Note that this effectively makes Helm/Tiller an admin of the entire cluster.

If you are running a multi-tenant cluster and/or want to limit Tiller's permissions to a specific namespace, you need to choose one of the alternatives.

-- etiennedi
Source: StackOverflow
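Added example, not code from the question, the answer, Helm or Weaviate: a constructed miniature of the RBAC evaluation the answer describes (default deny; a ClusterRoleBinding grants everywhere, a RoleBinding only in its namespace). It reproduces the denied request from the error above, shows what the cluster-admin fix grants, and models the namespace-restricted alternative the answer points to; the Role name tiller-manager and placing Tiller in the weaviate namespace are assumptions.

```python
# Constructed miniature of Kubernetes RBAC evaluation. Not Helm or apiserver code;
# the real evaluator also handles Users, Groups, resourceNames and more.
def rule_allows(rule, api_group, resource, verb):
    # apiGroup, resource and verb must each be listed explicitly or covered by "*".
    # The core API group is "", exactly as printed in the error on this page.
    checks = ((api_group, rule["apiGroups"]), (resource, rule["resources"]),
              (verb, rule["verbs"]))
    return all(value in allowed or "*" in allowed for value, allowed in checks)

def can_i(account, verb, resource, namespace, api_group="", *, roles, bindings):
    """account = (name, namespace) of a ServiceAccount. Default deny: True only
    when a binding names this subject AND the referenced role has a matching rule.
    ClusterRoleBinding -> its rules apply in every namespace.
    RoleBinding        -> its rules apply only inside the binding's namespace."""
    for b in bindings:
        if not any(s["kind"] == "ServiceAccount" and (s["name"], s["namespace"]) == account
                   for s in b["subjects"]):
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        key = (ref["kind"], ref["name"], b["namespace"] if ref["kind"] == "Role" else None)
        if any(rule_allows(r, api_group, resource, verb) for r in roles[key]):
            return True
    return False

def sa(name, namespace):
    return {"kind": "ServiceAccount", "name": name, "namespace": namespace}

ROLES = {
    ("ClusterRole", "cluster-admin", None): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    # Namespace-scoped Role modelled on the Helm v2 RBAC docs (name is assumed).
    ("Role", "tiller-manager", "weaviate"): [
        {"apiGroups": ["", "batch", "extensions", "apps"], "resources": ["*"], "verbs": ["*"]}],
}
# 1) State behind the page's error: nothing is bound to kube-system's default SA.
NO_BINDINGS = []
# 2) The page's fix: a dedicated tiller SA bound cluster-wide to cluster-admin.
CLUSTER_ADMIN_FIX = [{"kind": "ClusterRoleBinding", "namespace": None,
                      "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                      "subjects": [sa("tiller", "kube-system")]}]
# 3) Least-privilege alternative: Tiller and its SA live in "weaviate"
#    (helm init --tiller-namespace weaviate) and are bound only there.
NAMESPACED_ALT = [{"kind": "RoleBinding", "namespace": "weaviate",
                   "roleRef": {"kind": "Role", "name": "tiller-manager"},
                   "subjects": [sa("tiller", "weaviate")]}]

if __name__ == "__main__":  # namespaced Tiller cannot touch kube-system -> False
    print(can_i(("tiller", "weaviate"), "list", "configmaps", "kube-system", roles=ROLES, bindings=NAMESPACED_ALT))
```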