For example, I change role verbs

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: provisioning-role
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch"]
```

and run a Helm upgrade. Should the pods bound to those roles be restarted/replaced? (Those pods may be created manually without Helm.)
It depends on the ServiceAccount that your pod is using.

Let's say you are using the default ServiceAccount for your deployed pods. Then to give your pod additional access to resources, verbs, etc., you must bind the ClusterRole to that ServiceAccount through a ClusterRoleBinding.

If you have a ServiceAccount that is not currently bound to your pod, then you must do the ClusterRoleBinding and then load the ServiceAccount into the pod via the designated field spec.serviceAccountName. Note that you cannot update the ServiceAccount of an already created pod. You must restart it in this case.
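As an added example (not part of either answer), here is the wiring the answer above describes: a dedicated ServiceAccount (the name `provisioner` and the `default` namespace are assumed), a ClusterRoleBinding that grants it the `provisioning-role` from the question, and a Deployment whose pod template selects that account through `spec.serviceAccountName`. Changing the role's verbs later only touches the ClusterRole; the binding and the pods stay as they are.

```yaml
# ServiceAccount the pods will run as (name and namespace are assumed for this example)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: provisioner
  namespace: default
automountServiceAccountToken: true   # the pod needs the token mounted to call the API
---
# Grants provisioning-role (from the question) to that ServiceAccount.
# The subject is the ServiceAccount, not the pod, so a later edit to the
# ClusterRole's verbs takes effect without touching this binding or the pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: provisioning-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: provisioning-role
subjects:
- kind: ServiceAccount
  name: provisioner
  namespace: default
---
# The pod template selects the account via spec.serviceAccountName.
# That field is immutable on a running pod, which is why a pod that was
# created with the default account must be recreated to pick up a new one.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: provisioner
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: provisioner
  template:
    metadata:
      labels:
        app: provisioner
    spec:
      serviceAccountName: provisioner
      containers:
      - name: main
        image: example.com/provisioner:1.0   # placeholder image
```

To confirm the grant without entering the pod, `kubectl auth can-i list deployments --as=system:serviceaccount:default:provisioner` answers `yes` as soon as the binding exists and `no` again right after the verb is removed from the ClusterRole, with no pod restart in between.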
No need to recreate the pods. When you create a Role/RoleBinding or ClusterRole/ClusterRoleBinding, the entities automatically get these permissions right away.

One proof used to be Helm itself. When you freshly install Helm, you get this error from Tiller saying it has no access to the cluster to do anything, but then you give Tiller cluster-role (or any other, with more caution) permissions and it starts working right away.