Helm in a kops cluster with RBAC

Posted on May 25, 2018  (Last modified on July 11, 2024) • 1 min read • 184 words
Helm   Kubernetes   Rbac  

I created a K8S cluster on AWS with kops.

I ran helm init to install tiller in the cluster.

I ran helm list to see if it worked.

I got this:

Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" \
    cannot list configmaps in the namespace "kube-system"

That sucked. And Google proved … reluctant. What I could figure out is:

Causes  

  • kops sets up the cluster with RBAC enabled (which is good)
  • helm (well, tiller) uses a standard role for doing things (which might be ok, at least it was with my stackpoint cluster), but in that case (for whatever reason) it did not have sufficient privileges
  • so we need to prepare some cluster admin roles for helm to use

Fixes  

Just do exactly as it says in the helm docs 🙂 :

  • apply the RBAC YAML file, which creates the kube-system/tiller service account and binds it to the cluster-admin role.
  • install helm with: helm init --service-account tiller

Is that secure? Not so much. With helm you can still do anything to the cluster at all. I might get to this in a later post.
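
The two fix steps as a shell script, followed by a check of what the resulting binding allows. This is an added example, not code from the original post or the Helm docs; it targets Helm v2, and the ClusterRoleBinding name "tiller", the function names and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Targets Helm v2 (Tiller).
# Assumed names: the ClusterRoleBinding name "tiller" and all function names.

# Print the RBAC manifest: service account kube-system/tiller, bound
# cluster-wide to the built-in cluster-admin ClusterRole.
tiller_rbac_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
EOF
}

# Apply the manifest, then install Tiller under the new service account.
# If Tiller is already installed (as here, after a plain "helm init"),
# pass --upgrade as an extra argument.
setup_tiller() {
  tiller_rbac_manifest | kubectl apply -f - &&
    helm init --service-account tiller "$@"
}

# Ask the API server what the service account may do.
audit_tiller() {
  sa="system:serviceaccount:kube-system:tiller"
  # The call that failed for kube-system:default in the error above.
  kubectl auth can-i list configmaps --namespace kube-system --as "$sa"
  # Answers "yes" under cluster-admin: any verb on any resource.
  kubectl auth can-i '*' '*' --as "$sa"
}

# Touch the cluster only when asked to, e.g. (hypothetical file name):
#   sh tiller-rbac.sh apply --upgrade
if [ "${1:-}" = "apply" ]; then shift; setup_tiller "$@" && audit_tiller; fi
```

The second can-i answer is the reason for the "not so much" above: anyone who can reach Tiller acts with that service account's rights.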

(c) Axel Bock | Powered by Hinode.