Configuring Your Cluster For helm

Daisuke Maki
Sep 26, 2017


In my previous articles, I explained how to configure RBAC for Service Accounts in Kubernetes.

However, as of this writing (Sep 2017), there’s one more thing that I needed to handle, related to configuring RBAC, and that was helm.

RBAC and Helm

By default helm installs a deployment called tiller-deploy into the kube-system namespace. When you enable RBAC, though, doing things like helm list while running things in your regular namespace requires extra authorization to access the resources in the kube-system namespace.

This has been addressed in recent versions of helm by adding the --service-account flag to helm init, so now you can specify the name of a service account that has proper permissions to access tiller-deploy when installing helm.

This works perfectly if you are constructing a cluster by hand, or only once, but I needed to be able to create a mechanism in which repeatedly calling the setup tool does The Right Thing, and possibly fixes previous problems, if any.

Automation Friendly Setup

The information to make this automation-friendly can be found in the original GitHub issue:

Specifically, this comment nails it:

And here’s the copy of it, in case you really don’t want to click those links:

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

The point here is to create a Service Account, create a ClusterRoleBinding to cluster-admin so helm is allowed to do interesting things, and then patch the tiller-deploy instance. By doing this through patching, we can safely and gracefully automate the task of applying authorization, both when helm is already installed and when we’re installing it anew.

And so now, you’re ready to use helm in an RBAC-enabled world.

BTW I personally add one more layer of check in my tools for the Service Account and ClusterRoleBindings, so that I only create those when they are not present.
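
The create-only-when-absent check described above, combined with the three commands, as an added example (not the author's tool). The resource names are the article's; the function names and the "apply" argument are hypothetical. Because cluster-admin gives Tiller full control of the cluster, an existing binding is checked against the expected role instead of being assumed correct.

```shell
#!/bin/sh
# Added example, not the author's tool. Resource names are the article's;
# the function names are hypothetical.
NS=kube-system
SA=tiller
CRB=tiller-cluster-rule

# Create the Service Account only when it is absent.
ensure_serviceaccount() {
    if kubectl get serviceaccount "$SA" --namespace "$NS" >/dev/null 2>&1; then
        echo "serviceaccount $NS/$SA already present"
    else
        kubectl create serviceaccount --namespace "$NS" "$SA"
    fi
}

# Create the binding only when it is absent. An existing binding is checked,
# not trusted: roleRef cannot be edited in place, so a mismatch is reported.
ensure_clusterrolebinding() {
    if kubectl get clusterrolebinding "$CRB" >/dev/null 2>&1; then
        role=$(kubectl get clusterrolebinding "$CRB" -o jsonpath='{.roleRef.name}')
        if [ "$role" != "cluster-admin" ]; then
            echo "$CRB points at role '$role', expected cluster-admin" >&2
            return 1
        fi
        echo "clusterrolebinding $CRB already present"
    else
        kubectl create clusterrolebinding "$CRB" \
            --clusterrole=cluster-admin --serviceaccount="$NS:$SA"
    fi
}

# The patch is a no-op when tiller-deploy already uses the account.
patch_tiller() {
    kubectl patch deploy --namespace "$NS" tiller-deploy \
        -p '{"spec":{"template":{"spec":{"serviceAccount":"'"$SA"'"}}}}'
}

setup_tiller_rbac() {
    ensure_serviceaccount && ensure_clusterrolebinding && patch_tiller
}

# Run only when called as "script apply", so the file can also be sourced.
if [ "${1:-}" = "apply" ]; then
    setup_tiller_rbac
fi
```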

Happy Helming!

Daisuke Maki

Go/perl hacker; author of peco; works @ Mercari; ex-mastermind of builderscon; Proud father of three boys;