helm: RBAC error when running `helm upgrade --install` in self contained namespace
Setup
- Helm 2.5.0
- Kubernetes 1.6 with RBAC enabled (installed via
kubeadm)
Steps to reproduce
- Create a namespace
kubectl create namespace test-ns
- Set up helm for this namespace (just using the default service account and assigning it full admin which will just be constrained to this namespace via a rolebinding as opposed to a clusterrolebinding):
export TILLER_NAMESPACE=test-ns
kubectl create rolebinding default-admin --clusterrole=cluster-admin --serviceaccount=$TILLER_NAMESPACE:default --namespace=test-ns
helm init
- Now try and install a chart via
helm upgrade --install:
$ helm upgrade postgres stable/postgresql --install
Release "postgres" does not exist. Installing it now.
Error: release postgres failed: User "system:serviceaccount:test-ns:default" cannot get namespaces in the namespace "default". (get namespaces default)
Helm seems to be making a query to the default namespace for some reason, even though it should be contained in the namespace specified by TILLER_NAMESPACE. Specifying --tiller-namespace doesn’t make a difference either.
If you install a chart via the normal install command, it works fine though. Upgrades after that also work as expected:
$ helm install --name=postgres stable/postgresql
NAME: postgres
LAST DEPLOYED: Thu Jun 22 15:32:22 2017
NAMESPACE: test-ns
STATUS: DEPLOYED
...
$ helm upgrade postgres stable/postgresql --install
Release "postgres" has been upgraded. Happy Helming!
LAST DEPLOYED: Thu Jun 22 15:33:06 2017
NAMESPACE: test-ns
STATUS: DEPLOYED
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Comments: 16 (8 by maintainers)
It looks like tiller is trying to install into
defaultas it should when--namespaceisn’t specified. I don’t get why the normal install works here though. Try fixing the role as @seh and give it another try. Let us know if you still get the issue after that so we can try to debug it