User "system:serviceaccount:tiller-world:tiller" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope

Server Fault user
Asked on 2019-07-06 04:38:17
Answers 1  Views 3.5K  Following 0  Votes 0

I am trying to follow Tiller and Role-based Access Control, but I end up with a failed installation and cannot figure out what I am missing.

```console
$ kubectl create namespace tiller-world
namespace/tiller-world created
$ kubectl create serviceaccount tiller --namespace tiller-world
serviceaccount/tiller created
$ kubectl create -f role-tiller.yaml
role.rbac.authorization.k8s.io/tiller-manager created
$ kubectl create -f rolebinding-tiller.yaml
rolebinding.rbac.authorization.k8s.io/tiller-binding created
$ helm init --service-account tiller --tiller-namespace tiller-world
$HELM_HOME has been configured at /home/toor/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Happy Helming!
$ 
$ helm version
Client: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
$ 
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "elastic" chart repository
...Successfully got an update from the "incubator" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈ 
$ 
$ helm install nginx --tiller-namespace tiller-world --namespace tiller-world
Error: failed to download "nginx" (hint: running `helm repo update` may help)
$ 
```

I also tried to install elasticsearch, but the error is different ((

```console
$ helm install --name elasticsearch --namespace=tiller-world elastic/elasticsearch --version 7.2.0
Error: release elasticsearch failed: namespaces "tiller-world" is forbidden: User "system:serviceaccount:kube-system:default" cannot get resource "namespaces" in API group "" in the namespace "tiller-world"
$ 
```

Please advise.

@asktyagi

```console
$ helm search nginx
NAME                        CHART VERSION   APP VERSION DESCRIPTION                                                 
stable/nginx-ingress        1.8.1           0.24.1      An nginx Ingress controller that uses ConfigMap to store ...
stable/nginx-ldapauth-proxy 0.1.2           1.13.5      nginx proxy with ldapauth                                   
stable/nginx-lego           0.3.1                       Chart for nginx-ingress-controller and kube-lego            
stable/gcloud-endpoints     0.1.2           1           DEPRECATED Develop, deploy, protect and monitor your APIs...
$ 
$ helm install stable/nginx-ingress --tiller-namespace tiller-world --namespace tiller-world
Error: release edgy-anaconda failed: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
$ 
```

role-tiller.yaml

```console
$ cat role-tiller.yaml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: tiller-world
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
$ 
```

rolebinding-tiller.yaml

```console
$ cat rolebinding-tiller.yaml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: tiller-world
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller-world
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
$ 
```

helm-user.yaml

```console
$ cat helm-user.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helm
  namespace: helm-world
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-user
  namespace: tiller-world
rules:
- apiGroups:
  - ""
  resources:
  - pods/portforward
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-user-binding
  namespace: tiller-world
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-user
subjects:
- kind: ServiceAccount
  name: helm
  namespace: helm-world
$ 
```

@Yahir Hernández

```console
$ cat rbac-config.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
$ kubectl create -f rbac-config.yaml 
serviceaccount/tiller created
clusterrolebinding.rbac.authorization.k8s.io/tiller created
$ 
$ helm install stable/nginx-ingress --tiller-namespace tiller-world --namespace kube-system
Error: release wintering-chinchilla failed: namespaces "kube-system" is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot get resource "namespaces" in API group "" in the namespace "kube-system"
$ 
$ helm install stable/nginx-ingress --namespace kube-system
Error: no available release name found
$ 
```

1 Answer

Server Fault user

Posted on 2019-07-08 17:03:45

The first nginx download error seems to be related to "nginx" not being available in the stable channel:

```console
$ helm repo list|grep stable
```

In particular, for your case it looks like it should begin with "stable/nginx...", matching the helm search nginx results.

The second attempt failed because you created a Role instead of a ClusterRole; the chart's resources may require authorization at the cluster level rather than the namespace level.

From the documentation:

> A role can be defined within a namespace with a Role, or cluster-wide with a ClusterRole.

You can use a ClusterRole to deploy charts that require cluster-wide permissions.

Votes 1
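The ClusterRole the answer points at should still be as narrow as the authorizer's error demands; the cluster-admin binding tried in the question grants far more than nginx-ingress needs. The following added example (not code from the thread) parses the forbidden messages quoted above and emits the single-rule Role or ClusterRole, plus the subject to bind it to, so each denial is remediated with one explicit grant:

```python
"""Turn a Kubernetes RBAC 'forbidden' message into the narrowest Role or
ClusterRole that would satisfy it (added example, not code from the thread)."""
import re

FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")')

# Constructed sample inputs: the two error lines quoted in the question above.
CLUSTER_SCOPE_ERR = ('Error: release edgy-anaconda failed: clusterroles.rbac.'
    'authorization.k8s.io is forbidden: User "system:serviceaccount:tiller-world:'
    'tiller" cannot create resource "clusterroles" in API group '
    '"rbac.authorization.k8s.io" at the cluster scope')
NAMESPACE_ERR = ('Error: release elasticsearch failed: namespaces "tiller-world" '
    'is forbidden: User "system:serviceaccount:kube-system:default" cannot get '
    'resource "namespaces" in API group "" in the namespace "tiller-world"')


def parse_forbidden(msg):
    """Extract user, verb, resource, API group and scope; ns=None means cluster scope."""
    m = FORBIDDEN_RE.search(msg)
    if not m:
        raise ValueError("not a Kubernetes RBAC forbidden message")
    return m.groupdict()


def subject_for(user):
    """Map a system:serviceaccount:<ns>:<name> username to an RBAC subject."""
    parts = user.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return {"kind": "ServiceAccount", "name": parts[3], "namespace": parts[2]}
    return {"kind": "User", "name": user}


def minimal_rule(msg):
    """Return (role_manifest, subject): one rule with exactly the denied verb.
    The authorizer's own wording decides the scope: a namespaced denial becomes
    a Role in that namespace, 'at the cluster scope' becomes a ClusterRole."""
    p = parse_forbidden(msg)
    kind = "Role" if p["ns"] else "ClusterRole"
    role = {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": {"name": f"{p['verb']}-{p['resource']}"},
            "rules": [{"apiGroups": [p["group"]], "resources": [p["resource"]],
                       "verbs": [p["verb"]]}]}
    if p["ns"]:
        role["metadata"]["namespace"] = p["ns"]
    return role, subject_for(p["user"])


if __name__ == "__main__":
    for err in (CLUSTER_SCOPE_ERR, NAMESPACE_ERR):
        print(minimal_rule(err))
```

The returned dict is valid JSON and therefore valid YAML, so it can be fed straight to kubectl apply; a chart that keeps failing will surface the next denial, which is re-run through the same function rather than closed with cluster-admin.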
Page content provided by Server Fault; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://serverfault.com/questions/974167
