Charts: [stable/concourse] Concourse helm install fails with ClusterRoleBinding/RBAC error

Created on 12 Jul 2018  路  5Comments  路  Source: helm/charts

Version of Helm and Kubernetes:
Client: v2.9.1
Server: v2.9.1
kubectl / GKE : 1.9

Which chart:
Concourse

What happened:
The helm install stable/concourse fails with error
Error: release concourse failed: clusterroles.rbac.authorization.k8s.io "concourse-web" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]}] user=&{system:serviceaccount:kube-system:default 76979781-bb53-11e7-9ba2-42010af001fd [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]} PolicyRule{NonResourceURLs:["/swagger-2.0.0.pb-v1"], Verbs:["get"]} PolicyRule{NonResourceURLs:["/swagger.json"], Verbs:["get"]}] ruleResolutionErrors=[]

What you expected to happen:
Work

How to reproduce it (as minimally and precisely as possible):
helm install stable/concourse

I have tried creating ClusterRoleBinding and give cluster admin role but seems I am missing some specific role for specific user

kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin --user=$(gcloud config get-value account)

Anything else we need to know:
References:

  1. https://cloud.google.com/solutions/jenkins-on-kubernetes-engine-tutorial
  2. https://blog.heptio.com/security-matters-rbac-in-kubernetes-e369b483c8d8
picture rjain15
👍4

All 5 comments

I have the same issue, have you found a solution as I am not on gcp ? Thx

jmlambert78 picture jmlambert78 on 23 Jul 2018
👍1

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

stale[bot] picture stale[bot] on 22 Aug 2018
👎1

I'm trying to install chart in minikube

Aleksandrs-Mini:~ aleksandr$ helm install --name=concourse --debug stable/concourse
[debug] Created tunnel using local port: '51218'

[debug] SERVER: "127.0.0.1:51218"

[debug] Original chart version: ""
[debug] Fetched stable/concourse to /Users/aleksandr/.helm/cache/archive/concourse-1.16.0.tgz

[debug] CHART PATH: /Users/aleksandr/.helm/cache/archive/concourse-1.16.0.tgz

Error: release concourse failed: clusterroles.rbac.authorization.k8s.io "concourse-web" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["get"]}] user=&{system:serviceaccount:kube-system:default 59fb19a3-fc83-11e7-b0fe-0800279824a8 [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]

I don't get it what output means...

kondaurovDev picture kondaurovDev on 24 Aug 2018

This is probably because you are trying to install it in a Kubernetes cluster without RBAC. Try creating a values.yml file with the contents:

rbac:
  create: no

And then redeploy with that values file (-f flag).

outworlder picture outworlder on 20 Sep 2018
👍1

worked with rbac enabled. Thanks

rjain15 picture rjain15 on 28 Sep 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ChrisCooney picture ChrisCooney  路  3Comments
mluedke picture mluedke  路  3Comments
dene14 picture dene14  路  3Comments
rajkumar49 picture rajkumar49  路  3Comments
mickengland picture mickengland  路  3Comments