Helm: Error: error installing: User "system:anonymous" cannot create deployments.extensions in the namespace "kube-system".: "No policy matched.\nUnknown user \"system:anonymous\"" (post deployments.extensions)

Created on 8 Jul 2017 · 3 Comments · Source: helm/helm

Hi,

I have

Helm 2.5.0
Kubernetes 1.6 with RBAC enabled on GCP

Problem

Run these commands in a container with kubectl and helm:

$ kubectl config set-credentials $K8S_USER --username=$K8S_USER --password=$K8S_PASS
$ kubectl config set-cluster test-cluster --server=https://$K8S_SERVER --insecure-skip-tls-verify=$K8S_INSECURE_SKIP_TLS_VERIFY
$ kubectl config set-context default-context --cluster=$K8S_CLUSTER_NAME --user=$K8S_USER 
$ kubectl config use-context default-context
$ kubectl cluster-info
Kubernetes master is running at https://****

$ helm init
$HELM_HOME has been configured at /config/.helm.
Error: error installing: User "system:anonymous" cannot create deployments.extensions in the namespace "kube-system".: "No policy matched.\nUnknown user \"system:anonymous\"" (post deployments.extensions)

Question

What might I do to fix this error?

You will need to bind sufficient permissions to the Tiller pod's service account in order for it to be able to install the objects requested by your charts. Best is to create a fresh service account for Tiller in the same namespace in which its pod runs (in your case, "kube-system"), then either create a _Role_ in the namespaces into which you intend to install charts or a _ClusterRole_ if you want to share the definition across several namespaces, then create either _RoleBinding_ or _ClusterRoleBinding_ objects to grant these permissions to the aforementioned Tiller-specific service account.

I created a manifest with a service account and a ClusterRoleBinding definition:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
secrets:
  - tiller-secret
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Then added this service user to the Tiller specification:

kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

Then changed the command list for auth in k8s in my pipeline manifest:

begin_script:
  - echo "$CA" > /ca.crt
  - kubectl config set-cluster k8s-cluster --embed-certs=true --server=https://$K8S_SERVER --certificate-authority=/ca.crt
  - kubectl config set-credentials tiller --token=$USER_TOKEN
  - kubectl config set-context k8s-cluster --cluster=k8s-cluster --user=tiller
  - kubectl config use-context k8s-cluster 

$CA and $USER_TOKEN are the secret variables which store the ca.crt data and the tiller user token.

Use these commands to get ca.crt and user_token:

$ secret=$(kubectl get sa tiller -o json --namespace=kube-system | jq -r .secrets[].name)
$ kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D # $CA
$ kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D # $USER_TOKEN

Note that _helm init_ honors a --service-account flag as of commit 64e9e471838ac44e551c32abcbd19f671c80ecce.
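
The first comment recommends a Role per target namespace rather than a cluster-wide grant, while the second comment's manifest binds cluster-admin. The script below is an added example, not code from the thread or from Helm: it renders namespace-scoped Roles and RoleBindings for the tiller service account and then checks the result by impersonating that account with kubectl auth can-i. It assumes the "tiller" service account in kube-system from the thread, a single target namespace named "apps", and a resource list that is only a starting point.

```shell
# Added example (not from the thread): namespace-scoped Roles for Tiller in
# place of a cluster-admin ClusterRoleBinding, verified with kubectl auth can-i.
# Assumptions: service account "tiller" in kube-system (created in the thread);
# one target namespace for charts ("apps"); widen the resource list as needed.
set -eu

# Tiller stores release state in ConfigMaps in its own namespace, so it needs
# a Role there in addition to one in the namespace it deploys charts into.
render_rbac() {
  sa_ns=$1; target_ns=$2
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata: {name: tiller-releases, namespace: ${sa_ns}}
rules:
- {apiGroups: [""], resources: ["configmaps"], verbs: ["*"]}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata: {name: tiller-releases, namespace: ${sa_ns}}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: tiller-releases}
subjects: [{kind: ServiceAccount, name: tiller, namespace: ${sa_ns}}]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata: {name: tiller-deployer, namespace: ${target_ns}}
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "services", "configmaps", "secrets", "pods"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata: {name: tiller-deployer, namespace: ${target_ns}}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: tiller-deployer}
subjects: [{kind: ServiceAccount, name: tiller, namespace: ${sa_ns}}]
EOF
}

# Impersonate the service account: may it create deployments.extensions (the
# request in the error) in the target namespace, and is it still refused elsewhere?
verify_rbac() {
  as="system:serviceaccount:$1:tiller"
  kubectl auth can-i create deployments.extensions -n "$2" --as "$as"
  ! kubectl auth can-i create deployments.extensions -n default --as "$as"
}

# Touch the cluster only when asked, so the functions can be sourced safely.
if [ "${TILLER_RBAC_APPLY:-}" = 1 ]; then
  render_rbac kube-system apps | kubectl apply -f -
  verify_rbac kube-system apps
fi
```

Run with TILLER_RBAC_APPLY=1 against a cluster where the tiller service account already exists; the second can-i call is expected to print "no", which is what confirms the grant stayed inside the target namespace.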
