From e261f44dde521bee47f2b00093f53cfd4af9a949 Mon Sep 17 00:00:00 2001 From: Michael Venezia Date: Fri, 3 Nov 2017 15:48:17 -0400 Subject: [PATCH 1/2] Adding documentation on what rbac privileges are needed for a helm client to connect to tiller --- docs/service_accounts.md | 58 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/docs/service_accounts.md b/docs/service_accounts.md index 612074d03..e04fa7f3d 100644 --- a/docs/service_accounts.md +++ b/docs/service_accounts.md 
@@ -110,3 +110,61 @@ NAME READY STATUS RESTARTS AGE wayfaring-yak-alpine 0/1 ContainerCreating 0 0s ``` +# Helm and Service Accounts +In order for a helm client to talk to a tiller, it will need certain privileges to be granted. + +Specifically, the helm client will need to be able to `create` `pods/portforward` and +be able to `list` `pods` in the namespace where tiller is running. + +## Example: Service account for a helm client + +In this example, we will assume tiller is running in a namespace called `tiller-world` +and that the helm client is running in a namespace called `helm-world` By default, +tiller is running in the `kube-system` namespace. + +In helm-user.yaml: +```yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: helm-user-serviceaccount + namespace: helm-world +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: Role +metadata: + name: helm-user-role + namespace: tiller-world +rules: +- apiGroups: + - "" + resources: + - pods/portforward + verbs: + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - list +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: RoleBinding +metadata: + name: helm-user-role-binding + namespace: tiller-world +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: helm-user-role +subjects: +- kind: ServiceAccount + name: helm-user-serviceaccount + namespace: helm-world +``` + +Please note that the role and rolebindings must be placed in the namespace +that tiller is running in, while the service account must be in the namespace +that the helm client is to be run in. (the pod using the helm client must +be using the service account created here) \ No newline at end of file From 62e2f140270097230557c8f70924fb0c7253774c Mon Sep 17 00:00:00 2001 From: Michael Venezia Date: Fri, 3 Nov 2017 16:12:42 -0400 Subject: [PATCH 2/2] Fixing a couple of styling issues --- docs/service_accounts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/service_accounts.md b/docs/service_accounts.md index e04fa7f3d..38e422fe1 100644 --- a/docs/service_accounts.md +++ b/docs/service_accounts.md @@ -122,7 +122,7 @@ In this example, we will assume tiller is running in a namespace called `tiller- and that the helm client is running in a namespace called `helm-world` By default, tiller is running in the `kube-system` namespace. -In helm-user.yaml: +In `helm-user.yaml`: ```yaml apiVersion: v1 kind: ServiceAccount @@ -164,7 +164,7 @@ subjects: namespace: helm-world ``` -Please note that the role and rolebindings must be placed in the namespace +Please note that the `role` and `rolebinding` must be placed in the namespace that tiller is running in, while the service account must be in the namespace that the helm client is to be run in. (the pod using the helm client must be using the service account created here) \ No newline at end of file
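Review bot: In the new "Helm and Service Accounts" section (patch 1/2, hunk `@@ -110,3 +110,61 @@` of docs/service_accounts.md), the Role grants `create` on `pods/portforward` and `list` on `pods` for the whole `tiller-world` namespace, not for the tiller pod alone, yet the prose only says the client "will need certain privileges". The "Please note" paragraph should state that anyone bound to `helm-user-role` can port-forward into any pod in the namespace tiller runs in, which per the text is `kube-system` by default, so binding it there is a broader grant than "talk to tiller" suggests; `resourceNames` cannot practically narrow the `pods/portforward` rule unless the tiller pod has a fixed name, so the caveat belongs in the prose. Two smaller points in the same hunk: `rbac.authorization.k8s.io/v1` has been the stable API for `Role`/`RoleBinding` since Kubernetes 1.8, so the example should use it rather than `v1beta1`; and it would help readers to show how to verify the binding before running the client, e.g. `kubectl auth can-i create pods --subresource=portforward -n tiller-world --as system:serviceaccount:helm-world:helm-user-serviceaccount`, which should print `yes` when the three objects are applied as written.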
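Review bot: The context line in patch 2/2, hunk `@@ -122,7 +122,7 @@`, "and that the helm client is running in a namespace called `helm-world` By default," is missing the full stop before "By default"; since this patch is the styling pass, fix it here as well: "...in a namespace called `helm-world`. By default, tiller is running in the `kube-system` namespace."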
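Review bot: In patch 2/2, hunk `@@ -164,7 +164,7 @@`, the backticked names `role` and `rolebinding` do not match the kinds as written in the YAML above them; use `Role` and `RoleBinding` (and `ServiceAccount` in the same sentence for consistency), since a reader is likely to grep for exactly those strings. The trailing parenthetical "(the pod using the helm client must be using the service account created here)" reads better as its own sentence, e.g. "The pod that runs the helm client must use this `ServiceAccount`." The file also still ends with "\ No newline at end of file" after this patch; add the trailing newline while touching these lines.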