I'm trying to follow "Tiller and Role-Based Access Control", but in the end I can't run the install, and I can't figure out what I missed (
$ kubectl create namespace tiller-world
namespace/tiller-world created
$ kubectl create serviceaccount tiller --namespace tiller-world
serviceaccount/tiller created
$ kubectl create -f role-tiller.yaml
role.rbac.authorization.k8s.io/tiller-manager created
$ kubectl create -f rolebinding-tiller.yaml
rolebinding.rbac.authorization.k8s.io/tiller-binding created
$ helm init --service-account tiller --tiller-namespace tiller-world
$HELM_HOME has been configured at /home/toor/.helm.
Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.
Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Happy Helming!
$
$ helm version
Client: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
$
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "elastic" chart repository
...Successfully got an update from the "incubator" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
$
$ helm install nginx --tiller-namespace tiller-world --namespace tiller-world
Error: failed to download "nginx" (hint: running `helm repo update` may help)
$
I also tried installing elasticsearch, but got a different error ((
$ helm install --name elasticsearch --namespace=tiller-world elastic/elasticsearch --version 7.2.0
Error: release elasticsearch failed: namespaces "tiller-world" is forbidden: User "system:serviceaccount:kube-system:default" cannot get resource "namespaces" in API group "" in the namespace "tiller-world"
$
Please advise.
@asktyagi
$ helm search nginx
NAME CHART VERSION APP VERSION DESCRIPTION
stable/nginx-ingress 1.8.1 0.24.1 An nginx Ingress controller that uses ConfigMap to store ...
stable/nginx-ldapauth-proxy 0.1.2 1.13.5 nginx proxy with ldapauth
stable/nginx-lego 0.3.1 Chart for nginx-ingress-controller and kube-lego
stable/gcloud-endpoints 0.1.2 1 DEPRECATED Develop, deploy, protect and monitor your APIs...
$
$ helm install stable/nginx-ingress --tiller-namespace tiller-world --namespace tiller-world
Error: release edgy-anaconda failed: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
$
role-tiller.yaml:
$ cat role-tiller.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: tiller-world
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
$
rolebinding-tiller.yaml:
$ cat rolebinding-tiller.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: tiller-world
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller-world
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
$
helm-user.yaml:
$ cat helm-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helm
  namespace: helm-world
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-user
  namespace: tiller-world
rules:
- apiGroups:
  - ""
  resources:
  - pods/portforward
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-user-binding
  namespace: tiller-world
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-user
subjects:
- kind: ServiceAccount
  name: helm
  namespace: helm-world
$
@Yahir Hernández
$ cat rbac-config.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
$ kubectl create -f rbac-config.yaml
serviceaccount/tiller created
clusterrolebinding.rbac.authorization.k8s.io/tiller created
$
$ helm install stable/nginx-ingress --tiller-namespace tiller-world --namespace kube-system
Error: release wintering-chinchilla failed: namespaces "kube-system" is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot get resource "namespaces" in API group "" in the namespace "kube-system"
$
$ helm install stable/nginx-ingress --namespace kube-system
Error: no available release name found
$
The first error, the failed nginx download, seems to be because "nginx" is not available in the stable channel:
$ helm repo list|grep stable
In particular, in your case it seems it should start with "stable/nginx...", matching the helm search nginx results.
The second attempt failed because you created Roles instead of ClusterRoles, and the chart's resources may require authorization at the cluster level rather than at the namespace level.
From the documentation:
A Role can be defined within a namespace with a Role, or cluster-wide with a ClusterRole.
You can use a ClusterRole instead to deploy charts that need cluster-level permissions.
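As an added example (not part of the original answer, and not Helm or Kubernetes code): a small Python check that parses the RBAC denials from the question and compares each with the posted tiller-manager Role and tiller-binding RoleBinding. It is a simplified comparison, not a full RBAC evaluator; the function name and reason wording are illustrative.

```python
import re

# Role tiller-manager and RoleBinding tiller-binding, as posted in the question.
ROLE_NAMESPACE = "tiller-world"
ROLE_API_GROUPS = {"", "batch", "extensions", "apps"}  # resources and verbs are "*"
BOUND_SUBJECT = "system:serviceaccount:tiller-world:tiller"

# Shape of the API server's RBAC denial text in the failed installs.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<ns>[^"]+)"|at the cluster scope)'
)

def explain(error: str) -> list[str]:
    """Reasons the posted Role/RoleBinding does not cover the denied request
    (illustrative helper; simplified, not a full RBAC evaluator)."""
    m = FORBIDDEN.search(error)
    if m is None:
        return ["not an RBAC denial"]
    reasons = []
    if m["user"] != BOUND_SUBJECT:
        reasons.append(f"subject {m['user']} is not bound by tiller-binding")
    if m["ns"] is None:
        reasons.append("cluster-scoped request: a namespaced Role cannot grant it")
    elif m["ns"] != ROLE_NAMESPACE:
        reasons.append(f"namespace {m['ns']} is outside the Role's namespace")
    if m["group"] not in ROLE_API_GROUPS:
        reasons.append(f"API group {m['group']} is not listed in the Role")
    return reasons

# Error lines copied from the question's terminal output.
ERRORS = [
    'Error: release elasticsearch failed: namespaces "tiller-world" is forbidden: User "system:serviceaccount:kube-system:default" cannot get resource "namespaces" in API group "" in the namespace "tiller-world"',
    'Error: release edgy-anaconda failed: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope',
    'Error: release wintering-chinchilla failed: namespaces "kube-system" is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot get resource "namespaces" in API group "" in the namespace "kube-system"',
    'Error: no available release name found',
]

if __name__ == "__main__":
    for err in ERRORS:
        print(err[:60] + "...")
        for reason in explain(err):
            print("  -", reason)
```

The denied subject in the first error is the default service account in kube-system, not the tiller account the RoleBinding names, so that denial comes from the identity and not from the Role's rules.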