How to scope a custom Tiller install to a Project

This document (000020053) is provided subject to the disclaimer at the end of this document.

Situation

Task

By default, Helm v2 will deploy Tiller into the kube-system namespace. Use of Tiller in this state to deploy charts requires more permissions than a Project Owner/Member would typically have.

If, for some reason, you do not want to use Rancher Apps or you need to use the Helm v2 CLI to deploy/manage a chart in a downstream Project, then it is possible to create a custom Tiller deployment and scope it to your Project.

Pre-requisites

  • kubectl access to the downstream cluster your Project resides in. For the initial setup, you will need full cluster-admin
  • Helm v2 binary. See here for install information.
  • Project created with namespaces you are planning on managing with Tiller. For the purposes of demonstration we are calling them project-x-tiller-deploy(the namespace we're installing Tiller into) and project-x-namespaceA(the namespace we want to manage with Tiller).

Setup

First, you will need to define a ServiceAccount and permissions for Tiller to use:

  • Create a ClusterRole for Tiller(we will bind this to specific namespaces later on):
    cat <<EOF | kubectl apply -f -
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: tiller-project-x
    rules:
    - apiGroups: ["", "batch", "extensions", "apps"]
      resources: ["*"]
      verbs: ["*"]
    EOF
  • Create a ServiceAccount in the namespace you want Tiller to run in(within the same Project):
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: tiller
      namespace: project-x-tiller-deploy
    EOF
  • Create RoleBindings to link the ClusterRole to the Tiller ServiceAccount:
    cat <<EOF | kubectl apply -f -
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: tiller-rolebinding-project-x-namespaceA
      namespace: project-x-namespaceA
    subjects:
    - kind: ServiceAccount
      name: tiller
      namespace: project-x-tiller-deploy
    roleRef:
      kind: ClusterRole
      name: tiller-project-x
      apiGroup: rbac.authorization.k8s.io
    EOF

A separate RoleBinding is required for every namespace you want to manage with Tiller, so repeat the RoleBinding above for each namespace in your Project, changing namespace: project-x-namespaceA as needed.

Once the ClusterRole, ServiceAccount, and RoleBindings are created, Helm can be instructed to deploy Tiller to the desired namespace using the ServiceAccount you created: helm init --service-account tiller --tiller-namespace project-x-tiller-deploy

You can now deploy using Helm. You will either need to set the environment variable TILLER_NAMESPACE to the namespace Tiller was deployed in, or specify it when running helm with --tiller-namespace. Not setting this will result in helm being unable to find Tiller and throwing the error Error: could not find tiller

Further reading

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020053
  • Creation Date: 06-May-2021
  • Modified Date:06-May-2021
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center