How to scope a custom Tiller install to a Project
This document (000020053) is provided subject to the disclaimer at the end of this document.
Situation
Task
By default, Helm v2 deploys Tiller into the kube-system namespace, and the ServiceAccount it runs under is normally bound to cluster-admin. Deploying charts through a Tiller in that state requires (and exposes, to anyone who can reach Tiller's gRPC endpoint) far more permission than a Project Owner or Member would typically have.
If you do not want to use Rancher Apps, or you need the Helm v2 CLI to deploy or manage a chart in a downstream Project, you can instead create a custom Tiller deployment whose ServiceAccount is only bound inside the namespaces of that Project.
Pre-requisites
- kubectl access to the downstream cluster your Project resides in. The initial setup creates a ClusterRole, so you will need cluster-admin for that step only.
- The Helm v2 binary. See the Helm v2 installation documentation for install information.
- A Project containing the namespaces you plan to manage with Tiller. For the purposes of demonstration we call them project-x-tiller-deploy (the namespace we install Tiller into) and project-x-namespaceA (the namespace we want to manage with Tiller).
Setup
First, you will need to define a ServiceAccount and permissions for Tiller to use:
- Create a ClusterRole for Tiller. A ClusterRole grants nothing on its own; it is used here only so that one rule set can be bound into several namespaces with RoleBindings later on. Note that the wildcard on the core API group covers secrets and pods/exec as well, so the namespace scope of the RoleBindings is what keeps this Tiller confined to the Project. The rbac.authorization.k8s.io/v1 API is used below; the v1beta1 version in older guides was removed in Kubernetes 1.22.
cat <<EOF | kubectl apply -f -
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-project-x
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
EOF
- Create a ServiceAccount in the namespace you want Tiller to run in (within the same Project):
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: project-x-tiller-deploy
EOF
- Create a RoleBinding in each managed namespace to link the ClusterRole to the Tiller ServiceAccount:
cat <<EOF | kubectl apply -f -
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-rolebinding-project-x-namespaceA
  namespace: project-x-namespaceA
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: project-x-tiller-deploy
roleRef:
  kind: ClusterRole
  name: tiller-project-x
  apiGroup: rbac.authorization.k8s.io
EOF
A separate RoleBinding is required for every namespace you want to manage with Tiller, so repeat the RoleBinding above for each namespace in your Project, changing metadata.name and namespace: project-x-namespaceA as needed. Tiller also stores release state as ConfigMaps in its own namespace (project-x-tiller-deploy here), so it needs at least ConfigMap access there: either bind the ClusterRole in that namespace too, or, preferably, bind a namespaced Role limited to configmaps.
Once the ClusterRole, ServiceAccount, and RoleBindings are created, Helm can be instructed to deploy Tiller to the desired namespace using the ServiceAccount you created:
helm init --service-account tiller --tiller-namespace project-x-tiller-deploy
You can now deploy using Helm. Every helm command must be told where Tiller lives: either export the environment variable TILLER_NAMESPACE set to the namespace Tiller was deployed in, or pass --tiller-namespace on each invocation (for example helm install --tiller-namespace project-x-tiller-deploy ...).
If neither is set, helm looks for Tiller in kube-system and fails with: Error: could not find tiller
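The steps above can be scripted so that the RoleBindings stay consistent across all namespaces in the Project and the resulting scope is verified before any chart is deployed. The script below is an added example, not part of this KB article or of Helm; the names match the article, and the namespace list (project-x-namespaceA and a hypothetical project-x-namespaceB) is an assumption for demonstration. It also adds the release-storage Role in Tiller's own namespace, and checks with kubectl auth can-i (impersonating the ServiceAccount) that Tiller can act in the Project's namespaces but not in kube-system.

```shell
#!/usr/bin/env bash
# Added example, not code from the original KB article or from Helm.
# Generates one RoleBinding per managed namespace for the Tiller ServiceAccount,
# a least-privilege Role/RoleBinding in Tiller's own namespace for release
# storage, and verifies the resulting scope. Names match the article; the
# managed namespace list is an assumption for demonstration.
set -eu

TILLER_NS="${TILLER_NS:-project-x-tiller-deploy}"
TILLER_SA="${TILLER_SA:-tiller}"
CLUSTER_ROLE="${CLUSTER_ROLE:-tiller-project-x}"
# Constructed list of Project namespaces Tiller should manage (project-x-namespaceB is hypothetical).
MANAGED_NAMESPACES="${MANAGED_NAMESPACES:-project-x-namespaceA project-x-namespaceB}"

# Emit a RoleBinding granting the ClusterRole to the Tiller SA in one namespace.
rolebinding_manifest() {
  local ns="$1"
  cat <<EOF
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-rolebinding-${ns}
  namespace: ${ns}
subjects:
- kind: ServiceAccount
  name: ${TILLER_SA}
  namespace: ${TILLER_NS}
roleRef:
  kind: ClusterRole
  name: ${CLUSTER_ROLE}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Tiller keeps release state as ConfigMaps in its own namespace, so it needs
# ConfigMap access there even if no chart is ever deployed into that namespace.
# A namespaced Role limited to configmaps is enough; no wildcard is needed here.
release_storage_manifest() {
  cat <<EOF
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-release-storage
  namespace: ${TILLER_NS}
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-release-storage
  namespace: ${TILLER_NS}
subjects:
- kind: ServiceAccount
  name: ${TILLER_SA}
  namespace: ${TILLER_NS}
roleRef:
  kind: Role
  name: tiller-release-storage
  apiGroup: rbac.authorization.k8s.io
EOF
}

# All manifests as one stream suitable for `kubectl apply -f -`.
all_manifests() {
  release_storage_manifest
  local ns
  for ns in $MANAGED_NAMESPACES; do
    rolebinding_manifest "$ns"
  done
}

# Impersonate the Tiller SA: it must be able to write configmaps in its own
# namespace and deployments in each managed namespace (can-i exits non-zero on
# "no", which aborts the script under set -e), and must NOT be able to create
# deployments in kube-system; a "yes" there means a binding is too broad.
verify_scope() {
  local sa="system:serviceaccount:${TILLER_NS}:${TILLER_SA}" ns
  kubectl auth can-i create configmaps --as="$sa" -n "$TILLER_NS"
  for ns in $MANAGED_NAMESPACES; do
    kubectl auth can-i create deployments.apps --as="$sa" -n "$ns"
  done
  if kubectl auth can-i create deployments.apps --as="$sa" -n kube-system >/dev/null 2>&1; then
    echo "WARNING: $sa can create deployments in kube-system; scope is too broad" >&2
    return 1
  fi
}

# Usage: ./tiller-scope.sh print | apply | init
#   print: show the generated manifests (default)
#   apply: apply them with a cluster-admin kubectl context, then verify scope
#   init:  deploy Tiller with the article's helm init command and confirm it answers
case "${1:-print}" in
  print) all_manifests ;;
  apply) all_manifests | kubectl apply -f -; verify_scope ;;
  init)  helm init --service-account "$TILLER_SA" --tiller-namespace "$TILLER_NS" --wait
         helm version --tiller-namespace "$TILLER_NS" ;;
esac
```

Run the apply action once per Project with cluster-admin; afterwards the ServiceAccount only ever carries the namespaced bindings, so the ClusterRole's wildcards never reach outside the Project. The negative check against kube-system is the one to keep in a CI job: it catches the common mistake of binding the ClusterRole with a ClusterRoleBinding instead of a RoleBinding.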
Further reading
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020053
- Creation Date: 06-May-2021
- Modified Date: 06-May-2021
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com