How to scope a custom Tiller install to a Project
This document (000020053) is provided subject to the disclaimer at the end of this document.
By default, Helm v2 will deploy Tiller into the kube-system namespace. Use of Tiller in this state to deploy charts requires more permissions than a Project Owner/Member would typically have.
If, for some reason, you do not want to use Rancher Apps or you need to use the Helm v2 CLI to deploy/manage a chart in a downstream Project, then it is possible to create a custom Tiller deployment and scope it to your Project.
- kubectl access to the downstream cluster your Project resides in. For the initial setup, you will need full cluster-admin
- Helm v2 binary. See here for install information.
- Project created with namespaces you are planning on managing with Tiller. For the purposes of demonstration we are calling them
project-x-tiller-deploy(the namespace we're installing Tiller into) and
project-x-namespaceA(the namespace we want to manage with Tiller).
First, you will need to define a ServiceAccount and permissions for Tiller to use:
- Create a ClusterRole for Tiller(we will bind this to specific namespaces later on):
cat <<EOF | kubectl apply -f - kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: tiller-project-x rules: - apiGroups: ["", "batch", "extensions", "apps"] resources: ["*"] verbs: ["*"] EOF
- Create a ServiceAccount in the namespace you want Tiller to run in(within the same Project):
cat <<EOF | kubectl apply -f - apiVersion: v1 kind: ServiceAccount metadata: name: tiller namespace: project-x-tiller-deploy EOF
- Create RoleBindings to link the ClusterRole to the Tiller ServiceAccount:
cat <<EOF | kubectl apply -f - kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: name: tiller-rolebinding-project-x-namespaceA namespace: project-x-namespaceA subjects: - kind: ServiceAccount name: tiller namespace: project-x-tiller-deploy roleRef: kind: ClusterRole name: tiller-project-x apiGroup: rbac.authorization.k8s.io EOF
A separate RoleBinding is required for every namespace you want to manage with Tiller, so repeat the RoleBinding above for each namespace in your Project, changing
namespace: project-x-namespaceAas needed.
Once the ClusterRole, ServiceAccount, and RoleBindings are created, Helm can be instructed to deploy Tiller to the desired namespace using the ServiceAccount you created:
helm init --service-account tiller --tiller-namespace project-x-tiller-deploy
You can now deploy using Helm. You will either need to set the environment variable
TILLER_NAMESPACE to the namespace Tiller was deployed in, or specify it when running helm with
Not setting this will result in helm being unable to find Tiller and throwing the error
Error: could not find tiller
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020053
- Creation Date: 06-May-2021
- Modified Date:06-May-2021
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com