helm list : cannot list configmaps in the namespace "kube-system"

Question

I have installed helm 2.6.2 on the kubernetes 8 cluster. helm init worked fine. but when I run helm list it giving this error.

 helm list
Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

How to fix this RABC error message?

score 236 · Accepted Answer · edited Apr 03 '19 at 13:38

236

Once these commands:

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'      
helm init --service-account tiller --upgrade

were run, the issue has been solved.

edited Apr 03 '19 at 13:38

030

10,842
12
78
123

answered Oct 11 '17 at 12:29

sfgroups

18,151
28
132
204

11

Note that this assigns `--clusterrole=cluster-admin`, which will certainly fix permissions problems, but might not be the fix you want. It's better to create your own service accounts, (cluster)roles, and (cluster)rolebindings with the exact permissions you need. – Curtis Mattoon Sep 28 '18 at 20:09
2

`The accepted answer gives full admin access to Helm which is not the best solution security wise` (see https://stackoverflow.com/a/53277281/2777965). – 030 Apr 03 '19 at 13:39
1

when run "init", must have "--upgrade", other questions don't mention it. – heavenwing Jul 14 '19 at 00:49
When I run `kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'` I get `Error from server (NotFound): deployments.extensions "tiller-deploy" not found` – Magick Nov 22 '19 at 02:31

Muhammad Rehan Saeed · Answer 2 · 2019-02-07T16:55:05.963

More Secure Answer

The accepted answer gives full admin access to Helm which is not the best solution security wise. With a little more work, we can restrict Helm's access to a particular namespace. More details in the Helm documentation.

$ kubectl create namespace tiller-world
namespace "tiller-world" created
$ kubectl create serviceaccount tiller --namespace tiller-world
serviceaccount "tiller" created

Define a Role that allows Tiller to manage all resources in tiller-world like in role-tiller.yaml:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: tiller-world
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]

Then run:

$ kubectl create -f role-tiller.yaml
role "tiller-manager" created

In rolebinding-tiller.yaml,

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: tiller-world
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller-world
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io

Then run:

$ kubectl create -f rolebinding-tiller.yaml
rolebinding "tiller-binding" created

Afterwards you can run helm init to install Tiller in the tiller-world namespace.

$ helm init --service-account tiller --tiller-namespace tiller-world

Now prefix all commands with --tiller-namespace tiller-world or set TILLER_NAMESPACE=tiller-world in your environment variables.

More Future Proof Answer

Stop using Tiller. Helm 3 removes the need for Tiller completely. If you are using Helm 2, you can use helm template to generate the yaml from your Helm chart and then run kubectl apply to apply the objects to your Kubernetes cluster.

helm template --name foo --namespace bar --output-dir ./output ./chart-template
kubectl apply --namespace bar --recursive --filename ./output -o yaml

Note, once you do this you will need to prefix all helm commands with `--tiller-namespace tiller-world` or set `TILLER_NAMESPACE=tiller-world` in your environment variables. — spuder, Jan 14 '19 at 21:41
Totally agree with the future proof answer. The helm folks seem to realise that the RBAC stuff made things too complex to manage. They are only at alpha, but worth a look: [Helm 3, alpha 1](https://github.com/helm/helm/releases/tag/v3.0.0-alpha.1) — Richard, May 25 '19 at 19:10
Agreed, RBAC is a bit much to get your hands on at first. I'm still struggling with it but making progress. — coreyperkins, Jun 20 '19 at 21:33
Is the Persistent Volumes creation the accept practice by helm? Should we create also another cluster-role and binding for this case? — Sawyer, Aug 06 '19 at 09:01

suresh Palemoni · Answer 3 · 2018-07-16T19:02:19.180

20

Helm runs with "default" service account. You should provide permissions to it.

For read-only permissions:

kubectl create rolebinding default-view --clusterrole=view --serviceaccount=kube-system:default --namespace=kube-system

For admin access: Eg: to install packages.

kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default

edited Jul 16 '18 at 19:02

answered Jul 16 '18 at 14:12

suresh Palemoni

1,138
14
12

After running `kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default`, and then run `helm list` I still get `Error: configmaps is forbidden: User "system:serviceaccount:tiller:default" cannot list configmaps in the namespace "tiller": no RBAC policy matched` – Magick Nov 22 '19 at 02:32

score 4 · Answer 4 · answered Oct 11 '17 at 01:03

The default serviceaccount does not have API permissions. Helm likely needs to be assigned a service account, and that service account given API permissions. See the RBAC documentation for granting permissions to service accounts: https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions

score 0 · Answer 5 · answered Feb 28 '19 at 18:37

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

kubectl apply -f your-config-file-name.yaml

and then update helm instalation to use serviceAccount:

helm init --service-account tiller --upgrade

score 0 · Answer 6 · answered Sep 04 '19 at 07:59

I got a this error while trying to install tiller in offline mode, I thought the 'tiller' service account didn't have enough rights but at it turns out that a network policy was blocking the communication between tiller and the api-server.

The solution was to create a network policy for tiller allowing all egress communication of tiller

bczoma · Answer 7 · 2019-12-06T21:15:45.817

0

export TILLER_NAMESPACE=<your-tiller-namespace> solved it for me, if <your-tiller-namespace> is not kube-system. This points the Helm client to the right Tiller namespace.

edited Dec 06 '19 at 21:15

answered Dec 06 '19 at 19:46

bczoma

181
2
10

score 0 · Answer 8 · edited May 12 '20 at 09:54

0

If you are using an EKS cluster from AWS and are facing the forbidden issue ( eg: forbidden: User ... cannot list resource "jobs" in API group "batch" in the namespace "default" then this worked for me:

Solution:

Ensure you have configured AWS
Ensure that configured user has the permission to access the cluster.

edited May 12 '20 at 09:54

Bruce Becker

335
1
6
23

answered Mar 25 '20 at 11:06

Kiruthika kanagarajan

824
9
12

helm list : cannot list configmaps in the namespace "kube-system"

8 Answers8

More Secure Answer

More Future Proof Answer

Linked