Helm: 用户“ system:serviceaccount:kube-system:default”无法在名称空间“ default”中获取名称空间
安装头盔包时,出现如下错误:
[root@k8s-master3 ~]# helm install --name nginx stable/nginx-ingress
Error: release nginx failed: namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "default"
这是我的头盔版本:
[root@k8s-master3 ~]# helm version
Client: &version.Version{SemVer:"v2.7.0", GitCommit:"08c1144f5eb3e3b636d9775617287cc26e53dba4", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.7.0", GitCommit:"08c1144f5eb3e3b636d9775617287cc26e53dba4", GitTreeState:"clean"}
而我的kubectl版本:
[root@k8s-master3 ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.1-alicloud", GitCommit:"19408ab2a1b736fe97a9d9cf24c6fb228f23f12f", GitTreeState:"clean", BuildDate:"2017-10-19T04:05:24Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.1", GitCommit:"f38e43b221d08850172a9a4ea785a86a3ffa3b3a", GitTreeState:"clean", BuildDate:"2017-10-11T23:16:41Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
任何帮助将不胜感激,非常感谢!
noprom
所有30条评论
看来您遇到了与特权有关的问题。
您可以在部署图表时启用rbac:
$ helm install --name nginx --set rbac.create=true stable/nginx-ingress
flyer103
于 2017-11-13
@ flyer103
它仍然无法正常工作。
noprom
于 2017-11-13
这里同样的问题。 启用rbac并没有帮助。
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.3", GitCommit:"f0efb3cb883751c5ffdbe6d515f3cb4fbe7b7acd", GitTreeState:"clean", BuildDate:"2017-11-10T13:17:12Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.2", GitCommit:"bdaeafa71f6c7c04636251031f93464384d54963", GitTreeState:"clean", BuildDate:"2017-10-24T19:38:10Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
$ helm install --name my-hdfs-namenode hdfs-namenode-k8s
Error: release my-hdfs-namenode failed: namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "default"
帮助将不胜感激!
owetterau
于 2017-11-13
您需要做的是授予分till(通过默认服务帐户)访问权限以在默认名称空间中安装资源。 参见https://github.com/kubernetes/helm/blob/master/docs/service_accounts.md
bacongobbler
于 2017-11-13
嗨@bacongobbler
感谢帮助。 我已按照您的上述说明进行了以下操作:
首先,我重置分the器:
helm reset --force
完成此操作后,我将创建一个RBAC yaml文件:
[root@k8s-master3 ~]# cat rbac-config.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: default
然后初始化我的分till:
helm init --service-account tiller --upgrade -i registry.cn-hangzhou.aliyuncs.com/google_containers/tiller:v2.7.0 --stable-repo-url https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts
但是,分er未成功安装:
[root@k8s-master3 ~]# helm version
Client: &version.Version{SemVer:"v2.7.0", GitCommit:"08c1144f5eb3e3b636d9775617287cc26e53dba4", GitTreeState:"clean"}
Error: cannot connect to Tiller
我缝在kube-system命名空间中的部署是这样的:
[root@k8s-master3 ~]# kubectl get deployments --all-namespaces
NAMESPACE NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
ci jenkins 1 1 1 1 5d
default redis-master 1 1 1 0 4d
kube-system default-http-backend 1 1 1 1 5d
kube-system heapster 1 1 1 1 5d
kube-system kube-dns 1 1 1 1 5d
kube-system kubernetes-dashboard 1 1 1 1 5d
kube-system monitoring-influxdb 1 1 1 1 5d
kube-system nginx-ingress-controller 1 1 1 1 5d
kube-system tiller-deploy 1 0 0 0 9m
关于如何解决此问题的任何想法?
提前致谢!
noprom
于 2017-11-14
@noprom试试这个
手动删除分er器的部署
为分er创建这些rbac配置
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-clusterrolebinding
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: ""
在那个rbac配置上运行delete(yes delete)
再次运行创建
然后运行helm init --upgrade替换
您不应再有任何错误。
innovia
于 2017-11-19
@innovia
伟大的! 谢谢,我已经解决了这个问题。
非常感谢!
noprom
于 2017-11-21
乐于帮助 :)
innovia
于 2017-11-21
@noprom请检查我的帖子,了解如何使用每个名称空间的rbac设置掌舵和耕作机
innovia
于 2017-11-21
@innovia
很棒的帖子!😄
noprom
于 2017-11-21
谢谢!
innovia
于 2017-11-21
以上不起作用仍然得到
namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "default"
mfojtak
于 2017-11-23
那是因为您没有部署分er的权限,请为其添加一个帐户:
kubectl --namespace kube-system create serviceaccount tiller
kubectl create clusterrolebinding tiller-cluster-rule \
--clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl --namespace kube-system patch deploy tiller-deploy \
-p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
控制台输出:
serviceaccount "tiller" created
clusterrolebinding "tiller-cluster-rule" created
deployment "tiller-deploy" patched
然后运行以下命令进行检查:
helm list
helm repo update
helm install --name nginx-ingress stable/nginx-ingress
ykfq
于 2018-03-14
@ykfq非常感谢,它起作用了! 但是每次我们在新集群上部署时,我们都需要这样做吗? 不便之处!
antran89
于 2018-05-30
@ antran89
如果您使用官方的分till安装说明,则必须这样做:
- 创建分till的服务帐户
- 为上面创建的ServiceAccout绑定角色(需要集群管理员角色)
- 为ServiceAccout创建ClusterRoleBinding
- 修补使用
helm init时创建的部署
因此,还有另一种方法可以使它更容易-通过yaml文件安装:
vim tiller.yaml
apiVersion: v1
kind: Service
metadata:
name: tiller-deploy
namespace: kube-system
labels:
app: helm
name: tiller
spec:
ports:
- name: tiller
port: 44134
protocol: TCP
targetPort: tiller
selector:
app: helm
name: tiller
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: tiller-deploy
namespace: kube-system
labels:
app: helm
name: tiller
annotations:
deployment.kubernetes.io/revision: "5"
spec:
replicas: 1
selector:
matchLabels:
app: helm
name: tiller
template:
metadata:
labels:
app: helm
name: tiller
spec:
containers:
- env:
- name: TILLER_NAMESPACE
value: kube-system
- name: TILLER_HISTORY_MAX
value: "0"
name: tiller
image: gcr.io/kubernetes-helm/tiller:v2.8.2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 44134
name: tiller
protocol: TCP
- containerPort: 44135
name: http
protocol: TCP
livenessProbe:
failureThreshold: 3
httpGet:
path: /liveness
port: 44135
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /readiness
port: 44135
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
serviceAccount: tiller
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-cluster-rule
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: ""
然后创建资源:
kubectl create -f tiller.yaml
确保检查您的服务。
上面的yaml内容是使用命令从正在运行的集群中导出的:
kubectl -n kube-system get svc tiller-deploy -o=yaml
kubectl -n kube-system get deploy tiller-deploy -o=yaml
kubectl -n kube-system get sa tiller -o=yaml
kubectl -n kube-system get clusterrolebinding tiller-cluster-rule -o=yaml
这款Yaml尚未测试,如果您有任何疑问,请发表评论。
ykfq
于 2018-06-01
@ykfq我不喜欢给Tiller完整的集群管理员特权的想法,但是没有其他办法对我示例进行操作。 我试图将Tiller限制为仅作用于我让它起作用的名称空间。
但是总是遇到这个问题(正在部署Concourse):
Error: release concourse failed: namespaces "concourse" is forbidden: User "system:serviceaccount:tiller-system:tiller-user" cannot get namespaces in the namespace "concourse": Unknown user "system:serviceaccount:tiller-system:tiller-user"
关于如何使该特定示例起作用的任何想法? 我改变了一些参数,整个带有RBAC的YAML都是这样的:
apiVersion: v1
kind: Namespace
metadata:
name: tiller-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller-user
namespace: tiller-system
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-manager
namespace: tiller-system
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["configmaps"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-binding
namespace: tiller-system
subjects:
- kind: ServiceAccount
name: tiller-user
namespace: tiller-system
roleRef:
kind: Role
name: tiller-manager
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Namespace
metadata:
name: concourse
---
apiVersion: v1
kind: Namespace
metadata:
name: concourse-main
----
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-role
namespace: concourse
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-namespace-role
namespace: concourse
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["namespaces"]
verbs: ["*"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-main-role
namespace: concourse-main
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-main-role
subjects:
- kind: ServiceAccount
name: tiller-user
namespace: tiller-system
roleRef:
kind: Role
name: tiller-concourse-main-role
apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-role
subjects:
- kind: ServiceAccount
name: tiller-user
namespace: tiller-system
roleRef:
kind: Role
name: tiller-concourse-role
apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-namespace-role
subjects:
- kind: ServiceAccount
name: tiller-user
namespace: tiller-system
roleRef:
kind: Role
name: tiller-concourse-namespace-role
apiGroup: rbac.authorization.k8s.io
brunoban
于 2018-06-04
舵初始化-升级-服务账户分er
banyaszb
于 2018-06-07
@brunoban helm v3将删除分
innovia
于 2018-06-07
@innovia哦...我不知道。 那时就要尝试加快速度。 谢谢!
brunoban
于 2018-06-07
然后运行helm init --upgrade替换
@innovia将rbac配置文件放在哪里?
cjbottaro
于 2018-07-07
@cjbottaro您是否读过我写的Hwo文章,以按名称空间设置掌舵和舵柄?
我不关注您的问题,能否请您重新解释一下?
innovia
于 2018-07-08
@innovia没关系,我知道了。 只是不得不跑
kubectl create -f tiller.yaml
helm init --upgrade --service-account tiller
这为我工作:
kubectl --namespace kube-system创建服务帐户分er
kubectl创建clusterrolebinding分er --clusterrole cluster-admin --serviceaccount = kube- system:tiller
舵初始化-服务帐户分till-升级
qiangli
于 2018-07-25
我遵循的官方Helm文档是“在名称空间中部署Tiller,仅限于仅在该名称空间中部署资源”。 这是我的bash脚本:
Namespace="$1"
kubectl create namespace $Namespace
kubectl create serviceaccount "tiller-$Namespace" --namespace $Namespace
kubectl create role "tiller-role-$Namespace" /
--namespace $Namespace /
--verb=* /
--resource=*.,*.apps,*.batch,*.extensions
kubectl create rolebinding "tiller-rolebinding-$Namespace" /
--namespace $Namespace /
--role="tiller-role-$Namespace" /
--serviceaccount="$Namespace:tiller-$Namespace"
运行helm upgrade给我以下错误:
错误:升级失败:禁止使用configmaps:用户“ system:serviceaccount :kube- system:default ”无法在名称空间“ kube-system”中列出configmaps
官方文档中有错误吗? 我看错了吗?
RehanSaeed
于 2018-11-15
helm init的完整命令是什么? 您能为此另开一张票吗?
bacongobbler
于 2018-11-15
@bacongobbler在此处移动问题https://github.com/helm/helm/issues/4933
RehanSaeed
于 2018-11-16
以上不起作用仍然得到
namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "default"
遵循以下命令:
舵机初始-服务帐户分er-升级-i Registry.cn-hangzhou.aliyuncs.com/google_containers/https://kubernetes.oss-cn-hangzhou.aliyuncs .com / charts
devops-team-92
于 2019-06-10
您需要做的是授予分till(通过默认服务帐户)访问权限以在默认名称空间中安装资源。 参见https://github.com/kubernetes/helm/blob/master/docs/service_accounts.md
文件名现在rbac.md ,链接位于https://github.com/helm/helm/blob/master/docs/rbac.md。
HYChou0515
于 2019-10-18
那是因为您没有部署分er的权限,请为其添加一个帐户:
kubectl --namespace kube-system create serviceaccount tiller kubectl create clusterrolebinding tiller-cluster-rule \ --clusterrole=cluster-admin --serviceaccount=kube-system:tiller kubectl --namespace kube-system patch deploy tiller-deploy \ -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'控制台输出:
serviceaccount "tiller" created clusterrolebinding "tiller-cluster-rule" created deployment "tiller-deploy" patched然后运行以下命令进行检查:
helm list helm repo update helm install --name nginx-ingress stable/nginx-ingress
如果按照这些确切说明更新分till安装文档,那就太好了
我有以下yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: ""
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
如果我是对的,我在此Yaml中缺少tiller deployment ?
ishankhare07
于 2019-10-30
舵初始化-升级-服务账户分er
上面的命令解决了这个问题,强烈建议您首先使用此步骤:)
CloudA2Z-Code
于 2020-02-22
相关问题
dkirrane
·
3评论
sgoings
·
3评论
antoniaklja
·
3评论
macknight
·
3评论
danielcb
·
3评论
最有用的评论
那是因为您没有部署分er的权限,请为其添加一个帐户:
控制台输出:
然后运行以下命令进行检查: