helm ν¨ν€μ§λ₯Ό μ€μΉν λ λ€μκ³Ό κ°μ μ€λ₯κ° λ°μνμ΅λλ€.
[root@k8s-master3 ~]# helm install --name nginx stable/nginx-ingress
Error: release nginx failed: namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "default"
λ΄ μ‘°ν λ²μ μ λ€μκ³Ό κ°μ΅λλ€.
[root@k8s-master3 ~]# helm version
Client: &version.Version{SemVer:"v2.7.0", GitCommit:"08c1144f5eb3e3b636d9775617287cc26e53dba4", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.7.0", GitCommit:"08c1144f5eb3e3b636d9775617287cc26e53dba4", GitTreeState:"clean"}
κ·Έλ¦¬κ³ λ΄ kubectl λ²μ :
[root@k8s-master3 ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"8+", GitVersion:"v1.8.1-alicloud", GitCommit:"19408ab2a1b736fe97a9d9cf24c6fb228f23f12f", GitTreeState:"clean", BuildDate:"2017-10-19T04:05:24Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.1", GitCommit:"f38e43b221d08850172a9a4ea785a86a3ffa3b3a", GitTreeState:"clean", BuildDate:"2017-10-11T23:16:41Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
μ΄λ€ λμμ μ£Όμλ©΄ κ°μ¬νκ² μ΅λλ€!
κΆνκ³Ό κ΄λ ¨λ λ¬Έμ κ° λ°μν κ² κ°μ΅λλ€.
μ°¨νΈλ₯Ό λ°°ν¬ ν λ rbacλ₯Ό νμ±ν ν μ μμ΅λλ€.
$ helm install --name nginx --set rbac.create=true stable/nginx-ingress
νν
μ¬μ ν μλνμ§ μμ΅λλ€.
μ¬κΈ°μλ κ°μ λ¬Έμ κ° μμ΅λλ€. rbacλ₯Ό νμ±νν΄λ λμμ΄λμ§ μμ΅λλ€.
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.3", GitCommit:"f0efb3cb883751c5ffdbe6d515f3cb4fbe7b7acd", GitTreeState:"clean", BuildDate:"2017-11-10T13:17:12Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.2", GitCommit:"bdaeafa71f6c7c04636251031f93464384d54963", GitTreeState:"clean", BuildDate:"2017-10-24T19:38:10Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
$ helm install --name my-hdfs-namenode hdfs-namenode-k8s
Error: release my-hdfs-namenode failed: namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "default"
λμμ μ£Όμλ©΄ κ°μ¬νκ² μ΅λλ€!
νμν κ²μ κΈ°λ³Έ μλΉμ€ κ³μ μ ν΅ν΄ κΈ°λ³Έ λ€μ μ€νμ΄μ€μ 리μμ€λ₯Ό μ€μΉν μμλ μ‘μΈμ€ κΆνμ λΆμ¬νλ κ²μ λλ€. https://github.com/kubernetes/helm/blob/master/docs/service_accounts.md μ°Έμ‘°
μλ
νμΈμ, @bacongobbler
λμ μ£Όμ
μ κ°μ¬ν©λλ€. μμμ μΈκΈ ν μ§μΉ¨μ λ°λ₯΄κ³ λ€μ μμ
μ μννμ΅λλ€.
μ°μ , λλ κ²½μ΄κΈ°λ₯Ό μ¬μ€μ νμ΅λλ€.
helm reset --force
μ΄λ κ² ν ν RBAC yaml νμΌμ λ§λλλ€.
[root@k8s-master3 ~]# cat rbac-config.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: default
κ·Έλ¦¬κ³ λ΄ κ²½μ΄κΈ°λ₯Ό μ΄κΈ°ννμμμ€.
helm init --service-account tiller --upgrade -i registry.cn-hangzhou.aliyuncs.com/google_containers/tiller:v2.7.0 --stable-repo-url https://kubernetes.oss-cn-hangzhou.aliyuncs.com/charts
κ·Έλ¬λ κ²½μ΄κΈ°κ° μ±κ³΅μ μΌλ‘ μ€μΉλμ§ μμμ΅λλ€.
[root@k8s-master3 ~]# helm version
Client: &version.Version{SemVer:"v2.7.0", GitCommit:"08c1144f5eb3e3b636d9775617287cc26e53dba4", GitTreeState:"clean"}
Error: cannot connect to Tiller
κ·Έλ¦¬κ³ kube-system
λ€μ μ€νμ΄μ€μμ λ°°ν¬λ₯Ό μ¬λ΄νλ κ²μ λ€μκ³Ό κ°μ΅λλ€.
[root@k8s-master3 ~]# kubectl get deployments --all-namespaces
NAMESPACE NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
ci jenkins 1 1 1 1 5d
default redis-master 1 1 1 0 4d
kube-system default-http-backend 1 1 1 1 5d
kube-system heapster 1 1 1 1 5d
kube-system kube-dns 1 1 1 1 5d
kube-system kubernetes-dashboard 1 1 1 1 5d
kube-system monitoring-influxdb 1 1 1 1 5d
kube-system nginx-ingress-controller 1 1 1 1 5d
kube-system tiller-deploy 1 0 0 0 9m
μ΄ λ¬Έμ λ₯Ό ν΄κ²°νλ λ°©λ²μ λν μμ΄λμ΄κ° μμ΅λκΉ?
미리 κ°μ¬λ립λλ€!
@noprom μ΄κ²μ μλνμμμ€
μλμΌλ‘ νΈλ¬ λ°°ν¬ μμ
νΈλ¬μ λν μ΄λ¬ν rbac κ΅¬μ± μμ±
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-clusterrolebinding
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: ""
ν΄λΉ rbac ꡬμ±μμ delete (yes delete) μ€ν
λ€μ λ§λ€κΈ° μ€ν
κ·Έλ° λ€μ helm init --upgradeλ₯Ό μ€ννμ¬
λ μ΄μ μ€λ₯κ° μμ΄μΌν©λλ€.
λΏ‘λΏ‘
ν°! κ°μ¬ν©λλ€.μ΄ λ¬Έμ λ₯Ό ν΄κ²°νμ΅λλ€.
κ°μ¬ν©λλ€!
λμ μ€ μμμ΄μ κΈ°λ» :)
λΏ‘λΏ‘
νμμ μΈ ν¬μ€νΈ! π
κ°μ¬!
μλ μλνμ§ μμ΅λλ€ μ¬μ ν μ μ
namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "default"
νΈλ¬λ₯Ό λ°°ν¬ ν κΆνμ΄ μκΈ° λλ¬Έμ κ³μ μ μΆκ°νμΈμ.
kubectl --namespace kube-system create serviceaccount tiller
kubectl create clusterrolebinding tiller-cluster-rule \
--clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl --namespace kube-system patch deploy tiller-deploy \
-p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
μ½μ μΆλ ₯ :
serviceaccount "tiller" created
clusterrolebinding "tiller-cluster-rule" created
deployment "tiller-deploy" patched
κ·Έλ° λ€μ μλ λͺ λ Ήμ μ€ννμ¬ νμΈνμμμ€.
helm list
helm repo update
helm install --name nginx-ingress stable/nginx-ingress
@ykfq κ°μ¬ν©λλ€, μλν©λλ€! νμ§λ§ μ ν΄λ¬μ€ν°μ λ°°ν¬ ν λλ§λ€ μ΄λ κ²ν΄μΌν©λκΉ? μ λ§ λΆνΈν©λλ€!
λΏ‘ λΉ΅λ¨
곡μ κ²½μ΄κΈ° μ€μΉ μ§μΉ¨ μ μ¬μ©νλ κ²½μ° λ€μμ μνν΄μΌν©λλ€.
helm init
μ¬μ©μ μμ± λ λ°°ν¬ ν¨μΉλ°λΌμ λ μ½κ² λ§λλ λ λ€λ₯Έ λ°©λ²μ΄ μμ΅λλ€-yaml νμΌμ ν΅ν΄ μ€μΉνμμμ€.
vim tiller.yaml
apiVersion: v1
kind: Service
metadata:
name: tiller-deploy
namespace: kube-system
labels:
app: helm
name: tiller
spec:
ports:
- name: tiller
port: 44134
protocol: TCP
targetPort: tiller
selector:
app: helm
name: tiller
type: ClusterIP
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: tiller-deploy
namespace: kube-system
labels:
app: helm
name: tiller
annotations:
deployment.kubernetes.io/revision: "5"
spec:
replicas: 1
selector:
matchLabels:
app: helm
name: tiller
template:
metadata:
labels:
app: helm
name: tiller
spec:
containers:
- env:
- name: TILLER_NAMESPACE
value: kube-system
- name: TILLER_HISTORY_MAX
value: "0"
name: tiller
image: gcr.io/kubernetes-helm/tiller:v2.8.2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 44134
name: tiller
protocol: TCP
- containerPort: 44135
name: http
protocol: TCP
livenessProbe:
failureThreshold: 3
httpGet:
path: /liveness
port: 44135
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
readinessProbe:
failureThreshold: 3
httpGet:
path: /readiness
port: 44135
scheme: HTTP
initialDelaySeconds: 1
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: Always
serviceAccount: tiller
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-cluster-rule
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: ""
κ·Έλ° λ€μ 리μμ€λ₯Ό λ§λλλ€.
kubectl create -f tiller.yaml
μλΉμ€λ₯Ό νμΈνμμμ€.
μμ yaml μ½ν μΈ λ λ€μ λͺ λ Ήμ μ¬μ©νμ¬ μ€νμ€μΈ ν΄λ¬μ€ν°μμ λ΄λ³΄λμ΅λλ€.
kubectl -n kube-system get svc tiller-deploy -o=yaml
kubectl -n kube-system get deploy tiller-deploy -o=yaml
kubectl -n kube-system get sa tiller -o=yaml
kubectl -n kube-system get clusterrolebinding tiller-cluster-rule -o=yaml
μ΄ yamlμ μμ§ ν μ€νΈλμ§ μμμ΅λλ€. μ§λ¬Έμ΄ μμΌμλ©΄ μ견μ λ¨κ²¨μ£ΌμΈμ.
@ykfq Tillerμ μ 체 ν΄λ¬μ€ν° κ΄λ¦¬μ κΆνμ λΆμ¬νλ μμ΄λμ΄κ° λ§μμ λ€μ§ μμ§λ§ λ€λ₯Έ κ²μ λλ₯Ό μν΄ μΌνμ§ μμμ΅λλ€. μ΄ μλ₯Ό λ°λΌ μλνμ΅λλ€. Tillerκ° λ΄κ° μλνλλ‘ νμ© ν λ€μ μ€νμ΄μ€μμλ§ μλνλλ‘ μ ννλ €κ³ νμ΅λλ€.
κ·Έλ¬λ νμμ΄ λ¬Έμ κ° λ°μνμ΅λλ€ (Concourse λ°°ν¬).
Error: release concourse failed: namespaces "concourse" is forbidden: User "system:serviceaccount:tiller-system:tiller-user" cannot get namespaces in the namespace "concourse": Unknown user "system:serviceaccount:tiller-system:tiller-user"
νΉμ μμ λ₯Ό μλμν€λ λ°©λ²μ λν μμ΄λμ΄κ° μμ΅λκΉ? λͺ κ°μ§ λ§€κ° λ³μλ₯Ό λ³κ²½νλλ° RBACκ°μλ μ 체 YAMLμ λ€μκ³Ό κ°μ΅λλ€.
apiVersion: v1
kind: Namespace
metadata:
name: tiller-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller-user
namespace: tiller-system
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-manager
namespace: tiller-system
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["configmaps"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-binding
namespace: tiller-system
subjects:
- kind: ServiceAccount
name: tiller-user
namespace: tiller-system
roleRef:
kind: Role
name: tiller-manager
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Namespace
metadata:
name: concourse
---
apiVersion: v1
kind: Namespace
metadata:
name: concourse-main
----
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-role
namespace: concourse
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-namespace-role
namespace: concourse
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["namespaces"]
verbs: ["*"]
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-main-role
namespace: concourse-main
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-main-role
subjects:
- kind: ServiceAccount
name: tiller-user
namespace: tiller-system
roleRef:
kind: Role
name: tiller-concourse-main-role
apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-role
subjects:
- kind: ServiceAccount
name: tiller-user
namespace: tiller-system
roleRef:
kind: Role
name: tiller-concourse-role
apiGroup: rbac.authorization.k8s.io
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: tiller-concourse-namespace-role
subjects:
- kind: ServiceAccount
name: tiller-user
namespace: tiller-system
roleRef:
kind: Role
name: tiller-concourse-namespace-role
apiGroup: rbac.authorization.k8s.io
helm init --upgrade --service-account tiller
@brunoban helm v3λ νΈλ¬λ₯Ό μ κ±°νλ―λ‘ κΆνμ μ μ©ν μ¬μ©μκ° κΆνμ μ΄ν΄ ν κ²μ λλ€.
@innovia μ€ ... λͺ°λμ΄μ. κ·ΈλΌ μ΄μ μλλ₯Ό λΌ κ²μ λλ€. κ°μ¬!
κ·Έλ° λ€μ helm init --upgradeλ₯Ό μ€ννμ¬
@innovia rbac κ΅¬μ± νμΌμ μ΄λμ λ£μκΉμ?
@cjbottaro λ΄κ° λ€μ μ€νμ΄μ€ λΉ helm λ° tillerλ₯Ό μ€μ νκΈ° μν΄ Hwoλ₯Ό μμ±ν κ²μλ¬Όμ μ½μμ΅λκΉ?
μ§λ¬Έμ λ°λ₯΄μ§ μμ΅λλ€. λ€μ μ€λͺ ν΄ μ£Όμκ² μ΅λκΉ?
@innovia Nevermind, λλ κ·Έκ²μ μμ λμ΅λλ€. κ·Έλ₯ λ¬λ €μΌ νμ΄
kubectl create -f tiller.yaml
helm init --upgrade --service-account tiller
μ΄κ²μ λλ₯Ό μν΄ μΌνμ΅λλ€.
kubectl --namespace kube-system create serviceaccount tiller
kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount = kube- system : tiller
helm init --service-account tiller --upgrade
λλ "Deploy Tiller in a namespace, limited to deploying resources only in that namespace"μ λν 곡μ Helm λ¬Έμ λ₯Ό λ°λ₯΄κ³ μμ΅λλ€. λ΄ bash μ€ν¬λ¦½νΈλ λ€μκ³Ό κ°μ΅λλ€.
Namespace="$1"
kubectl create namespace $Namespace
kubectl create serviceaccount "tiller-$Namespace" --namespace $Namespace
kubectl create role "tiller-role-$Namespace" /
--namespace $Namespace /
--verb=* /
--resource=*.,*.apps,*.batch,*.extensions
kubectl create rolebinding "tiller-rolebinding-$Namespace" /
--namespace $Namespace /
--role="tiller-role-$Namespace" /
--serviceaccount="$Namespace:tiller-$Namespace"
helm upgrade
μ€ννλ©΄ λ€μ μ€λ₯κ° λ°μν©λλ€.
μ€λ₯ : μ κ·Έλ μ΄λ μ€ν¨ : configmapsλ κΈμ§λμ΄ μμ΅λλ€ : μ¬μ©μ " system : serviceaccount : kube- system : default "λ λ€μ μ€νμ΄μ€ "kube-system"μ configmapμ λμ΄ ν μ μμ΅λλ€.
곡μ λ¬Έμμ λ²κ·Έκ° μμ΅λκΉ? λ΄κ° μλͺ» μ½μμ΅λκΉ?
helm init
λν μ 체 λͺ
λ Ήμ 무μμ
λκΉ? μ΄κ²μ λν΄ λ³λμ ν°μΌμ μ΄ μ μμ΅λκΉ?
@bacongobbler μ¬κΈ°λ‘ μ΄μ μ΄λ https://github.com/helm/helm/issues/4933
μλ μλνμ§ μμ΅λλ€ μ¬μ ν μ μ
namespaces "default" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "default"
μλ λͺ λ Ήμ λ°λ₯΄μμμ€
helm init --service-account tiller --upgrade -i registry.cn-hangzhou.aliyuncs.com/google_containers/ tiller : v2.14.0 --stable-repo-url https : //kubernetes.oss-cn-hangzhou.aliyuncs .com / charts
νμν κ²μ κΈ°λ³Έ μλΉμ€ κ³μ μ ν΅ν΄ κΈ°λ³Έ λ€μ μ€νμ΄μ€μ 리μμ€λ₯Ό μ€μΉν μμλ μ‘μΈμ€ κΆνμ λΆμ¬νλ κ²μ λλ€. https://github.com/kubernetes/helm/blob/master/docs/service_accounts.md μ°Έμ‘°
νμΌ μ΄λ¦μ μ΄μ rbac.md
μ΄κ³ λ§ν¬λ https://github.com/helm/helm/blob/master/docs/rbac.mdμ μμ΅λλ€.
νΈλ¬λ₯Ό λ°°ν¬ ν κΆνμ΄ μκΈ° λλ¬Έμ κ³μ μ μΆκ°νμΈμ.
kubectl --namespace kube-system create serviceaccount tiller kubectl create clusterrolebinding tiller-cluster-rule \ --clusterrole=cluster-admin --serviceaccount=kube-system:tiller kubectl --namespace kube-system patch deploy tiller-deploy \ -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
μ½μ μΆλ ₯ :
serviceaccount "tiller" created clusterrolebinding "tiller-cluster-rule" created deployment "tiller-deploy" patched
κ·Έλ° λ€μ μλ λͺ λ Ήμ μ€ννμ¬ νμΈνμμμ€.
helm list helm repo update helm install --name nginx-ingress stable/nginx-ingress
κ²½μ΄κΈ° μ€μΉ λ¬Έμλ₯Όμ΄ μ νν μ§μΉ¨μΌλ‘ μ
λ°μ΄νΈνλ©΄ μ’μ κ²μ
λλ€.
λλ λ€μκ³Ό κ°μ yamlμ κ°μ§κ³ μμλ€.
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: ""
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
λ΄κ° λ§λ€λ©΄μ΄ yamlμμ tiller deployment
κ° λλ½ λμλμ?
helm init --upgrade --service-account tiller
μμ λͺ λ Ήμμ΄ λ¬Έμ λ₯Ό ν΄κ²°ν©λλ€. μ²μμλμ΄ λ¨κ³λ₯Ό μ κ·Ή κΆμ₯ν©λλ€. :)
κ°μ₯ μ μ©ν λκΈ
νΈλ¬λ₯Ό λ°°ν¬ ν κΆνμ΄ μκΈ° λλ¬Έμ κ³μ μ μΆκ°νμΈμ.
μ½μ μΆλ ₯ :
κ·Έλ° λ€μ μλ λͺ λ Ήμ μ€ννμ¬ νμΈνμμμ€.