无法使用Helm在AWS的kops集群上安装Nginx

Question

i have set up a two node kops cluster. Where i have installed helm tool.

I created my own application specific helm package and installed it through helm and everything works fine.

but when i tried to install nginx through stable helm charts(as specified in standard instructions) i am getting below error,

root@ip-172-31-27-86:~/helm# helm install --name my-nginx stable/nginx-ingress
Error: release tinseled-billygoat failed: clusterroles.rbac.authorization.k8s.io "tinseled-billygoat-nginx-ingress" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["configmaps"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["endpoints"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["secrets"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["nodes"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["update"]} PolicyRule{Resources:["services"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["ingresses"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["create"]} PolicyRule{Resources:["events"], APIGroups:[""], Verbs:["patch"]} PolicyRule{Resources:["ingresses/status"], APIGroups:["extensions"], Verbs:["update"]}] user=&{system:serviceaccount:kube-system:default bdf8f2bc-84e2-11e8-8fa3-02f0fae19e8e [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]

helm list, containing chart details.

root@ip-172-31-27-86:/home/appHome/HelmPackages# helm list
NAME            REVISION        UPDATED                         STATUS          CHART                   NAMESPACE
my-nginx        1               Wed Jul 11 11:02:37 2018        FAILED          nginx-ingress-0.22.1    default
nodeapp1        1               Wed Jul 11 10:36:23 2018        DEPLOYED        nodeapp-helm-0.1.0      default

It seems some kind of rbac issue, however i had successfully deployed nginx similary before. But now i am facing this for first time, So not exactly sure where it might be wrong.

Any help appreciated

Answer 1

Sounds like your helm service account does not have some privileges granted that your nginx ingress chart tries to create. RBAC does not allow creation of particular access if user that is doing so does not have this access on it's own, which is pretty logical for avoiding privilege escalation when delegating access.

Answer 2

I tried by re-installing helm with service account,

kubectl create serviceaccount --namespace kube-system tiller kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller helm init --service-account tiller

yet, it was not helpful still faced the same issue.

But as a quick fix for test env, i set this property while installing nginx

--set rbac.create=false

and now Nginx is working fine, but this is not recommended for production servers.

helm install --name my-nginx stable/nginx-ingress --set rbac.create=false