How to scope a custom Tiller install to a Project

Task

By default, helm init (Helm v2) deploys Tiller into the kube-system namespace, and Tiller installs every release using the permissions of its own ServiceAccount, not those of the user running helm. Using a shared, cluster-wide Tiller to deploy charts therefore requires far more permissions than a Project Owner or Member would typically have, and anyone allowed to talk to that Tiller effectively inherits them.

If you do not want to use Rancher Apps, or you need to use the Helm v2 CLI to deploy or manage a chart in a downstream Project, you can instead create a custom Tiller deployment whose ServiceAccount is bound only to the namespaces of that Project.

Pre-requisites

  • kubectl access to the downstream cluster your Project resides in. For the initial setup (creating the ClusterRole, ServiceAccount and RoleBindings) you will need cluster-admin.
  • The Helm v2 binary. See the Helm v2 installation documentation for details.
  • A Project containing the namespaces you plan to manage with Tiller. For the purposes of demonstration we call them project-x-tiller-deploy (the namespace we are installing Tiller into) and project-x-namespaceA (the namespace we want to manage with Tiller). Both must exist before you start.

Setup

First, you will need to define a ServiceAccount and permissions for Tiller to use:

  • Create a ClusterRole for Tiller. A ClusterRole by itself grants nothing; it only becomes effective where it is bound, and we will bind it with namespaced RoleBindings later on, so Tiller never receives cluster-wide access. Be aware that the wildcard rules make Tiller an administrator of every namespace it is bound to, including Secrets, ServiceAccounts and Pods in that namespace. The rbac.authorization.k8s.io/v1 API is used here; the v1beta1 version originally shown was deprecated and was removed in Kubernetes 1.22.
    cat <<EOF | kubectl apply -f -
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: tiller-project-x
    rules:
    # Namespace-admin level access to the core, batch, extensions and apps groups.
    # Charts that create objects in other groups (RBAC, CRDs, networking.k8s.io, policy)
    # need additional rules here.
    - apiGroups: ["", "batch", "extensions", "apps"]
      resources: ["*"]
      verbs: ["*"]
    EOF
  • Create a ServiceAccount in the namespace you want Tiller to run in (within the same Project):
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: tiller
      namespace: project-x-tiller-deploy
    EOF
  • Create a RoleBinding in each namespace Tiller should manage, linking the ClusterRole to the Tiller ServiceAccount. Because the binding is a RoleBinding (not a ClusterRoleBinding), the permissions apply only inside the namespace named in metadata.namespace:
    cat <<EOF | kubectl apply -f -
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: tiller-rolebinding-project-x-namespaceA
      namespace: project-x-namespaceA   # the namespace being granted
    subjects:
    - kind: ServiceAccount
      name: tiller
      namespace: project-x-tiller-deploy  # where the ServiceAccount lives
    roleRef:
      kind: ClusterRole
      name: tiller-project-x
      apiGroup: rbac.authorization.k8s.io
    EOF

A separate RoleBinding is required for every namespace you want to manage with Tiller, so repeat the RoleBinding above for each namespace in your Project, changing namespace: project-x-namespaceA (and the binding name) as needed. The Tiller namespace itself (project-x-tiller-deploy) must also get a RoleBinding: Tiller stores release history as ConfigMaps in its own namespace, and without permission there every install fails before any chart resource is created. Do not bind the ClusterRole outside the Project, and in particular never to kube-system, or the scoping is lost.

Once the ClusterRole, ServiceAccount, and RoleBindings are created, Helm can be instructed to deploy Tiller to the desired namespace using the ServiceAccount you created: helm init --service-account tiller --tiller-namespace project-x-tiller-deploy. Note that a plain helm init deploys Tiller with an unauthenticated gRPC endpoint, so any workload that can reach it inside the cluster can install releases with the tiller ServiceAccount's permissions in the bound namespaces; enable TLS (helm init --tiller-tls with the related --tiller-tls-* and --tls-ca-cert flags) as described in the Helm v2 "Securing your Helm Installation" documentation, or restrict Tiller to listen on localhost and port-forward to it.

You can now deploy using Helm. You will either need to set the environment variable TILLER_NAMESPACE to the namespace Tiller was deployed in, or pass --tiller-namespace on every helm command. If neither is set, helm looks for Tiller in kube-system and fails with: Error: could not find tiller
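The manual steps above are easy to get subtly wrong (a binding forgotten for the Tiller namespace, a subject pointing at the wrong namespace). The following POSIX shell script is an added example, not part of this article or of Rancher's or Helm's own tooling; the script name gen_tiller_rbac.sh and its function names are hypothetical, while the namespace, ServiceAccount and ClusterRole names are the ones used in this article. It generates the complete set of manifests for a Tiller namespace plus any number of managed namespaces (always including a binding for the Tiller namespace itself), and provides a post-apply check with kubectl auth can-i that the tiller ServiceAccount can act in a managed namespace but not in kube-system.

```shell
#!/bin/sh
# gen_tiller_rbac.sh (hypothetical name): emit the ClusterRole, ServiceAccount and
# one RoleBinding per namespace needed to scope Tiller to a Project.
# Usage: sh gen_tiller_rbac.sh TILLER_NS NS1 [NS2 ...] | kubectl apply -f -

CLUSTERROLE_NAME="tiller-project-x"
SA_NAME="tiller"

# The ClusterRole is defined once and only ever bound with namespaced RoleBindings.
# rbac.authorization.k8s.io/v1 replaces v1beta1 (removed in Kubernetes 1.22).
clusterrole_manifest() {
  cat <<EOF
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ${CLUSTERROLE_NAME}
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
EOF
}

# $1 = namespace Tiller runs in
serviceaccount_manifest() {
  cat <<EOF
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SA_NAME}
  namespace: $1
EOF
}

# $1 = Tiller namespace (where the ServiceAccount lives), $2 = namespace to grant
rolebinding_manifest() {
  cat <<EOF
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-rolebinding-$2
  namespace: $2
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: $1
roleRef:
  kind: ClusterRole
  name: ${CLUSTERROLE_NAME}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Emit everything. The Tiller namespace always gets a RoleBinding because Tiller
# stores release data as ConfigMaps there; duplicates in the argument list are skipped.
tiller_rbac_manifests() {
  tiller_ns="$1"; shift
  clusterrole_manifest
  serviceaccount_manifest "$tiller_ns"
  rolebinding_manifest "$tiller_ns" "$tiller_ns"
  for ns in "$@"; do
    [ "$ns" = "$tiller_ns" ] && continue
    rolebinding_manifest "$tiller_ns" "$ns"
  done
}

# Number of RoleBindings in the generated output (one per distinct namespace).
count_rolebindings() {
  tiller_rbac_manifests "$@" | grep -c '^kind: RoleBinding$'
}

# Post-apply check (needs cluster access, so it is not run automatically):
# the tiller ServiceAccount must be able to create Deployments in a managed
# namespace ($2) and must NOT be able to do so in kube-system.
verify_tiller_rbac() {
  sa="system:serviceaccount:$1:${SA_NAME}"
  kubectl auth can-i create deployments.apps --as="$sa" -n "$2" \
    && ! kubectl auth can-i create deployments.apps --as="$sa" -n kube-system
}

# Only generate output when namespaces are given on the command line.
if [ "$#" -ge 1 ]; then
  tiller_rbac_manifests "$@"
fi
```

Running sh gen_tiller_rbac.sh project-x-tiller-deploy project-x-namespaceA | kubectl apply -f - applies the same objects as the manual steps above, plus the binding for the Tiller namespace; verify_tiller_rbac project-x-tiller-deploy project-x-namespaceA afterwards returns success only if the scoping is in effect.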
