kubernetes helm example

Helm error: cannot list configmaps in the namespace “kube-system”

This tutorial guides you on how to fix kubernetes Error: configmaps is forbidden: User “system:serviceaccount:kube-system:default” cannot list configmaps in the namespace “kube-system” while running helm init command.

Helm error: cannot list configmaps in the namespace “kube-system”

I tried to install Tiller by following the official documentation.

Note, Tiller is the server portion of Helm and Tiller runs inside your Kubernetes cluster. And Tiller stores its data in Kubernetes configmaps i.e., by default tiller stores release information in configmaps in the namespace where it is running. After installing tiller when I tried to run helm init I got the following error.

$ helm list
Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

Solution : Error configmaps is forbidden

There is a special note for RBAC users in the documentation. Most cloud providers enable a feature called Role-Based Access Control – RBAC for short. If your cloud provider enables this feature, you will need to create a service account for Tiller with the right roles and permissions to access resources.

Also, check kubernetes distribution guide for any further instructions on using Helm with your cloud provider. I was trying to install tiller on Google Cloud Platform (GCP). So I did check on how to run Tiller in an RBAC-enabled Kubernetes cluster.

You can create serviceaccount with cluster-admin role , then deploy Tiller in a namespace with restricted deployment so that access provided to the resources only to that namespace as shown below. Afterwards you can run helm init to install/upgrade the tiller.

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'      
helm init --service-account tiller --upgrade

Conclusion

That’s it. A service account has been created in the namespace and cluster-admin role was granted to the specific service account to ensure that our application is operating within the scope that we have specified. Finally, we added the account that we want tiller to use using the following command.

kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

At last, run helm init command as shown above. Try to run helm list, the error configmaps is forbidden: User “system:serviceaccount:kube-system:default” cannot list configmaps in the namespace “kube-system” should have gone away !!

Hope it helped 🙂

You’ll also like:

References

guest
0 Comments
Inline Feedbacks
View all comments