
Error: error installing: User "system:anonymous" cannot create deployments.extensions in the namespace "kube-system".: "No policy matched.\nUnknown user \"system:anonymous\"" (post deployments.extensions) #2657

Closed
mikhno-s opened this issue Jul 8, 2017 · 3 comments

Comments

@mikhno-s

mikhno-s commented Jul 8, 2017

Hi,

Have

Helm 2.5.0
Kubernetes 1.6 with RBAC enabled on GCP

Problem

Run these commands in a container with kubectl and helm:

$ kubectl config set-credentials $K8S_USER --username=$K8S_USER --password=$K8S_PASS
$ kubectl config set-cluster test-cluster --server=https://$K8S_SERVER --insecure-skip-tls-verify=$K8S_INSECURE_SKIP_TLS_VERIFY
$ kubectl config set-context default-context --cluster=$K8S_CLUSTER_NAME --user=$K8S_USER 
$ kubectl config use-context default-context
$ kubectl cluster-info
Kubernetes master is running at https://****

$ helm init
$HELM_HOME has been configured at /config/.helm.
Error: error installing: User "system:anonymous" cannot create deployments.extensions in the namespace "kube-system".: "No policy matched.\nUnknown user \"system:anonymous\"" (post deployments.extensions)

Question

What might I do to fix this error?

@seh
Contributor

seh commented Jul 10, 2017

You will need to bind sufficient permissions to the Tiller pod's service account in order for it to be able to install the objects requested by your charts. Best is to create a fresh service account for Tiller in the same namespace in which its pod runs (in your case, "kube-system"), then either create a Role in the namespaces into which you intend to install charts or a ClusterRole if you want to share the definition across several namespaces, then create either RoleBinding or ClusterRoleBinding objects to grant these permissions to the aforementioned Tiller-specific service account.

@mikhno-s
Author

I created a manifest with a service account and a ClusterRoleBinding definition

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
secrets:
  - tiller-secret
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Then I added this service user to the specification of Tiller

kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

Then I changed the command list for auth in k8s in my pipeline manifest.

begin_script:
  - echo "$CA" > /ca.crt
  - kubectl config set-cluster k8s-cluster --embed-certs=true --server=https://$K8S_SERVER --certificate-authority=/ca.crt
  - kubectl config set-credentials tiller --token=$USER_TOKEN
  - kubectl config set-context k8s-cluster --cluster=k8s-cluster --user=tiller
  - kubectl config use-context k8s-cluster 

$CA and $USER_TOKEN are the secret variables which save the ca.crt data and the tiller user token.

Use these commands to get ca.crt and user_token:

$ secret=$(kubectl get sa tiller -o json --namespace=kube-system | jq -r .secrets[].name)
$ kubectl get secret $secret -o json | jq -r '.data["ca.crt"]' | base64 -D # $CA  (base64 -D is the macOS flag; GNU coreutils uses -d)
$ kubectl get secret $secret -o json | jq -r '.data["token"]' | base64 -D # $USER_TOKEN

@seh
Contributor

seh commented Jul 10, 2017

Note that helm init honors a --service-account flag as of commit 64e9e47.
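The script below is an added example, not code from this issue or from the Helm project. It puts seh's advice (a dedicated service account plus Role/RoleBinding objects) and mikhno-s's bootstrap steps together, but without the cluster-admin ClusterRoleBinding: Tiller gets a Role for the ConfigMaps it stores release state in within its own namespace, and a second Role confined to the namespace the charts go into. It also uses `helm init --service-account` instead of patching the deployment, and builds the CI kubeconfig from the account's token and CA rather than basic auth with TLS verification switched off. The role names, the `staging` target namespace, the resource list in the deployer rule and the kubeconfig path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the issue: least-privilege RBAC for Tiller
# (namespaced Roles instead of a cluster-admin ClusterRoleBinding) plus a
# kubeconfig bootstrap using the service-account token and CA instead of
# basic auth with TLS verification disabled. Role names, namespaces and the
# kubeconfig layout are assumptions for illustration.
set -eu

# Manifests for a "tiller" service account in $1 that may manage releases in
# namespace $2 only. Tiller stores release state as ConfigMaps in its own
# namespace, so it needs configmap rights there; chart objects are confined to
# the target namespace. Extend the second rule set to what your charts create.
tiller_rbac_manifest() {
  tiller_ns=$1
  target_ns=$2
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: ${tiller_ns}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: tiller-release-store
  namespace: ${tiller_ns}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: tiller-release-store
  namespace: ${tiller_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-release-store
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: ${tiller_ns}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: tiller-deployer
  namespace: ${target_ns}
rules:
  - apiGroups: ["", "apps", "extensions"]
    resources: ["deployments", "services", "configmaps", "secrets", "pods"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: tiller-deployer
  namespace: ${target_ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-deployer
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: ${tiller_ns}
EOF
}

# Apply the manifests and install Tiller under that account; helm init honors
# --service-account (mentioned in the thread). Needs cluster access.
apply_tiller_rbac() {
  tiller_rbac_manifest "$1" "$2" | kubectl apply -f -
  helm init --service-account tiller --tiller-namespace "$1"
}

# base64 decoding differs between GNU coreutils (-d) and older macOS (-D only).
b64decode() {
  if printf 'eA==' | base64 -d >/dev/null 2>&1; then base64 -d; else base64 -D; fi
}

# Build a kubeconfig ($3) for the CI job from the service account's token and
# CA in namespace $1, talking to API server $2. jsonpath replaces jq.
write_tiller_kubeconfig() {
  ns=$1; server=$2; out=$3
  secret=$(kubectl get sa tiller -n "$ns" -o jsonpath='{.secrets[0].name}')
  kubectl get secret "$secret" -n "$ns" -o jsonpath='{.data.ca\.crt}' | b64decode > "$out.ca.crt"
  token=$(kubectl get secret "$secret" -n "$ns" -o jsonpath='{.data.token}' | b64decode)
  export KUBECONFIG=$out
  kubectl config set-cluster k8s-cluster --server="$server" \
    --certificate-authority="$out.ca.crt" --embed-certs=true
  kubectl config set-credentials tiller --token="$token"
  kubectl config set-context k8s-cluster --cluster=k8s-cluster --user=tiller
  kubectl config use-context k8s-cluster
}
```

Usage: `apply_tiller_rbac kube-system staging` once as a cluster administrator, then `write_tiller_kubeconfig kube-system https://API_SERVER /ci/kubeconfig` from the job that runs helm. A chart that creates objects outside the listed resources (ingresses, jobs, service accounts) will fail with the same kind of "cannot create" error as in the issue, which is the signal to add exactly that resource to the deployer Role rather than fall back to cluster-admin. Note also that a CI job holding the tiller token has every right Tiller has; a separate account limited to reaching the Tiller pod would be tighter still.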
