When deploying a service via a Helm Chart, the installation failed because the tiller serviceaccount was not allowed to create a ServiceMonitor resource.
Note: ServiceMonitor is a CRD defined by the Prometheus Operator to automagically get metrics of running containers in Pods.
I wanted to verify the permissions of the tiller serviceaccount. kubectl has the auth can-i command, but queries like these (see below) always return no.
kubectl auth can-i list deployment --as=tiller
kubectl auth can-i list deployment --as=staging:tiller
What is the proper way to check permissions for a serviceaccount?
How to enable the tiller account to create a ServiceMonitor resource?
We will also assume that RBAC has been enabled in your cluster through the --authorization-mode=RBAC option in your Kubernetes API server. You can check this by executing the command kubectl api-versions; if RBAC is enabled you should see the API version rbac.authorization.k8s.io/v1.
In Kubernetes, service accounts are used to provide an identity for pods. Pods that want to interact with the API server will authenticate with a particular service account. By default, applications will authenticate as the default service account in the namespace they are running in.
After trying lots of things and Googling all over the universe I finally found this blogpost about Securing your cluster with RBAC and PSP where an example is given how to check access for serviceaccounts.
The correct command is:
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccountname> [-n <namespace>]
To check whether the tiller account has the right to create a ServiceMonitor object:
kubectl auth can-i create servicemonitor --as=system:serviceaccount:staging:tiller -n staging
Note: to solve my issue with the tiller account, I had to add rights to the servicemonitors resource in the monitoring.coreos.com apiGroup. After that change, the above command returned yes (finally) and the installation of our Helm Chart succeeded.
Updated tiller-manager role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  labels:
    org: ipos
    app: tiller
  annotations:
    description: "Role to give Tiller appropriate access in namespace"
    ref: "https://docs.helm.sh/using_helm/#example-deploy-tiller-in-a-namespace-restricted-to-deploying-resources-only-in-that-namespace"
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups:
  - monitoring.coreos.com
  resources:
  - servicemonitors
  verbs:
  - '*'
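An added example, not from the question or any of the answers, that reproduces offline why the original Role failed and the updated one passes: it applies the additive, wildcard-aware matching the RBAC authorizer uses to PolicyRules, against a dict copy of the tiller-manager Role above (the dict and the sample requests are constructed for this example), and also builds the exact kubectl auth can-i invocation from the answer for the same check against a live cluster.

```python
"""Offline check of which (apiGroup, resource, verb) requests a Role permits,
using the same matching rules the RBAC authorizer applies to PolicyRules."""

# Constructed for this example: the tiller-manager Role from the answer above,
# written as a dict instead of YAML so the script runs without PyYAML.
TILLER_MANAGER_ROLE = {
    "kind": "Role",
    "metadata": {"name": "tiller-manager"},
    "rules": [
        {"apiGroups": ["", "batch", "extensions", "apps"],
         "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["monitoring.coreos.com"],
         "resources": ["servicemonitors"], "verbs": ["*"]},
    ],
}


def _matches(allowed, wanted):
    # An RBAC list entry matches exactly or via the "*" wildcard; the core API group is "".
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """A single PolicyRule grants a request only if group, resource and verb all match."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def role_allows(role, api_group, resource, verb):
    """Rules are purely additive: the Role grants the request if any one rule does."""
    return any(rule_allows(r, api_group, resource, verb) for r in role["rules"])


def can_i_command(verb, resource, namespace, serviceaccount):
    """Build the kubectl invocation from the answer for the same check on a live cluster."""
    subject = f"system:serviceaccount:{namespace}:{serviceaccount}"
    return f"kubectl auth can-i {verb} {resource} --as={subject} -n {namespace}"


if __name__ == "__main__":
    # Without the second rule (the Role before the fix) the ServiceMonitor create is denied.
    before_fix = {"rules": TILLER_MANAGER_ROLE["rules"][:1]}
    for role_name, role in (("before fix", before_fix), ("after fix", TILLER_MANAGER_ROLE)):
        ok = role_allows(role, "monitoring.coreos.com", "servicemonitors", "create")
        print(f"{role_name}: create servicemonitors -> {'yes' if ok else 'no'}")
    print(can_i_command("create", "servicemonitor", "staging", "tiller"))
```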
This displays what permissions you have on a service account prom-stack-grafana, e.g.
kubectl -n monitoring auth can-i --list --as=system:serviceaccount:monitoring:prom-stack-grafana