https://devopstales.github.io/kubernetes/k8s-helm-rbac/ #17

Open
utterances-bot opened this issue Jul 9, 2022 · 3 comments

Comments

@utterances-bot
RBAC permissions for Helm - devopstales

https://devopstales.github.io/kubernetes/k8s-helm-rbac/

Instead of a service account, can we give access to a specific AD group? I have given a role and role binding to one namespace for the AD group, but when the user tries to install the application to the specific namespace it is not allowed. How can we fix this issue?

@devopstales
Owner

Hi @roshithrajan, I want to clarify some things first. This post is based on helm2. That is outdated now, we use helm3. As you can see in the post, at helm2 there is a server-side component called tiller, that is running in a pod. You can't run a pod as a user, just as a service account. So if you use helm2 this is the only way. At helm3 there is no tiller. It runs all the actions in the name of the user. So you need to add privileges to the user. If you use groups you can add both the groups.

@roshithrajan

Thank you for the reply. I am using helm 3 and created a namespace and gave the below role and rolebinding to the specific group, but when the user tried to install cert-manager using helm:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cert-manager-full-access
  namespace: cert-manager   # a Role is namespaced: it cannot grant cluster-scoped resources such as CRDs
rules:
  - apiGroups: ["", "extensions", "apps"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["*"]
```

Error:

```text
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml
W0710 11:19:02.462140 5805 azure.go:92] WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin instead.
To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apiextensions.k8s.io/v1, Resource=customresourcedefinitions", GroupVersionKind: "apiextensions.k8s.io/v1, Kind=CustomResourceDefinition"
Name: "certificaterequests.cert-manager.io", Namespace: ""
from server for: "https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml": customresourcedefinitions.apiextensions.k8s.io "certificaterequests.cert-manager.io" is forbidden: User "[email protected]" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apiextensions.k8s.io/v1, Resource=customresourcedefinitions", GroupVersionKind: "apiextensions.k8s.io/v1, Kind=CustomResourceDefinition"
Name: "certificates.cert-manager.io", Namespace: ""
from server for: "https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml": customresourcedefinitions.apiextensions.k8s.io "certificates.cert-manager.io" is forbidden: User "[email protected]" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apiextensions.k8s.io/v1, Resource=customresourcedefinitions", GroupVersionKind: "apiextensions.k8s.io/v1, Kind=CustomResourceDefinition"
Name: "challenges.acme.cert-manager.io", Namespace: ""
from server for: "https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml": customresourcedefinitions.apiextensions.k8s.io "challenges.acme.cert-manager.io" is forbidden: User "[email protected]" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apiextensions.k8s.io/v1, Resource=customresourcedefinitions", GroupVersionKind: "apiextensions.k8s.io/v1, Kind=CustomResourceDefinition"
Name: "clusterissuers.cert-manager.io", Namespace: ""
from server for: "https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml": customresourcedefinitions.apiextensions.k8s.io "clusterissuers.cert-manager.io" is forbidden: User "[email protected]" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apiextensions.k8s.io/v1, Resource=customresourcedefinitions", GroupVersionKind: "apiextensions.k8s.io/v1, Kind=CustomResourceDefinition"
Name: "issuers.cert-manager.io", Namespace: ""
from server for: "https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml": customresourcedefinitions.apiextensions.k8s.io "issuers.cert-manager.io" is forbidden: User "[email protected]" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
Error from server (Forbidden): error when retrieving current configuration of:
Resource: "apiextensions.k8s.io/v1, Resource=customresourcedefinitions", GroupVersionKind: "apiextensions.k8s.io/v1, Kind=CustomResourceDefinition"
Name: "orders.acme.cert-manager.io", Namespace: ""
from server for: "https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml": customresourcedefinitions.apiextensions.k8s.io "orders.acme.cert-manager.io" is forbidden: User "[email protected]" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
```
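The errors above all end in "at the cluster scope": CRDs are cluster-scoped, so no namespaced Role, however broad, can grant them, and the group needs a ClusterRole plus ClusterRoleBinding for that part. The following helper, added here as an example and not part of the thread or the blog post, parses kube-apiserver "Forbidden" lines in the format quoted above and emits the least-privilege Role/ClusterRole and bindings for a group; the group name `example-ad-group`, the role name `cert-manager-installer`, the user `user@example.com` and the second (namespaced) sample line are constructed.

```python
import re

# Shape of the kube-apiserver "Forbidden" message quoted in the thread above.
# Cluster-scoped resources (CRDs, nodes, ...) end in "at the cluster scope";
# namespaced ones end in 'in the namespace "<ns>"'. Only a ClusterRole can
# satisfy the first kind, which is why the namespaced Role above did not help.
FORBIDDEN_RE = re.compile(
    r'User "[^"]+" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" in API group '
    r'"(?P<group>[^"]*)" (?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")')

def parse_forbidden(text):
    """Return sorted, de-duplicated (verb, apiGroup, resource, namespace|None) tuples."""
    found = {(m["verb"], m["group"], m["resource"], m["ns"])
             for m in FORBIDDEN_RE.finditer(text)}
    return sorted(found, key=lambda d: (d[0], d[1], d[2], d[3] or ""))

def rules_for(denials):
    """Merge denials on the same apiGroup+resource into one rule listing only the verbs
    that were actually refused (no wildcards: least privilege)."""
    merged = {}
    for verb, group, resource, _ in denials:
        merged.setdefault((group, resource), set()).add(verb)
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(v)}
            for (g, r), v in sorted(merged.items())]

def manifests_for_group(text, ad_group, name):
    """Build the RBAC objects a group needs so the quoted errors go away: a
    ClusterRole(+Binding) for cluster-scoped denials, a Role(+Binding) per namespace."""
    rbac = "rbac.authorization.k8s.io"
    subjects = [{"kind": "Group", "name": ad_group, "apiGroup": rbac}]
    by_ns = {}
    for d in parse_forbidden(text):
        by_ns.setdefault(d[3], []).append(d)   # key None = cluster scope
    objs = []
    for ns, denials in sorted(by_ns.items(), key=lambda kv: kv[0] or ""):
        kind = "Role" if ns else "ClusterRole"
        meta = {"name": name, **({"namespace": ns} if ns else {})}
        objs.append({"apiVersion": rbac + "/v1", "kind": kind, "metadata": meta,
                     "rules": rules_for(denials)})
        objs.append({"apiVersion": rbac + "/v1", "kind": kind + "Binding",
                     "metadata": meta, "subjects": subjects,
                     "roleRef": {"apiGroup": rbac, "kind": kind, "name": name}})
    return objs

# Constructed sample: the first CRD line from the thread (user replaced by a
# placeholder) plus one made-up namespaced denial to exercise the Role branch.
SAMPLE = """\
customresourcedefinitions.apiextensions.k8s.io "certificaterequests.cert-manager.io" is forbidden: User "user@example.com" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
deployments.apps is forbidden: User "user@example.com" cannot create resource "deployments" in API group "apps" in the namespace "cert-manager"
"""
```

The returned dicts are plain JSON-compatible objects, and JSON is valid YAML, so `json.dumps` of a `v1/List` wrapping them can be reviewed and fed to `kubectl apply -f -`. Because the API server reports only the first refused verb per object, a Helm install will surface further denials (create/update on the CRDs, namespaced workloads) that need to be fed back through the same parser, or confirmed ahead of time with `kubectl auth can-i --as-group=<group>`.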
