无法在指定的名称空间上安装kubernetes图表 [英] Unable to install kubernetes charts on specified namespace

问题描述

我已经在Google Kubernetes Engine上安装了一个集群.

I have installed a cluster on Google Kubernetes Engine.

然后，我创建了命名空间"staging"

And then, I created namespace "staging"

$ kubectl get namespaces
default       Active    26m
kube-public   Active    26m
kube-system   Active    26m
staging       Active    20m

然后，我切换为在暂存名称空间中进行操作

Then, I switched to operate in the staging namespace

$ kubectl config use-context staging
$ kubectl config current-context
staging

然后，我在临时名称空间上使用helm安装了postgresql

And then, I installed postgresql using helm on staging namespace

helm install --name staging stable/postgresql

但是我得到了:

错误:版本暂存失败:禁止名称空间暂存":用户"system:serviceaccount:kube-system:default"无法在名称空间"staging"中获取名称空间:未知用户"system:serviceaccount:kube-system:default "

Error: release staging failed: namespaces "staging" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "staging": Unknown user "system:serviceaccount:kube-system:default"

是什么意思.. ??如何使其工作.. ??

What does it mean..?? How to get it working..??

谢谢你.

推荐答案

由于您的群集已启用RBAC，因此您的tiller Pod似乎没有足够的权限.

As your cluster is RBAC enabled, seems like your tiller Pod do not have enough permission.

您正在使用default ServiceAccount，该服务缺乏RBAC权限，分till器要求.

You are using default ServiceAccount which lacks enough RBAC permission, tiller requires.

创建ClusterRole，ClusterRoleBinding和ServiceAccount所需的全部.通过它们，您可以为您的Pod提供必要的权限.

All you need to create ClusterRole, ClusterRoleBinding and ServiceAccount. With them you can provide necessary permission to your Pod.

按照此步骤

_1.创建ClusterRole tiller

_1. Create ClusterRole tiller

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

注意:我已经在这里使用了完全许可权.

Note: I have used full permission here.

_2.在kube-system名称空间中创建ServiceAccount tiller

_2. Create ServiceAccount tiller in kube-system namespace

$ kubectl create sa tiller -n kube-system

_3.创建ClusterRoleBinding tiller

_3. Create ClusterRoleBinding tiller

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: tiller
  apiGroup: rbac.authorization.k8s.io

现在您需要在分till部署中使用此ServiceAccount.

Now you need to use this ServiceAccount in your tiller Deployment.

已经拥有一个，请对其进行编辑

As you already have one, edit that

$ kubectl edit deployment -n kube-system tiller-deploy

在PodSpec下将serviceAccountName设置为tiller

Set serviceAccountName to tiller under PodSpec

详细了解 RBAC

这篇关于无法在指定的名称空间上安装kubernetes图表的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！