Unable to install kubernetes charts on specified namespace
I have installed a cluster on Google Kubernetes Engine.
And then, I created namespace "staging"
$ kubectl get namespaces
default Active 26m
kube-public Active 26m
kube-system Active 26m
staging Active 20m
Then, I switched to operate in the staging namespace
$ kubectl config use-context staging
$ kubectl config current-context
staging
And then, I installed postgresql using helm on staging namespace
helm install --name staging stable/postgresql
But I got:
Error: release staging failed: namespaces "staging" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "staging": Unknown user "system:serviceaccount:kube-system:default"
What does it mean..?? How to get it working..??
Thank you..
As your cluster is RBAC enabled, it seems like your tiller Pod does not have enough permissions.
You are using the default ServiceAccount, which lacks the RBAC permissions tiller requires.
All you need is to create a ClusterRole, ClusterRoleBinding and ServiceAccount. With them you can provide the necessary permissions to your Pod.
Follow these steps
1. Create ClusterRole tiller
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller
rules:
# Wildcards: every verb on every resource in every API group
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
Note: I have used full permission here.
2. Create ServiceAccount tiller in the kube-system namespace
$ kubectl create sa tiller -n kube-system
3. Create ClusterRoleBinding tiller
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: tiller
  apiGroup: rbac.authorization.k8s.io
Now you need to use this ServiceAccount in your tiller Deployment.
As you already have one, edit that
$ kubectl edit deployment -n kube-system tiller-deploy
Set serviceAccountName to tiller under PodSpec
Read more about RBAC
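An added example, not part of the original answer: the ClusterRole in step 1 grants every verb on every resource, so the tiller ServiceAccount ends up with full cluster access. This Python sketch audits the JSON printed by `kubectl get clusterroles,clusterrolebindings -o json` for ServiceAccounts bound that way; the sample input is constructed, and the `deploy-reader` and `ci-read` objects in it are hypothetical.

```python
import json

# Constructed sample in the shape of `kubectl get clusterroles,clusterrolebindings -o json`:
# the answer's wildcard "tiller" role and binding plus a hypothetical read-only pair.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "tiller"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "deploy-reader"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "tiller"},
  "subjects": [{"kind": "ServiceAccount", "name": "tiller", "namespace": "kube-system"}],
  "roleRef": {"kind": "ClusterRole", "name": "tiller", "apiGroup": "rbac.authorization.k8s.io"}},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-read"},
  "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "staging"}],
  "roleRef": {"kind": "ClusterRole", "name": "deploy-reader", "apiGroup": "rbac.authorization.k8s.io"}}
]}
""")


def is_wildcard_rule(rule):
    """True when a rule allows every verb on every resource in every API group."""
    return all("*" in (rule.get(key) or []) for key in ("apiGroups", "resources", "verbs"))


def overprivileged_service_accounts(manifest_list):
    """Return sorted (namespace, name, binding) for ServiceAccounts bound to a wildcard ClusterRole."""
    items = manifest_list.get("items", [])
    wildcard_roles = {
        item["metadata"]["name"]
        for item in items
        if item.get("kind") == "ClusterRole"
        and any(is_wildcard_rule(r) for r in item.get("rules") or [])
    }
    findings = set()
    for item in items:
        ref = item.get("roleRef") or {}
        if item.get("kind") != "ClusterRoleBinding" or ref.get("name") not in wildcard_roles:
            continue
        for subject in item.get("subjects") or []:
            if subject.get("kind") == "ServiceAccount":
                findings.add((subject.get("namespace", ""), subject["name"], item["metadata"]["name"]))
    return sorted(findings)


if __name__ == "__main__":
    for namespace, name, binding in overprivileged_service_accounts(SAMPLE):
        print(f"system:serviceaccount:{namespace}:{name} has full cluster access via {binding}")
```

Rules that carry only `nonResourceURLs` are not counted as wildcard rules, and namespaced Role and RoleBinding objects are outside what this check covers.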