我正在尝试通过 Terraform 的 Helm provider，
使用以下 Terraform 脚本安装 Helm：
# Client configuration of the Google identity Terraform runs as; the helm
# provider reads its access_token to authenticate against the cluster.
data "google_client_config" "current" {
}
# Helm provider pointed at the GKE cluster "eu". The Tiller image tag comes from
# var.helm_version.
provider "helm" {
  max_history  = 250
  tiller_image = "gcr.io/kubernetes-helm/tiller:${var.helm_version}"

  kubernetes {
    host                   = "${google_container_cluster.eu.endpoint}"
    cluster_ca_certificate = "${base64decode(google_container_cluster.eu.master_auth.0.cluster_ca_certificate)}"

    # Two credentials are supplied at once: an OAuth access token and a client
    # certificate/key pair.
    # NOTE(review): the error reported for this configuration names
    # User "client"; that is presumably the identity carried by the client
    # certificate, which has no RBAC grant to create deployments in
    # kube-system. Confirm which credential the API server actually sees.
    # The client key and the token are also written to Terraform state, so the
    # state backend has to be protected like any other secret store.
    token              = "${data.google_client_config.current.access_token}"
    client_certificate = "${base64decode(google_container_cluster.eu.master_auth.0.client_certificate)}"
    client_key         = "${base64decode(google_container_cluster.eu.master_auth.0.client_key)}"
  }
}
# Installs the stable/mariadb chart as release "mydatabase" with two value
# overrides.
resource "helm_release" "mydatabase" {
  chart = "stable/mariadb"
  name  = "mydatabase"

  set {
    name  = "mariadbUser"
    value = "foo"
  }

  # NOTE(review): the database password is a literal in the configuration, so it
  # lands in version control and in Terraform state in clear text. Feeding it
  # from a variable whose value is kept outside the repository is the usual fix.
  set {
    name  = "mariadbPassword"
    value = "qux"
  }
}
但是出现以下错误
* helm_release.mydatabase: 1 error(s) occurred:
* helm_release.mydatabase: error installing: deployments.extensions is forbidden: User "client" cannot create deployments.extensions in the namespace "kube-system"
我认为这个错误发生在 Terraform 的 Helm provider 尝试安装 Tiller 的时候。有人可以帮忙吗？
答案 0 :(得分:0)
好的,您的方法正确,但是..在这里,我同意@hk'。
helm_release.mydatabase: error installing: deployments.extensions is forbidden: User "client" cannot create deployments.extensions in the namespace "kube-system"
上述错误纯粹是授权（权限）问题。在安装和配置 Helm provider 的过程中，很多人都遇到过困难，例如 GitHub 上尚未关闭的相关 issue。下面的一些思路可能对您有所帮助。
本文helm provider is Pain中介绍了可能对您有用的方法。 其中有一种对人有用的解决方案。
再试一次:
# Dedicated service account for Tiller in kube-system.
resource "kubernetes_service_account" "tiller" {
  # Mount the account's API token into pods that run as this account.
  automount_service_account_token = true

  metadata {
    namespace = "kube-system"
    name      = "tiller"
  }
}
# Binds the built-in cluster-admin ClusterRole to the kube-system/tiller
# service account.
# NOTE(review): cluster-admin gives Tiller unrestricted control of the whole
# cluster, so any client able to talk to Tiller effectively holds that role.
# Where releases live in known namespaces, a namespace-scoped Role and
# RoleBinding limits the blast radius.
resource "kubernetes_cluster_role_binding" "tiller" {
  metadata {
    name = "tiller"
  }

  subject {
    kind      = "ServiceAccount"
    namespace = "kube-system"
    name      = "tiller"
    api_group = ""
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "cluster-admin"
  }
}
# Helm provider that installs Tiller itself and runs it under the service
# account declared in kubernetes_service_account.tiller.
provider "helm" {
  version = "~> 0.7"
  debug   = true

  install_tiller = true
  tiller_image   = "gcr.io/kubernetes-helm/tiller:v2.11.0"

  # Referencing the resource attributes (rather than literal strings) ties the
  # provider to the service account's name and namespace.
  namespace       = "${kubernetes_service_account.tiller.metadata.0.namespace}"
  service_account = "${kubernetes_service_account.tiller.metadata.0.name}"

  kubernetes {
    # Cluster credentials come from a per-environment kubeconfig file; the
    # identity in that file is the one that must be allowed to create the
    # Tiller deployment.
    config_path = "~/.kube/${var.env}"
  }
}
或
# Service account that Tiller runs as, created in kube-system.
resource "kubernetes_service_account" "tiller" {
  metadata {
    namespace = "kube-system"
    name      = "tiller"
  }
}
# Grants cluster-admin to the Tiller service account, addressed here by its
# user name "system:serviceaccount:kube-system:tiller" instead of a
# ServiceAccount subject.
# NOTE(review): cluster-admin is the broadest role in the cluster; a
# namespace-scoped Role and RoleBinding is the tighter option when Tiller only
# manages releases in known namespaces.
resource "kubernetes_cluster_role_binding" "tiller" {
  # Create the service account before the binding that names it.
  depends_on = ["kubernetes_service_account.tiller"]

  metadata {
    name = "tiller"
  }

  role_ref {
    kind      = "ClusterRole"
    name      = "cluster-admin"
    api_group = "rbac.authorization.k8s.io"
  }

  subject {
    kind      = "User"
    name      = "system:serviceaccount:kube-system:tiller"
    api_group = "rbac.authorization.k8s.io"
  }
}
# Helm provider that installs Tiller v2.12.3 into kube-system under the
# "tiller" service account.
# NOTE(review): no kubernetes block is given, so cluster credentials come from
# the provider's defaults (presumably the local kubeconfig) - confirm which
# identity that resolves to.
provider "helm" {
  install_tiller  = true
  tiller_image    = "gcr.io/kubernetes-helm/tiller:v2.12.3"
  namespace       = "kube-system"
  service_account = "tiller"
}
答案 1 :(得分:-1)
这是与角色和授权有关的问题。先用 `helm reset` 重置 Helm，然后运行以下命令来解决您的问题。
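# Download the Helm installer script. The download URL did not survive on this
# page, so GET_HELM_URL is a placeholder for the official Helm install-script
# URL. '>' is used instead of the page's '>>' so that a stale get_helm.sh is
# overwritten rather than appended to before it is executed.
curl "$GET_HELM_URL" > get_helm.sh
chmod 700 get_helm.sh
# Inspect get_helm.sh before running it: it installs a binary on this machine.
./get_helm.sh

# Service account for Tiller in kube-system.
kubectl create serviceaccount --namespace kube-system tiller
# Binds cluster-admin to that account. This gives Tiller unrestricted control of
# the cluster; a namespace-scoped Role and RoleBinding is the tighter option.
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
helm init
# Point the existing tiller-deploy Deployment at the new service account.
# (The JSON on the page had one closing brace too many.)
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'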