github.com/amy/helm@v2.7.2+incompatible/docs/service_accounts.md

# Tiller and Service Accounts

In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that your application is operating in the scope that you have specified. Read more about service account permissions [in the official Kubernetes docs](https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions). Bitnami also has a fantastic guide for [configuring RBAC in your cluster](https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/) that takes you through RBAC basics.

You can add a service account to Tiller using the `--service-account <NAME>` flag while you're configuring Helm. As a prerequisite, you'll have to create a role binding which specifies a [role](https://kubernetes.io/docs/admin/authorization/rbac/#role-and-clusterrole) and a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) name that have been set up in advance.

Once you have satisfied the prerequisite and have a service account with the correct permissions, you'll run a command like this: `helm init --service-account <NAME>`

## Example: Service account with cluster-admin role

```console
$ kubectl create serviceaccount tiller --namespace kube-system
```

In `rbac-config.yaml`:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
```

_Note: The cluster-admin role is created by default in a Kubernetes cluster, so you don't have to define it explicitly._

```console
$ kubectl create -f rbac-config.yaml
$ helm init --service-account tiller
```

## Example: Service account restricted to a namespace

In the example above, we gave Tiller admin access to the entire cluster. Tiller does not require cluster-admin access to work. Instead of specifying a ClusterRole or a ClusterRoleBinding, you can specify a Role and RoleBinding to limit Tiller's scope to a particular namespace.

```console
$ kubectl create namespace tiller-world
namespace "tiller-world" created
$ kubectl create serviceaccount tiller --namespace tiller-world
serviceaccount "tiller" created
```

Define a Role, as in `role-tiller.yaml`:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: tiller-world
  name: tiller-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods", "configmaps", "secrets", "namespaces"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
```

```console
$ kubectl create -f role-tiller.yaml
role "tiller-manager" created
```

In `rolebinding-tiller.yaml`:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-binding
  namespace: tiller-world
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller-world
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
```

```console
$ kubectl create -f rolebinding-tiller.yaml
rolebinding "tiller-binding" created
```

```console
$ helm init --service-account tiller --tiller-namespace tiller-world
$HELM_HOME has been configured at /Users/awesome-user/.helm.

Tiller (the helm server side component) has been installed into your Kubernetes Cluster.
Happy Helming!

$ helm install nginx --tiller-namespace tiller-world --namespace tiller-world
NAME:   wayfaring-yak
LAST DEPLOYED: Mon Aug  7 16:00:16 2017
NAMESPACE: tiller-world
STATUS: DEPLOYED

RESOURCES:
==> v1/Pod
NAME                  READY  STATUS             RESTARTS  AGE
wayfaring-yak-alpine  0/1    ContainerCreating  0         0s
```
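The two examples above differ only in the binding they create, which is easy to miss in a `kubectl create -f` step. The following script is an added example, not part of the Helm documentation or the Helm project: it lints both sets of manifests offline (the YAML text is a constructed copy of the files on this page), reporting the Role and the binding each one produces and refusing the one that binds Tiller to `cluster-admin` cluster-wide, and it wraps `kubectl auth can-i` with impersonation so the granted scope of the namespace-restricted service account can be confirmed against a live cluster after `helm init`. The function names `rbac_lint` and `tiller_can_i` and the `TILLER_NAMESPACE`/`TILLER_SA` variables are this example's own; the awk parser only understands the flat two-space layout used by these manifests.

```shell
#!/bin/sh
# Added example (not part of the Helm docs): lint Tiller RBAC manifests before
# applying them, then verify the granted permissions against the API server.

# Constructed copy of rbac-config.yaml (cluster-admin example).
CLUSTER_ADMIN_MANIFEST='apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system'

# Constructed copy of role-tiller.yaml and rolebinding-tiller.yaml
# (namespace-restricted example), joined into one multi-document file.
NAMESPACED_MANIFEST='kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: tiller-world
  name: tiller-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods", "configmaps", "secrets", "namespaces"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-binding
  namespace: tiller-world
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller-world
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io'

# rbac_lint MANIFEST: summarise every Role and binding in a multi-document
# manifest string. Prints one line per object and returns 1 when a
# ClusterRoleBinding grants cluster-admin (cluster-wide admin for Tiller),
# 0 otherwise. Wildcard rules are counted but do not fail the check.
# Handles only the flat two-space layout used by the manifests above.
rbac_lint() {
  printf '%s\n' "$1" | awk '
    function emit() {
      if (kind == "ClusterRoleBinding" || kind == "RoleBinding") {
        printf "%s %s -> %s/%s\n", kind, name, rolekind, role
        if (kind == "ClusterRoleBinding" && role == "cluster-admin") bad = 1
      } else if (kind == "Role" || kind == "ClusterRole") {
        printf "%s %s rules=%d wildcards=%d\n", kind, name, rules, wild
      }
      kind = ""; name = ""; role = ""; rolekind = ""; rules = 0; wild = 0; section = ""
    }
    /^---/       { emit(); next }                       # next YAML document
    /^[A-Za-z]/  { split($0, kv, ":"); section = kv[1]  # top-level key
                   if (section == "kind") kind = $2; next }
    /^- /        { if (section == "rules") rules++ }    # one rule entry
    /"\*"/       { if (section == "rules") wild++ }     # wildcard verb/resource
    /^ +name:/   { if (section == "metadata") name = $2
                   else if (section == "roleRef") role = $2 }
    /^ +kind:/   { if (section == "roleRef") rolekind = $2 }
    END          { emit(); exit bad }
  '
}

# tiller_can_i NAMESPACE VERB RESOURCE: ask the API server whether Tiller's
# service account may perform VERB on RESOURCE in NAMESPACE, using kubectl
# impersonation (--as). Needs a live cluster, so the offline checks below do
# not call it. Expected answers for the namespace-restricted example:
#   tiller_can_i tiller-world create deployments  -> yes
#   tiller_can_i default      create deployments  -> no
#   tiller_can_i kube-system  get    secrets      -> no
tiller_can_i() {
  kubectl auth can-i "$2" "$3" --namespace "$1" \
    --as "system:serviceaccount:${TILLER_NAMESPACE:-tiller-world}:${TILLER_SA:-tiller}"
}

echo "== cluster-admin example (rbac-config.yaml)"
rbac_lint "$CLUSTER_ADMIN_MANIFEST" || echo "   flagged: ClusterRoleBinding to cluster-admin"
echo "== namespace-restricted example (role-tiller.yaml + rolebinding-tiller.yaml)"
rbac_lint "$NAMESPACED_MANIFEST" && echo "   ok: scope limited to a Role in tiller-world"
```

Run it as-is to see the two manifests classified; to check a deployed Tiller, source the script and call `tiller_can_i` with the namespace and service account you used for `helm init` (override `TILLER_NAMESPACE` and `TILLER_SA` if they differ from the page's values). With the cluster-admin binding, `tiller_can_i kube-system get secrets` answers `yes`, which is exactly the reach the namespace-restricted example removes.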