github.com/amy/helm@v2.7.2+incompatible/docs/service_accounts.md

# Tiller and Service Accounts

In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that your application is operating in the scope that you have specified. Read more about service account permissions [in the official Kubernetes docs](https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions). Bitnami also has a fantastic guide for [configuring RBAC in your cluster](https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/) that takes you through RBAC basics.

You can bind Tiller to a service account using the `--service-account <NAME>` flag when you configure helm. As a prerequisite, you'll have to create a role binding which specifies a [role](https://kubernetes.io/docs/admin/authorization/rbac/#role-and-clusterrole) and a [service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) name that have been set up in advance.

Once you have satisfied the prerequisite and have a service account with the correct permissions, you'll run a command like this: `helm init --service-account <NAME>`

## Example: Service account with cluster-admin role

```console
$ kubectl create serviceaccount tiller --namespace kube-system
```

In `rbac-config.yaml`:
```yaml
# This ServiceAccount is the same one created by the kubectl command above;
# keep only one of the two, or kubectl create -f reports that it already exists.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
```

_Note: The cluster-admin role is created by default in a Kubernetes cluster, so you don't have to define it explicitly._

```console
$ kubectl create -f rbac-config.yaml
$ helm init --service-account tiller
```

## Example: Service account restricted to a namespace

In the example above, we gave Tiller admin access to the entire cluster. You are not at all required to give Tiller cluster-admin access for it to work. Instead of specifying a ClusterRole or a ClusterRoleBinding, you can specify a Role and RoleBinding to limit Tiller's scope to a particular namespace.

```console
$ kubectl create namespace tiller-world
namespace "tiller-world" created
$ kubectl create serviceaccount tiller --namespace tiller-world
serviceaccount "tiller" created
```

Define a Role like in `role-tiller.yaml`:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: tiller-world
  name: tiller-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["deployments", "replicasets", "pods", "configmaps", "secrets", "namespaces"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # You can also use ["*"]
```

```console
$ kubectl create -f role-tiller.yaml
role "tiller-manager" created
```

In `rolebinding-tiller.yaml`:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-binding
  namespace: tiller-world
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller-world
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
```

```console
$ kubectl create -f rolebinding-tiller.yaml
rolebinding "tiller-binding" created
```

```console
$ helm init --service-account tiller --tiller-namespace tiller-world
$HELM_HOME has been configured at /Users/awesome-user/.helm.

Tiller (the helm server side component) has been installed into your Kubernetes Cluster.
Happy Helming!

$ helm install nginx --tiller-namespace tiller-world --namespace tiller-world
NAME:   wayfaring-yak
LAST DEPLOYED: Mon Aug  7 16:00:16 2017
NAMESPACE: tiller-world
STATUS: DEPLOYED

RESOURCES:
==> v1/Pod
NAME                  READY  STATUS             RESTARTS  AGE
wayfaring-yak-alpine  0/1    ContainerCreating  0         0s
```
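The difference between the two examples is easiest to see by evaluating the grants the way the RBAC authorizer does. The script below is an added example, not Helm or Kubernetes code: it transcribes the page's two roles and two bindings into Python dicts (so it needs no YAML library), approximates the built-in `cluster-admin` role as a single all-wildcard rule (the real role also grants `nonResourceURLs`), and implements the basic matching rules only (no subresources, `resourceNames` or non-resource URLs). `can_i` is an offline stand-in for `kubectl auth can-i ... --as=system:serviceaccount:<ns>:<name>`, and `broad_grants` lists what a reviewer would flag before approving the manifests.

```python
"""Offline evaluation of the RBAC grants shown on this page (added example,
not Helm code). A request (apiGroup, resource, verb) in a namespace is allowed
when some binding that names the subject and applies to that namespace
references a role containing a rule that matches all three fields; "*" is a
wildcard in each field. Subresources, resourceNames and nonResourceURLs are
not modelled."""

# The page's manifests transcribed into dicts so the script needs no PyYAML.
ROLES = [
    # Built-in role, approximated: the real one also grants nonResourceURLs.
    {"kind": "ClusterRole", "name": "cluster-admin", "namespace": None,
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # role-tiller.yaml
    {"kind": "Role", "name": "tiller-manager", "namespace": "tiller-world",
     "rules": [{"apiGroups": ["", "extensions", "apps"],
                "resources": ["deployments", "replicasets", "pods",
                              "configmaps", "secrets", "namespaces"],
                "verbs": ["get", "list", "watch", "create", "update",
                          "patch", "delete"]}]},
]

BINDINGS = [
    # rbac-config.yaml: kube-system/tiller -> cluster-admin, cluster-wide
    {"kind": "ClusterRoleBinding", "name": "tiller", "namespace": None,
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "tiller",
                   "namespace": "kube-system"}]},
    # rolebinding-tiller.yaml: tiller-world/tiller -> tiller-manager, one namespace
    {"kind": "RoleBinding", "name": "tiller-binding", "namespace": "tiller-world",
     "roleRef": {"kind": "Role", "name": "tiller-manager"},
     "subjects": [{"kind": "ServiceAccount", "name": "tiller",
                   "namespace": "tiller-world"}]},
]


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """A PolicyRule grants the request only if group, resource and verb all match."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def _binding_names_subject(binding, sa_namespace, sa_name):
    return any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
               and s["namespace"] == sa_namespace for s in binding["subjects"])


def _binding_applies_in(binding, namespace):
    # A ClusterRoleBinding applies everywhere; a RoleBinding only in its own namespace.
    return binding["kind"] == "ClusterRoleBinding" or binding["namespace"] == namespace


def _resolve_role(roles, binding):
    ref = binding["roleRef"]
    for role in roles:
        if role["kind"] != ref["kind"] or role["name"] != ref["name"]:
            continue
        # A referenced Role must live in the binding's namespace; a ClusterRole is global.
        if ref["kind"] == "ClusterRole" or role["namespace"] == binding["namespace"]:
            return role
    return None


def can_i(sa_namespace, sa_name, namespace, api_group, resource, verb,
          roles=ROLES, bindings=BINDINGS):
    """Offline equivalent of:
    kubectl auth can-i <verb> <resource> -n <namespace> --as=system:serviceaccount:<ns>:<name>"""
    for binding in bindings:
        if not _binding_names_subject(binding, sa_namespace, sa_name):
            continue
        if not _binding_applies_in(binding, namespace):
            continue
        role = _resolve_role(roles, binding)
        if role is None:
            continue
        if any(rule_allows(r, api_group, resource, verb) for r in role["rules"]):
            return True
    return False


def broad_grants(roles=ROLES, bindings=BINDINGS):
    """Findings a manifest reviewer would flag: cluster-admin bindings and wildcard rules."""
    findings = []
    for b in bindings:
        if b["roleRef"] == {"kind": "ClusterRole", "name": "cluster-admin"}:
            findings.append(f"{b['kind']}/{b['name']} grants cluster-admin to {b['subjects']}")
    for role in roles:
        if role["name"] == "cluster-admin":
            continue
        for rule in role["rules"]:
            for field in ("apiGroups", "resources", "verbs"):
                if "*" in rule[field]:
                    findings.append(f"{role['kind']}/{role['name']} uses a wildcard in {field}")
    return findings


if __name__ == "__main__":
    sa = ("tiller-world", "tiller")
    print("deployments in tiller-world:", can_i(*sa, "tiller-world", "apps", "deployments", "create"))
    print("deployments in kube-system: ", can_i(*sa, "kube-system", "apps", "deployments", "create"))
    print("list nodes:                 ", can_i(*sa, "tiller-world", "", "nodes", "list"))
    print("kube-system/tiller, secrets in default:",
          can_i("kube-system", "tiller", "default", "", "secrets", "list"))
    for finding in broad_grants():
        print("finding:", finding)
```

Running it shows the namespaced Tiller can manage deployments in `tiller-world` but not in `kube-system` and cannot touch cluster-scoped resources such as nodes, while the `kube-system` Tiller bound to `cluster-admin` can read secrets in any namespace; the only finding reported is the `cluster-admin` binding. Swapping the Role's verb list for `["*"]`, as the page's comment permits, adds a wildcard finding, which is the trade-off to weigh before doing so. Against a live cluster, the same questions are answered by `kubectl auth can-i` with the `--as=system:serviceaccount:tiller-world:tiller` impersonation flag.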