When deploying a service via a Helm Chart, the installation failed because the tiller
serviceaccount was not allowed to create a ServiceMonitor
resource.
Note:
ServiceMonitor
is a CRD defined by the Prometheus Operator to automagically get metrics of running containers in Pods.I wanted to verify the permissions of the tiller
serviceaccount.
kubectl
has the auth can-i
command, queries like these (see below) always return no
.
kubectl auth can-i list deployment --as=tiller
kubectl auth can-i list deployment --as=staging:tiller
What is the proper way to check permissions for a serviceaccount?
How to enable the tiller
account to create a ServiceMonitor resource?
After trying lots of things and Googling all over the universe I finally found this blogpost about Securing your cluster with RBAC and PSP where an example is given how to check access for serviceaccounts.
The correct command is:
kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccountname> [-n <namespace>]
To check whether the tiller
account has the right to create a ServiceMonitor
object:
kubectl auth can-i create servicemonitor --as=system:serviceaccount:staging:tiller -n staging
Note: to solve my issue with the tiller
account, I had to add rights to the servicemonitors
resource in the monitoring.coreos.com
apiGroup. After that change, the above command returned yes
(finally) and the installation of our Helm Chart succeeded.
Updated tiller-manager
role:
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-manager
labels:
org: ipos
app: tiller
annotations:
description: "Role to give Tiller appropriate access in namespace"
ref: "https://docs.helm.sh/using_helm/#example-deploy-tiller-in-a-namespace-restricted-to-deploying-resources-only-in-that-namespace"
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- '*'