helm install istio returns forbidden error

1
votes

I am trying to install istio using helm. I get an error "forbidden: attempt to grant extra privileges". I am using Azure AKS cluster.

Here is what I've tried with no luck.

  • Using --set rbac.create=false
  • Using a brand new cluster with RBAC turned off
  • Created cluster role binding for cluster admin for the current user

[root@59373cb6f571 codebase]# helm install k8s/istio/helm/istio --name istio --namespace istio-system --set servicegraph.enabled=true --set grafana.enabled=true Error: release istio failed: clusterroles.rbac.authorization.k8s.io "istio-galley-istio-system" is forbidden: attempt to grant extra privileges: [{[] [admissionregistration.k8s.io] [validatingwebhookconfigurations] [] []} {[get] [config.istio.io] [] [] []} {[list] [config.istio.io] [] [] []} {[watch] [config.istio.io] [] [] []} {[get] [] [deployments] [istio-galley] []} {[get] [] [endpoints] [istio-galley] []}] user=&{system:serviceaccount:kube-system:default 8134fa11-dd8d-11e8-967b-56582c65801d [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]

1
kubernetesistiokubernetes-helm

1 Answers

1
votes

From the error messages, the Tiller, component of helm that running in the cluster, use the default serviceaccount in the kube-system namespace to create resources in istio-system namespace, but don't have enough privilege.

So you can configure Tiller to use another serviceaccount, and provide cluster admin privilege to that serviceaccount, or continue to use default serviceaccount, and provide cluster admin to default serviceaccount. since all Pod startuped in this namespace will use default serviceaccount by default, give full privilege to default serviceaccount is not recommended.

for example, excerpt from helm document: 

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system