Helm error: cannot list configmaps in the namespace “kube-system”
This tutorial shows how to fix the Kubernetes error "configmaps is forbidden: User “system:serviceaccount:kube-system:default” cannot list configmaps in the namespace “kube-system”" that appears while running the helm init command.
I tried to install Tiller by following the official documentation.
Note that Tiller is the server portion of Helm and runs inside your Kubernetes cluster. Tiller stores its data in Kubernetes configmaps; by default it stores release information in configmaps in the namespace where it is running. After installing Tiller, when I tried to run helm init, I got the following error.
$ helm list
Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
Solution: Error configmaps is forbidden
There is a special note for RBAC users in the documentation. Most cloud providers enable a feature called Role-Based Access Control – RBAC for short. If your cloud provider enables this feature, you will need to create a service account for Tiller with the right roles and permissions to access resources.
Also, check the Kubernetes distribution guide for any further instructions on using Helm with your cloud provider. I was trying to install Tiller on Google Cloud Platform (GCP), so I checked how to run Tiller in an RBAC-enabled Kubernetes cluster.
You can create a service account for Tiller, bind it to the cluster-admin role, and patch the Tiller deployment to use that account, as shown below. Note that a ClusterRoleBinding to cluster-admin gives Tiller full access to every namespace in the cluster, not only kube-system; restricting Tiller to a single namespace requires a namespaced Role and RoleBinding instead. Afterwards you can run helm init to install/upgrade Tiller.
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade
Conclusion
That’s it. A service account was created in the kube-system namespace and the cluster-admin role was granted to that specific service account, so Tiller operates with the permissions we specified (here, cluster-wide cluster-admin) instead of those of the default service account. Finally, we set the account that we want Tiller to use with the following command.
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
Finally, run the helm init command as shown above. Then try to run helm list: the error configmaps is forbidden: User “system:serviceaccount:kube-system:default” cannot list configmaps in the namespace “kube-system” should be gone.
Hope it helped 🙂