Minimal SA for helm client to connect to tiller running inside k8s cluster. Actual permissions needed for deployments are assigned to tiller's own SA and not shown here.
More details for setting up Tiller with RBAC can be found in the helm docs
This works if helm is running inside a pod as well as from CLI. Useful for CI/CD tools like drone-helm
List pods:
kubectl --kubeconfig helm.kubecfg -n util get pod| KUBE_TOKEN=$(kubectl get secret $(kubectl get sa helm -o jsonpath='{.secrets[].name}') -o jsonpath="{.data.token}" | base64 -D) |
| apiVersion: v1 | |
| kind: ServiceAccount | |
| metadata: | |
| name: helm | |
| namespace: util | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: Role | |
| metadata: | |
| name: tiller-user | |
| namespace: util | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - pods/portforward | |
| verbs: | |
| - create | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - pods | |
| verbs: | |
| - list | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | |
| kind: RoleBinding | |
| metadata: | |
| name: tiller-user-helm | |
| namespace: util | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: tiller-user | |
| subjects: | |
| - kind: ServiceAccount | |
| name: helm | |
| namespace: util |
| # See https://github.com/ipedrazas/drone-helm/blob/master/kubeconfig | |
| kind: Config | |
| apiVersion: v1 | |
| clusters: | |
| - cluster: | |
| certificate-authority-data: {{ bla bla }} | |
| server: {{ api server url }} | |
| name: some-cluster | |
| users: | |
| - name: helm-user | |
| user: | |
| token: {{ ENV[KUBE_TOKEN] }} | |
| contexts: | |
| - context: | |
| cluster: some-cluster | |
| namespace: util | |
| user: helm-user | |
| name: some-context | |
| current-context: some-context |