
I'm deploying my chart with helm like this:

helm upgrade --install --namespace newnamespace --create-namespace testing mychart 

My understanding is everything should be deployed into newnamespace

I have this in my chart:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "mychart.serviceAccountName" . }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: {{ include "mychart.serviceAccountName" . }}
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "watch", "list"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: {{ include "mychart.serviceAccountName" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "mychart.serviceAccountName" . }}
subjects:
  - kind: ServiceAccount
    name: {{ include "mychart.serviceAccountName" . }}

When deployed I get this error:

Error: ClusterRoleBinding.rbac.authorization.k8s.io "my-service-account" is invalid: subjects[0].namespace: Required value 

Then I add this and the deploy works:

...
subjects:
  - kind: ServiceAccount
    name: {{ include "mychart.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}

Why is this? What is this requirement of ClusterRoleBinding? Can't it see the namespace where it's being deployed?

Is it because ClusterRoleBinding is cluster-wide that it must have the namespace defined in its definition? Are ClusterRoleBinding resources not created in any namespace? If so, where do they live, kube-system?

Does this mean that if I deleted the namespace containing my helm release before doing a helm uninstall the ClusterRoleBinding would be left behind?

1 Answer

ClusterRoleBinding binds the ClusterRole with your service account. ClusterRoleBinding gives the access cluster-wide. In the ClusterRole you basically tell what actions your service account can perform. A ClusterRole is a set of permissions that can be assigned to resources within a given cluster.

Now, by ClusterRoleBinding you are just binding the ClusterRole with your service account; as a service account is a namespace-scoped object, you need to provide the namespace name in your subject, as you did in the second part.

btw, ClusterRole is a non-namespaced resource. As far as the k8s docs go, you can use a ClusterRole to:

  • define permissions on namespaced resources and be granted within individual namespace(s)
  • define permissions on namespaced resources and be granted across all namespaces
  • define permissions on cluster-scoped resources

Another thing that will also work is adding the apiGroup, like apiGroup: rbac.authorization.k8s.io.

When you created the service account, you basically created it in the default namespace, as that is the default, here:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "mychart.serviceAccountName" . }}

As for your last question, ClusterRole is cluster-scoped but ClusterRoleBinding and service account are namespace-scoped, and as far as the rules go, if you delete a namespace then all the objects of that namespace will be gone along with the namespace.

You can see the k8s docs to get a clearer idea.

I found another good tutorial.
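As an added example that is not part of the question or answer: a small pre-deploy check in Python over rendered manifests (assumed to be already parsed into dicts, e.g. with PyYAML from `helm template` output; the sample release below is constructed, with the template name expanded to "my-service-account"). It reports the missing `subjects[].namespace` that the error message complains about, fills in the release namespace the way `namespace: {{ .Release.Namespace }}` does, and lists the cluster-scoped objects (ClusterRole, ClusterRoleBinding) that deleting the release namespace would leave behind.

```python
import copy

# Cluster-scoped kinds in the core and RBAC APIs; they outlive any namespace.
CLUSTER_SCOPED = {"ClusterRole", "ClusterRoleBinding", "Namespace", "Node"}

# Constructed stand-in for the rendered chart from the question, with
# "mychart.serviceAccountName" already expanded to "my-service-account".
SAMPLE_DOCS = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "my-service-account"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
     "metadata": {"name": "my-service-account"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "my-service-account"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "my-service-account"},
     "subjects": [{"kind": "ServiceAccount", "name": "my-service-account"}]},
]

def lint_subjects(docs, release_namespace):
    """Return (findings, fixed_docs). A ServiceAccount subject in any
    binding must carry a namespace; the API server rejects it otherwise
    (the 'subjects[0].namespace: Required value' error). The fixed copies
    fill in release_namespace, as 'namespace: {{ .Release.Namespace }}' does."""
    findings, fixed = [], []
    for doc in docs:
        doc = copy.deepcopy(doc)          # never mutate the caller's manifests
        kind = doc.get("kind")
        name = doc.get("metadata", {}).get("name", "<unnamed>")
        if kind in ("ClusterRoleBinding", "RoleBinding"):
            for i, subj in enumerate(doc.get("subjects", [])):
                if subj.get("kind") == "ServiceAccount" and not subj.get("namespace"):
                    findings.append(f"{kind}/{name}: subjects[{i}].namespace missing "
                                    f"for ServiceAccount {subj.get('name')}")
                    subj["namespace"] = release_namespace
        fixed.append(doc)
    return findings, fixed

def left_behind_on_namespace_delete(docs):
    """Objects that deleting the release namespace would NOT remove; these
    still need 'helm uninstall' (or a manual delete) to be cleaned up."""
    return sorted(f"{d['kind']}/{d['metadata']['name']}"
                  for d in docs if d.get("kind") in CLUSTER_SCOPED)

if __name__ == "__main__":
    problems, fixed_docs = lint_subjects(SAMPLE_DOCS, "newnamespace")
    print("\n".join(problems) or "no findings")
    print("cluster-scoped:", left_behind_on_namespace_delete(fixed_docs))
```

Run it against the real output of `helm template` by loading the documents with `yaml.safe_load_all` and passing the resulting list instead of `SAMPLE_DOCS`.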
