3.4 KiB
Configuring and initializing Helm Tiller
To make use of Helm, you must have a Kubernetes cluster. Ensure you can
access your cluster using kubectl
.
Helm consists of two parts, the helm
client and a tiller
server inside Kubernetes.
NOTE: Note: If you are not able to run Tiller in your cluster, for example on OpenShift, it is possible to use Tiller locally and avoid deploying it into the cluster. This should only be used when Tiller cannot be normally deployed.
Initialize Helm and Tiller
Tiller is deployed into the cluster and interacts with the Kubernetes API to deploy your applications. If role based access control (RBAC) is enabled, Tiller will need to be granted permissions to allow it to talk to the Kubernetes API.
If RBAC is not enabled, skip to initalizing Helm.
If you are not sure whether RBAC is enabled in your cluster, or to learn more, read through our RBAC documentation.
Preparing for Helm with RBAC
Helm's Tiller will need to be granted permissions to perform operations. These instructions grant cluster wide permissions, however for more advanced deployments permissions can be restricted to a single namespace. To grant access to the cluster, we will create a new tiller
service account and bind it to the cluster-admin
role.
Create a file rbac-config.yaml
with the following contents:
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
Next we need to connect to the cluster and upload the RBAC config.
Upload the RBAC config
Some clusters require authentication to use kubectl
to create the Tiller roles.
Upload the RBAC config as an admin user (GKE)
For GKE, you need to grab the admin credentials:
gcloud container clusters describe <cluster-name> --zone <zone> --project <project-id> --format='value(masterAuth.password)'
This command will output the admin password. We need the password to authenticate with kubectl
and create the role.
kubectl --username=admin --password=xxxxxxxxxxxxxx create -f rbac-config.yaml
Upload the RBAC config (Other clusters)
For other clusters like Amazon EKS, you can directly upload the RBAC configuration.
kubectl create -f rbac-config.yaml
Initialize Helm
Deploy Helm Tiller with a service account:
helm init --service-account tiller
If your cluster previously had Helm/Tiller installed, run the following to ensure that the deployed version of Tiller matches the local Helm version:
helm init --upgrade --service-account tiller
Patching Helm Tiller for Amazon EKS
Helm Tiller requires a flag to be enabled to work properly on Amazon EKS:
kubectl -n kube-system patch deployment tiller-deploy -p '{"spec": {"template": {"spec": {"automountServiceAccountToken": true}}}}'