Five Minute Tip: Kubernetes helm in multiple namespaces
A while ago I’ve upgraded the infrastructure to work in Kubernetes and having the application separated though namespaces. I’ve created deployment files and use helm to install applications in the cluster. I’ve found that using helm in multiple namespaces requires a bit extra editing to make it work.
Assuming helm client has been installed and ready to go. We’ll create a service account:
kubectl -n myapp create serviceaccount tiller
This basically creates a serviceaccount called tiller in a namespace called myapp. Now will need to create a cluster role binding for the account.
kubectl create clusterrolebinding tiller -n myapp --clusterrole=cluster-admin --serviceaccount=myapp:tiller
The –clusterrole=cluster-admin is defining what role is the account going to have. In this case, a cluster-admin role. The account can go beyond a namespace and view resources cluster-wide. The last part –serviceaccount=myapp:some-tiller-account tells Kubernetes where to install the service account. In this case, inside the namespace myapp.
Then install helm into that namespace:
helm init --service-account tiller --tiller-namespace myapp
Oh wait, what if we need helm to work in multiple namespaces? That easy! We can recycle the last command and installed a to install a service account into a different namespace:
kubectl create clusterrolebinding some-tiller-account -n mydata --clusterrole=cluster-admin --serviceaccount=mydata:tiller
Next, will need to update the clusterrolebinding so that helm can see what’s inside of another namespace.
kubectl edit clusterrolebinding tiller -n myapp Origonal: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: tiller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: tiller namespace: myapp Updated: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: tiller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: tiller namespace: myapp - <span style="color: rgb(255, 0, 0);" data-mce-style="color: #ff0000;">kind: ServiceAccount</span> <span style="color: rgb(255, 0, 0);" data-mce-style="color: #ff0000;"> name: tiller</span> <span style="color: rgb(255, 0, 0);" data-mce-style="color: #ff0000;"> namespace: mydata</span>
That it! When you do a helm install or helm ls you should beable to see inside both namespaces.