Last active November 8, 2018 17:13
RBAC for Tiller script
#!/bin/sh
# See https://github.com/kubernetes/helm/blob/master/docs/rbac.md#tiller-and-role-based-access-control
# Create a tiller ServiceAccount bound to cluster-admin, then install Tiller under it.
echo 'apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system' | kubectl create -f - && helm init --service-account tiller
# See https://engineering.bitnami.com/articles/helm-security.html
# Remove the Tiller Service and make Tiller listen on localhost only,
# so its gRPC port (44134) is not reachable from other pods.
kubectl -n kube-system delete service tiller-deploy
kubectl -n kube-system patch deployment tiller-deploy --patch '
spec:
  template:
    spec:
      containers:
        - name: tiller
          ports: []
          command: ["/tiller"]
          args: ["--listen=localhost:44134"]
'
To uninstall the above, do:
helm reset --force
kubectl delete sa tiller --namespace kube-system
kubectl delete clusterrolebindings tiller
I still use this with each new helm installation. Thanks again for sharing it!
bash <(curl -fsSL https://goo.gl/KV7QNJ)
^ This one-line raw gist runs the raw gist script above.