gke-letsencrypt

Installing cert manager throws error

Open timuckun opened this issue 5 years ago • 8 comments

Error: namespaces "kube-system" is forbidden: User "system:serviceaccount:kube-system:default" cannot get namespaces in the namespace "kube-system"

I have followed all the instructions up to this point. I have run them twice and gotten confirmation that they were properly installed.

timuckun avatar Nov 25 '18 22:11 timuckun

Are you on GKE? Do you have owner permissions on the cluster?

ahmetb avatar Nov 25 '18 22:11 ahmetb

I do have permissions. After searching around quite a bit, I found that if I do this before, it works:

kubectl create serviceaccount -n kube-system tiller
kubectl create clusterrolebinding tiller-binding \
    --clusterrole=cluster-admin \
    --serviceaccount kube-system:tiller

helm init --service-account tiller

kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=cluster-admin --serviceaccount=kube-system:default


helm repo update

So I had to create that extra role binding. My understanding is weak at this point, but this did allow me to go on with the tutorial. You may want to add that to the docs.

Thanks.

timuckun avatar Nov 26 '18 21:11 timuckun

Hmm so the instructions at https://github.com/ahmetb/gke-letsencrypt/blob/master/10-install-helm.md were not enough?

I'm not sure why we need to give kube-system:default user a permission as well. Maybe that's a recent change. What's your GKE/Kubernetes version?

ahmetb avatar Nov 26 '18 21:11 ahmetb

No, the instructions were not enough, in that when it came to installing the cert manager I got the permission error. My GKE version is 1.10.9-gke.5

timuckun avatar Nov 26 '18 22:11 timuckun

I just tried this on a clean 1.10.6-gke.11 cluster (technically the same as yours since both are 1.10) and it didn't require me to do anything with --serviceaccount=kube-system:default.

I'll open this issue as others may also run into it, but as far as I can tell, it doesn't warrant a change.

ahmetb avatar Nov 26 '18 22:11 ahmetb

OK. For some reason I had to do that.

timuckun avatar Nov 26 '18 23:11 timuckun

I bumped into this same issue on GKE 1.11.5-gke.4. @timuckun's solution worked for me.

FreakTheMighty avatar Dec 20 '18 20:12 FreakTheMighty

Don't we have the same steps listed in that comment already in https://github.com/ahmetb/gke-letsencrypt/blob/master/10-install-helm.md ? I don't really understand where the problem comes from (existing helm installations?)

ahmetb avatar Dec 20 '18 22:12 ahmetb
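
One way to check the question left open in the last comment, as an added example that is not part of the thread or the project's docs: it reads which service account Tiller actually runs as and whether `kube-system:default` now holds full access after the workaround. It assumes Helm 2 defaults (deployment `tiller-deploy` in `kube-system`) and a caller allowed to impersonate service accounts; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Helm 2 defaults: Tiller is the
# deployment "tiller-deploy" in kube-system. Function names are hypothetical.

# Print the service account in Tiller's pod template. An empty field means
# the pod runs as the namespace's "default" account.
tiller_service_account() {
    sa=$(kubectl -n kube-system get deployment tiller-deploy \
        -o jsonpath='{.spec.template.spec.serviceAccountName}') || return 1
    echo "${sa:-default}"
}

# Ask the API server whether a kube-system service account may perform
# <verb> on <resource>. kubectl exits non-zero when the answer is "no".
sa_can() {  # usage: sa_can <serviceaccount> <verb> <resource>
    kubectl auth can-i "$2" "$3" \
        --as="system:serviceaccount:kube-system:$1" >/dev/null 2>&1
}

diagnose_tiller() {
    sa=$(tiller_service_account) || { echo "tiller-not-found"; return 1; }
    if [ "$sa" = "default" ]; then
        # Same subject as in the reported error: kube-system:default.
        # "helm init --service-account tiller" did not reach this deployment.
        echo "tiller-runs-as-default"
    elif sa_can "$sa" get namespaces; then
        echo "ok:$sa"
    else
        echo "missing-binding:$sa"
    fi
    # The add-on-cluster-admin binding from the workaround gives cluster-admin
    # to every kube-system pod that does not set its own service account.
    if sa_can default '*' '*'; then
        echo "warning:default-sa-has-full-access"
    fi
}

# Usage: source this file, then run: diagnose_tiller
```

If the first line of output is `tiller-runs-as-default`, the deployment predates or ignored the `--service-account tiller` setting, which would explain why the tutorial's own binding did not help.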