Search code examples
kuberneteskubernetes-helmkubectl

Forbidden User Error on all Helm commands. How to give user access to Helm?

I can't run any helm command without an error saying my user is forbidden. My user is forbidden to the kube-system and the default namespace.

Running something like this: kubectl create serviceaccount --namespace kube-system tiller results in this error:

Error from server (Forbidden): serviceaccounts is forbidden: User "{my-user}" cannot create resource "serviceaccounts" in API group "" in the namespace "kube-system"

Running this: kubectl get serviceaccount [-n kube-system] results in this error:

Error from server (Forbidden): serviceaccounts "[-n" is forbidden: User "cn188854" cannot get resource "serviceaccounts" in API group "" in the namespace "default" Error from server (Forbidden): serviceaccounts "kube-system]" is forbidden: User "cn188854" cannot get resource "serviceaccounts" in API group "" in the namespace "default"

Running this: helm list results in this error:

Error: pods is forbidden: User "{my-user}" cannot list resource "pods" in API group "" in the namespace "kube-system"

I'm guessing my user doesn't have access to the kube-system namespace, but I wouldn't see why not and I don't know how to give myself access to that namespace. I've reviewed several other posts and questions (such as this one on stackoverflow and this one on github). But I can't attempt any of their solutions because I always get a forbidden user on the helm command.

I'd appreciate any help, and would really appreciate some explanations as to why my user wouldn't have access at all like this.

Solution

  • After a lot of research and asking around, I've discovered that my user literally doesn't have access to the default or the kube-system namespaces in the cluster. I have to specify the cluster in which I have access. Access depends on how the cluster you are using is set-up. (My group cluster was set-up this way for security.)

    So if anyone else is experiencing this problem, check what cluster you're using and what permissions you have. If you need to specify the namespace, like I do, you can add this argument to your command: -n={name-of-namespace-you're-using}

    For example, I can't run kubectl get pods because I don't have access to the default namespace. But if I specify a namespace I do have access to, like this: kubectl get pods -n={name-of-namespace}, then I'll be able to see my pods.

    Sometimes you might also need to specify the tiller, usually with by adding an argument like this: --tiller-namespace={name-of-tiller} Make sure to check the options for the commands on helm docs, or on the kubectl doc so you'll know what arguments to use.