
Getting Kubernetes manifest error when install using Helm command


When running helm install -f values.yaml xxx-xxx-Agent xxxx-repo/xxx-agent --namespace xxxxx-dev, I get the error below:

'''
Error: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource: secrets "azpsecretxxx" is forbidden: User "xxxxxxxxxxxx@xxxxx.com" cannot get resource "secrets" in API group "" in the namespace "xxxxxx-dev"
'''

PS: I have access to my namespace. I have googled various forums but am not able to understand it, so I landed here. I am new to AKS and Helm. Can anyone please share your insights? Thanks in advance.


Solution

  • The error is not related to Helm but to Kubernetes directly, and it is telling you that you do not have permission to manipulate secrets in the namespace you are in. What role do you have?

    For example, if you are not "root" in the cluster or the namespace, someone should grant you permission by creating a ClusterRole and assigning you to that role, for example:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      # "namespace" omitted since ClusterRoles are not namespaced
      name: secret-writer
    rules:
    - apiGroups: [""]
      #
      # at the HTTP level, the name of the resource for accessing Secret
      # objects is "secrets"
      resources: ["secrets"]
      verbs: ["get", "watch", "list", "update", "create", "delete"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    # This role binding grants YOUR_USER the secret-writer ClusterRole's permissions within YOUR_NAMESPACE only.
    kind: RoleBinding
    metadata:
      name: write-secrets
      namespace: YOUR_NAMESPACE
    subjects:
    - kind: User
      name: YOUR_USER # Name is case sensitive
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: ClusterRole
      name: secret-writer
      apiGroup: rbac.authorization.k8s.io
    

    Or just ask to be ClusterAdmin :D

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: aks-cluster-admins
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: YOUR_USER_NAME
    

    More details and examples here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

    By the way, if this is an AKS cluster, have you tried to use the --admin option? Like this:

    az aks get-credentials --resource-group resource_group --name cluster_name --admin
    

    If you have the Azure IAM rights, this will put you in the Admin mode automatically and it will give you full rights on the entire cluster.
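
A narrower alternative to the grants above, as an added example that is not part of the original answer: this sketch parses the RBAC denial from the Helm output and renders a namespaced Role and RoleBinding covering only the denied verb on the denied resource. The object name helm-denied-access and the sample identities are assumptions made up for illustration.

```python
import re

# Shape of the Kubernetes RBAC denial shown in the question's Helm output.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def parse_forbidden(message):
    """Return user, verb, resource, group and namespace from a denial, or None."""
    m = FORBIDDEN.search(message)
    return m.groupdict() if m else None

def minimal_rbac(denial, name="helm-denied-access"):
    """Render a namespaced Role and RoleBinding granting only the denied verb.
    `name` is a hypothetical object name; cluster-scoped denials are refused."""
    if denial["namespace"] is None:
        raise ValueError("cluster-scoped denial; review manually")
    return f"""apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {name}
  namespace: {denial['namespace']}
rules:
- apiGroups: ["{denial['group']}"]
  resources: ["{denial['resource']}"]
  verbs: ["{denial['verb']}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {name}
  namespace: {denial['namespace']}
subjects:
- kind: User
  name: "{denial['user']}"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: {name}
  apiGroup: rbac.authorization.k8s.io
"""

# Constructed sample: the question's error with placeholder identities.
SAMPLE = ('secrets "azpsecret" is forbidden: User "dev@example.com" cannot get '
          'resource "secrets" in API group "" in the namespace "team-dev"')

if __name__ == "__main__":
    print(minimal_rbac(parse_forbidden(SAMPLE)))
```

The rendered manifest grants a single verb, so a later step of the install may be denied in turn; each further verb can then be reviewed before it is added to the Role.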