cmattoon / aws-ssm

Populates Kubernetes Secrets from AWS Parameter Store
https://hub.docker.com/r/cmattoon/aws-ssm/
Apache License 2.0

Cannot list secrets at the cluster scope #6

Closed cmosetick closed 6 years ago

cmosetick commented 6 years ago

I could not get your helm install process to work, which looked like this:

make install
helm upgrade --install aws-ssm \
        --namespace aws-ssm \
        --set image.tag=latest \
        --set aws.region=us-east-2 \
        --set aws.access_key=<therealkey> \
        --set aws.secret_key=<therealsecretaccesskey> \
         aws-ssm
Error: UPGRADE FAILED: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"
make: *** [install] Error 1

So I created a deployment yaml file instead that places the aws-ssm pod in a namespace called aws-ssm. Here is the log output of that pod:

time="2018-09-04T22:48:02Z" level=info msg="Using config: &{us-east-2 %!s(int=30)   0.0.0.0:9999 aws}"
time="2018-09-04T22:48:02Z" level=info msg=Running...
time="2018-09-04T22:48:02Z" level=info msg="Connected to cluster at https://10.43.0.1:443"
time="2018-09-04T22:48:02Z" level=fatal msg="Error retrieving secrets: secrets is forbidden: User \"system:serviceaccount:aws-ssm:default\" cannot list secrets at the cluster scope"
cmosetick commented 6 years ago

Was able to get the helm install to work when I configured RBAC:

kubectl create serviceaccount --namespace kube-system tiller

kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller

kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
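The log in the first comment shows the aws-ssm pod running as the namespace's default service account, which has no cluster-scope access to secrets, and the second comment resolves the Tiller side by binding cluster-admin. As an added example that is not part of this issue or of the aws-ssm project, the manifest below gives the pod a dedicated service account with only the secret permissions a tool that reads and populates Secrets plausibly needs, instead of cluster-admin; the service account name `aws-ssm`, the namespace `aws-ssm`, and the verb list are assumptions, not values from the project.

```yaml
# Added example (not from the aws-ssm project): least-privilege RBAC for a
# controller that lists Secrets cluster-wide and writes their data.
# Assumed names: ServiceAccount "aws-ssm" in namespace "aws-ssm".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-ssm
  namespace: aws-ssm
---
# A ClusterRole is required because the error is "cannot list secrets at the
# cluster scope": a namespaced Role would not satisfy a cluster-wide list.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aws-ssm-secrets
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # Assumed verb set: read to find the Secrets, write to populate them.
    # No "delete" and no access to any other resource type.
    verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aws-ssm-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: aws-ssm-secrets
subjects:
  - kind: ServiceAccount
    name: aws-ssm
    namespace: aws-ssm
# The Deployment's pod template must then set
#   spec.template.spec.serviceAccountName: aws-ssm
# so the pod no longer runs as "system:serviceaccount:aws-ssm:default".
# Verify before deploying (expected "yes" / "no"):
#   kubectl auth can-i list secrets --all-namespaces \
#       --as=system:serviceaccount:aws-ssm:aws-ssm
#   kubectl auth can-i delete secrets --all-namespaces \
#       --as=system:serviceaccount:aws-ssm:aws-ssm
```

The same `kubectl auth can-i` check, run against `system:serviceaccount:kube-system:tiller`, shows why the cluster-admin binding in the second comment fixes the Helm error, and how much wider that grant is than the one above.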