Which rights are missing? Unable to continue with install: could not get information about the resou

Time:12-21

I am trying to install loki with helm

$ helm upgrade --install loki grafana/loki-stack

I got the following error msg:

Release "loki" does not exist. Installing it now.

Error: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource: podsecuritypolicies.policy "loki" is forbidden: User "secret user :)" cannot get resource "podsecuritypolicies" in API group "policy" at the cluster scope

$ helm list -all

NAME    NAMESPACE       REVISION        UPDATED STATUS  CHART   APP VERSION

I'm a simple user, but I can create deployments/pods manually via YAML files. I need to use helm charts.

CodePudding user response:

It seems that your user has insufficient privileges to create policies. You need to ask your cluster administrator for more privileges, unless you can assign them to this user yourself. I'm providing example YAML below to achieve that. First, create a ClusterRole with the proper privileges:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <role name>
rules:
- apiGroups: ['policy']
  resources: ['podsecuritypolicies']
  verbs:     ['get']

Then, you need to bind this ClusterRole to user(s):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <binding name>
roleRef:
  kind: ClusterRole
  name: <role name>
  apiGroup: rbac.authorization.k8s.io
subjects:
# Authorize all service accounts in a namespace (recommended):
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts:<authorized namespace>
# Authorize specific service accounts (not recommended):
- kind: ServiceAccount
  name: <authorized service account name>
  namespace: <authorized pod namespace>
# Authorize specific users (not recommended):
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: <authorized user name>

Go here for a more detailed explanation.
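
The following Python is an added example, not part of the original answer or of Helm or Kubernetes. It parses the API server denial quoted in the question and renders the narrowest Role or ClusterRole that grants exactly the denied verb, plus the `kubectl auth can-i` command to confirm the result. It also handles namespaced denials, which goes beyond the cluster-scoped case in the question. The role name `helm-preflight-read` and the user `example-user` are placeholders.

```python
import re

# Message format the Kubernetes API server uses for RBAC denials
# (the same shape as the Helm error quoted in the question).
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def parse_denial(message):
    """Return the denied request as a dict, or None if the text is not an RBAC denial."""
    m = FORBIDDEN.search(message)
    return m.groupdict() if m else None

def minimal_role(denial, name="helm-preflight-read"):  # name is a hypothetical placeholder
    """Render the narrowest role granting exactly the denied verb on the denied resource."""
    cluster = denial["namespace"] is None
    lines = [
        "apiVersion: rbac.authorization.k8s.io/v1",
        f"kind: {'ClusterRole' if cluster else 'Role'}",
        "metadata:",
        f"  name: {name}",
    ]
    if not cluster:
        lines.append(f"  namespace: {denial['namespace']}")
    lines += [
        "rules:",
        f"- apiGroups: ['{denial['group']}']",
        f"  resources: ['{denial['resource']}']",
        f"  verbs: ['{denial['verb']}']",
    ]
    return "\n".join(lines) + "\n"

def can_i_command(denial):
    """kubectl command an administrator can run to confirm the denial and, later, the fix."""
    target = denial["resource"] + ("." + denial["group"] if denial["group"] else "")
    cmd = ["kubectl", "auth", "can-i", denial["verb"], target, "--as", denial["user"]]
    if denial["namespace"]:
        cmd += ["-n", denial["namespace"]]
    return cmd

if __name__ == "__main__":
    # Constructed sample: the question's error with a placeholder user name.
    sample = ('podsecuritypolicies.policy "loki" is forbidden: User "example-user" cannot get '
              'resource "podsecuritypolicies" in API group "policy" at the cluster scope')
    d = parse_denial(sample)
    print(minimal_role(d))
    print(" ".join(can_i_command(d)))
```

Helm may report further denials for other verbs once this one is resolved; each new message can be run through the same parser rather than granting a wildcard up front.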
