When you attempt to run the helm list command after installing Helm on your Kubernetes cluster, you may encounter the following error:

    helm list
    Error: configmaps is forbidden: User "system:serviceaccount:kube-system:default" cannot list configmaps in the namespace "kube-system"

This error indicates that the service account in use (the default service account in kube-system, as named in the message) does not have the necessary permissions to list configmaps in the kube-system namespace. To resolve this issue, you need to create a service account for Tiller (the server-side component of Helm) and bind it to a cluster role that grants the required permissions.

Steps to Fix the Permission Error

  1. Create a Service Account for Tiller: Execute the following command to create a service account named tiller in the kube-system namespace:

    kubectl create serviceaccount --namespace kube-system tiller

  2. Bind the Service Account to a Cluster Role: Next, bind the tiller service account to the cluster-admin role, which provides full access to the cluster:

    kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller

  3. Patch the Tiller Deployment: Finally, update the Tiller deployment to use the newly created service account:

    kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'

  4. Reinitialize Helm: After completing the above steps, reinitialize Helm with the service account:

    helm init --service-account tiller --upgrade

Conclusion

After following these steps, you should be able to run helm list without encountering the permission error. This configuration ensures that Tiller has the necessary access to manage resources within the Kubernetes cluster.