Configuring Tiller Permissions for ServiceMonitor in Prometheus

When deploying a service using a Helm Chart, the installation may fail because the tiller service account lacks the permissions it needs. Specifically, this happens when Tiller is unable to create a ServiceMonitor resource, a Custom Resource Definition (CRD) that the Prometheus Operator uses to discover the Services whose Pods Prometheus should scrape for metrics.

Understanding the Context

  • ServiceMonitor: This CRD is defined by the Prometheus Operator and is essential for monitoring the metrics of applications running in Kubernetes.
  • Helm Tiller: In this setup Tiller operates within a single namespace (staging), so its permissions are managed through Role-Based Access Control (RBAC) using a namespaced Role and RoleBinding rather than cluster-wide bindings.

Verifying Tiller's Permissions

To check the permissions assigned to the tiller service account, use the kubectl command with the auth can-i subcommand, impersonating the service account with --as. For example, to verify whether Tiller can list deployments:

kubectl auth can-i list deployments --as=system:serviceaccount:staging:tiller

If the command returns no, Tiller lacks that permission in the namespace being checked.

Granting Permissions to Tiller

To enable the tiller service account to create a ServiceMonitor, you will need to modify the RBAC settings. Here’s how you can do that:

  1. Create a Role that grants the necessary permissions for the ServiceMonitor resource:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: staging
  name: tiller-role
rules:
- apiGroups: ["monitoring.coreos.com"]  # The API group for ServiceMonitor
  resources: ["servicemonitors"]
  verbs: ["create", "get", "list", "watch"]

  2. Bind the Role to the tiller service account:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-role-binding
  namespace: staging
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: staging
roleRef:
  kind: Role
  name: tiller-role
  apiGroup: rbac.authorization.k8s.io

After applying these configurations, you can re-run the permission check:

kubectl auth can-i create servicemonitor --as=system:serviceaccount:staging:tiller -n staging

If successful, this command should return yes, confirming that Tiller can now create ServiceMonitor resources.
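To see why each field of the Role rule matters, here is a small added example (not part of the original article and not kubectl's own code) that models how a namespaced Role's rules are matched against a request, using the tiller-role above: the apiGroup must be monitoring.coreos.com (not the core group), the Role only applies in its own namespace, and any verb not listed is denied. The list of verbs a later helm upgrade or delete would need is an assumption noted in the code; the authoritative check remains kubectl auth can-i.

```python
# Constructed model of Role rule matching; not a replacement for kubectl auth can-i.
TILLER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"namespace": "staging", "name": "tiller-role"},
    "rules": [
        {
            "apiGroups": ["monitoring.coreos.com"],
            "resources": ["servicemonitors"],
            "verbs": ["create", "get", "list", "watch"],
        }
    ],
}


def _matches(allowed, wanted):
    """A rule field matches if it lists the value or the wildcard '*'."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """All three fields of one rule must match for that rule to grant access."""
    return (
        _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
        and _matches(rule.get("verbs", []), verb)
    )


def can_i(role, verb, resource, api_group="", namespace=None):
    """Mirror of `kubectl auth can-i VERB RESOURCE.GROUP -n NS` for one Role.
    A Role is confined to its own namespace; RBAC is additive, so one
    matching rule is enough to allow the request."""
    if namespace is not None and namespace != role["metadata"]["namespace"]:
        return False
    return any(rule_allows(r, api_group, resource, verb) for r in role["rules"])


def missing_verbs(role, resource, api_group, needed):
    """Verbs from `needed` that the Role does not grant on the resource."""
    return [v for v in needed if not can_i(role, v, resource, api_group)]


if __name__ == "__main__":
    # Assumption: upgrading or deleting a release later also needs these verbs.
    needed = ["create", "get", "list", "watch", "update", "patch", "delete"]
    print("missing:", missing_verbs(TILLER_ROLE, "servicemonitors",
                                    "monitoring.coreos.com", needed))
```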

Conclusion

By following the steps outlined above, you can effectively manage the permissions of the Tiller service account, enabling it to create ServiceMonitor resources and ensuring that your Prometheus setup can collect metrics from your applications seamlessly.