kunernets使用helm安装tiller的问题总结

《使用kubeadm安装Kubernetes 1.15》原文

Helm的安装

Helm由客户端命helm令行工具和服务端tiller组成，Helm的安装十分简单。下载helm命令行工具到master节点node1的/usr/local/bin下，这里下载的2.14.1版本：

curl -O https://get.helm.sh/helm-v2.14.1-linux-amd64.tar.gz
tar -zxvf helm-v2.14.1-linux-amd64.tar.gz
cd linux-amd64/
cp helm /usr/local/bin/

为了安装服务端tiller，还需要在这台机器上配置好kubectl工具和kubeconfig文件，确保kubectl工具可以在这台机器上访问apiserver且正常使用。这里的node1节点已经配置好了kubectl。

因为Kubernetes APIServer开启了RBAC访问控制，所以需要创建tiller使用的service account: tiller并分配合适的角色给它。详细内容可以查看helm文档中的Role-based Access Control。这里简单起见直接分配cluster-admin这个集群内置的ClusterRole给它。创建 helm-rbac.yaml 文件：

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

执行：

kubectl create -f helm-rbac.yaml
serviceaccount/tiller created
clusterrolebinding.rbac.authorization.k8s.io/tiller created

接下来使用helm部署tiller:

helm init --service-account tiller --skip-refresh
Creating /root/.helm
Creating /root/.helm/repository
Creating /root/.helm/repository/cache
Creating /root/.helm/repository/local
Creating /root/.helm/plugins
Creating /root/.helm/starters
Creating /root/.helm/cache/archive
Creating /root/.helm/repository/repositories.yaml
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com
Adding local repo with URL: http://127.0.0.1:8879/charts
$HELM_HOME has been configured at /root/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Happy Helming!

问题1：not find the requested resource

# helm init --service-account tiller --skip-refresh

扫描二维码关注公众号，回复： 16069366 查看本文章

报错：

Error: error installing: the server could not find the requested resource

----服务器无法找到请求的资源

查找了一系列文章最终找到《Kubernetes指南》解决：

对于 Kubernetes v1.16.0 以上的版本，有可能会碰到 Error: error installing: the server could not find the requested resource 的错误。这是由于 extensions/v1beta1 已经被 apps/v1 替代，解决方法是：

kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
helm init --service-account tiller --override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' --output yaml | sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' | kubectl apply -f -

更新 charts 列表：

helm repo update

结果OK：

问题2：pod STATUS：ImagePullBackOff

查看状态发现 STATUS：ImagePullBackOff

# tiller默认被部署在k8s集群中的 kube-system 这个namespace下
# kubectl get pods -n kube-system

查看pod的事件

# kubectl describe pod tiller-deploy-cf88b7d9-zlb7s -n kube-system

Events:
  Type     Reason     Age                  From               Message
  ----     ------     ----                 ----               -------
  Normal   Scheduled  11m                  default-scheduler  Successfully assigned kube-system/tiller-deploy-cf88b7d9-zlbe2
  Normal   Pulling    8m44s (x4 over 11m)  kubelet, node2     Pulling image "gcr.io/kubernetes-helm/tiller:v2.14.1"
  Warning  Failed     8m29s (x4 over 10m)  kubelet, node2     Failed to pull image "gcr.io/kubernetes-helm/tiller:v2.14.1"or: code = Unknown desc = Error response from daemon: Get https://gcr.io/v2/: net/http: request canceled while waiting foron (Client.Timeout exceeded while awaiting headers)
  Warning  Failed     8m29s (x4 over 10m)  kubelet, node2     Error: ErrImagePull
  Normal   BackOff    8m15s (x6 over 10m)  kubelet, node2     Back-off pulling image "gcr.io/kubernetes-helm/tiller:v2.14.
  Warning  Failed     54s (x35 over 10m)   kubelet, node2     Error: ImagePullBackOff

显然是获取 gcr.io/kubernetes-helm/tiller:v2.14 镜像失败。

需要手动拉取镜像

1、查看可用镜像

[root@node1 linux-amd64]# docker search tiller
NAME                                    DESCRIPTION                                     STARS               OFFICIAL            AUTOMATED
jessestuart/tiller                      Nightly multi-architecture (amd64, arm64, ar…   19                                      [OK]
sapcc/tiller                            Mirror of https://gcr.io/kubernetes-helm/til…   9                                       
ist0ne/tiller                           https://gcr.io/kubernetes-helm/tiller           3                                       [OK]
rancher/tiller                                                                          2                                       
jmgao1983/tiller                        from gcr.io/kubernetes-helm/tiller              2                                       [OK]
ibmcom/tiller                           Docker Image for IBM Cloud private-CE (Commu…   1                                       
luxas/tiller                                                                            1                                       
itinerisltd/tiller                      [Deprecated] Use https://circleci.com/orbs/r…   1                                       
ansibleplaybookbundle/tiller-apb        An APB that deploys tiller for use with helm.   1                                       [OK]
cfplatformeng/tiller-ubuntu                                                             0

我选取的：sapcc/tiller Mirror of https://gcr.io/kubernetes-helm/til…

2、去dockerhub上确认下

3、下载镜像：

docker pull sapcc/tiller:v2.16.3

查看本地镜像

[root@node1 linux-amd64]# docker images
REPOSITORY                                                        TAG                 IMAGE ID            CREATED             SIZE
sapcc/tiller                                                      v2.16.3             6a79bebf87f5        7 days ago          91.2MB
...

4、编辑下配置文件

# kubectl edit deployment tiller-deploy -n kube-system

... 
 template:
    metadata:
      creationTimestamp: null
      labels:
        app: helm
        name: tiller
    spec:
      automountServiceAccountToken: true
      containers:
      - env:
        - name: TILLER_NAMESPACE
          value: kube-system
        - name: TILLER_HISTORY_MAX
          value: "0"
        # image：改成手动下载的镜像的 NAME：TAG
        image: sapcc/tiller:v2.16.3
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /liveness
            port: 44135
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: tiller
...

另一种方法是

找到镜像拉取策略做以下修改：
imagePullPolicy: Never
IfNotPresent ：如果本地存在镜像就优先使用本地镜像。
Never：直接不再去拉取镜像了，使用本地的；如果本地不存在就报异常了

5、然后更新 charts 列表

helm repo update

7、查看pod状态，Running ！

[root@node1 linux-amd64]# kubectl get pod -n kube-system -l app=helm
NAME                             READY   STATUS    RESTARTS   AGE
tiller-deploy-655f8745d9-zgkwc   1/1     Running   0          98m

参考：

https://blog.frognew.com/2019/07/kubeadm-install-kubernetes-1.15.html#31-helm%E7%9A%84%E5%AE%89%E8%A3%85

https://feisky.gitbooks.io/kubernetes/content/apps/helm.html

https://www.jianshu.com/p/d0cdbb49569b