Error installing loghouse to GKE #28

Closed
alexclear opened this issue Nov 23, 2017 · 6 comments

@alexclear

I'm trying to install loghouse to a Google Cloud-based Kubernetes cluster (node pool version is 1.8.3-gke.0).
I'm getting the following error:

➜  cm-scripts git:(master) ✗ helm install -n loghouse loghouse
Error: release loghouse failed: clusterroles.rbac.authorization.k8s.io "fluentd" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["watch"]} PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]}] user=&{system:serviceaccount:kube-system:default 3d69e5b6-d03a-11e7-9bc4-42010af00233 [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/api" "/api/*" "/apis" "/apis/*" "/healthz" "/swagger-2.0.0.pb-v1" "/swagger.json" "/swaggerapi" "/swaggerapi/*" "/version"], Verbs:["get"]}] ruleResolutionErrors=[]
➜  cm-scripts git:(master) ✗
@yurchenkosv
Contributor

yurchenkosv commented Nov 24, 2017

You'll need to switch on RBAC authorization in your cluster

@alexclear
Author

@yurchenkosv Kubernetes 1.8.0+ has RBAC enabled by default on GKE (and is RBAC-only), so the problem is a bit different.
My account does not have enough permissions, but I'm not sure what exact permission I need.

@yurchenkosv
Contributor

@alexclear In this repository there are the respective roles and they're probably enough for starting loghouse.
It seems that your tiller could not create some objects in the cluster, or the default service account doesn't have enough permissions. You'll need to check that your serviceaccount is in the cluster-admin role binding and that the SA tiller is using is in this binding too.

@alexclear
Author

Okay, it looks like I found a relevant comment in the Helm issue tracker: helm/helm#3130 (comment)
So, tiller has to be given extra rights. Will check right now, expect a progress report today.

@alexclear
Author

Okay, finally:

➜  cm-scripts git:(master) ✗ helm reset
Tiller (the Helm server-side component) has been uninstalled from your Kubernetes Cluster.
➜  cm-scripts git:(master) ✗ kubectl delete -f ./rbac-tiller.yml
serviceaccount "tiller" deleted
clusterrolebinding "tiller-clusterrolebinding" deleted
➜  cm-scripts git:(master) ✗ kubectl create -f ./rbac-tiller.yml
serviceaccount "tiller" created
clusterrolebinding "tiller-clusterrolebinding" created
➜  cm-scripts git:(master) ✗ helm init --service-account tiller
$HELM_HOME has been configured at /Users/chistyakov/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.
Happy Helming!
➜  cm-scripts git:(master) ✗ helm install -n loghouse loghouse

So, I had to point helm to a pre-created service account when installing it.

@alexclear
Author

And my rbac-tiller.yml is:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: tiller-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: ""
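
The "attempt to grant extra privileges" error in the first post comes from the RBAC escalation check: an identity may only create a role whose rules it already holds. The following is an added example, not part of the thread or of loghouse or Helm: a small parser that pulls the denied identity, the object being created and the missing rules out of such a message. The function names are hypothetical, the regexes assume the message layout shown in the first post, and the sample is a constructed, shortened copy of that message with a placeholder UID.

```python
import re
from collections import defaultdict

# Constructed sample: shortened copy of the error format from the first post
# (placeholder UID, fewer rules).
SAMPLE_ERROR = (
    'Error: release loghouse failed: clusterroles.rbac.authorization.k8s.io "fluentd" '
    'is forbidden: attempt to grant extra privileges: '
    '[PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} '
    'PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["get"]} '
    'PolicyRule{Resources:["pods"], APIGroups:[""], Verbs:["list"]}] '
    'user=&{system:serviceaccount:kube-system:default 00000000-0000-0000-0000-000000000000 '
    '[system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} '
    'ownerrules=[PolicyRule{Resources:["selfsubjectaccessreviews"], '
    'APIGroups:["authorization.k8s.io"], Verbs:["create"]}] ruleResolutionErrors=[]'
)

MARKER = "attempt to grant extra privileges: "
RULE_RE = re.compile(
    r'PolicyRule\{Resources:\[(?P<res>[^\]]*)\], '
    r'APIGroups:\[(?P<grp>[^\]]*)\], Verbs:\[(?P<verbs>[^\]]*)\]\}'
)

def _items(raw):
    """Split the inside of a Go-style ["a" "b"] list into its quoted strings."""
    return re.findall(r'"([^"]*)"', raw)

def parse_escalation_error(msg):
    """Return (identity, (kind, name), missing) for an RBAC escalation error."""
    head, sep, tail = msg.partition(MARKER)
    if not sep:
        raise ValueError("not an RBAC escalation error")
    # Rules before ' user=&{' are the denied ones; 'ownerrules' after it
    # lists what the identity already holds and must not be mixed in.
    denied, _, rest = tail.partition(" user=&{")
    identity = rest.split(" ", 1)[0]
    obj = re.search(r'(\S+) "([^"]+)" is forbidden', head)
    target = (obj.group(1), obj.group(2)) if obj else None
    missing = defaultdict(set)
    for m in RULE_RE.finditer(denied):
        for grp in _items(m["grp"]):
            for res in _items(m["res"]):
                missing[(grp, res)].update(_items(m["verbs"]))
    return identity, target, {k: sorted(v) for k, v in missing.items()}

if __name__ == "__main__":
    who, target, missing = parse_escalation_error(SAMPLE_ERROR)
    print(f"{who} was denied creating {target[0]} {target[1]!r}; it lacks:")
    for (grp, res), verbs in sorted(missing.items()):
        print(f"  apiGroup={grp or 'core'} resource={res} verbs={','.join(verbs)}")
```

On the message from the first post, the identity field is `system:serviceaccount:kube-system:default`, which is how the thread arrives at Tiller's service account as the thing to change.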
