KilyenOrs

Reputation: 1496

ClusterRole exists and cannot be imported into the current release?

I am trying to install the same chart two times in the same cluster in two different namespaces. However I am getting this error:

Error: rendered manifests contain a resource that already exists. Unable to continue with install: ClusterRole "nfs-provisioner" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "namespace2": current value is "namespace1"

As I understood it, cluster roles are supposed to be independent of the namespace, so I found this contradictory. We are using Helm 3.

Upvotes: 7

Views: 11127

Answers (2)

matt_j

Reputation: 4614

I decided to provide a Community Wiki answer that may help other people facing a similar issue.
I assume you want to install the same chart multiple times but get the following error:

Error: rendered manifests contain a resource that already exists. Unable to continue with install: ClusterRole "<CLUSTERROLE_NAME>" in namespace "" exists and cannot be imported into the current release: ...


First, it's important to decide if we really need ClusterRole instead of Role. As we can find in the Role and ClusterRole documentation:

If you want to define a role within a namespace, use a Role; if you want to define a role cluster-wide, use a ClusterRole.

Second, we can use the variable name for ClusterRole instead of hard-coding the name in the template:

For example, instead of:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: clusterrole-1
...

Try to use something like:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.clusterrole.name }}
...

Third, we can use the lookup function and the if control structure to skip creating resources if they already exist.

Take a look at a simple example:

$ cat clusterrole-demo/values.yaml
clusterrole:
  name: clusterrole-1

$ cat clusterrole-demo/templates/clusterrole.yaml
{{- if not (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" .Values.clusterrole.name) }}

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.clusterrole.name }}
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
{{- end }}

In the example above, if ClusterRole clusterrole-1 already exists, it won’t be created.

Upvotes: 8
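
The error in the question is Helm 3 refusing to adopt a cluster-scoped object whose ownership metadata names another release. The following is an added example, not part of either answer and not Helm's own code: a Python pre-install check that mirrors that ownership rule over existing ClusterRoles, so a name collision shows up before `helm install`. The release name `nfs`, the role `hand-made-role` and the function names are assumptions made for the example.

```python
import json

MANAGED_BY = "app.kubernetes.io/managed-by"
REL_NAME = "meta.helm.sh/release-name"
REL_NS = "meta.helm.sh/release-namespace"

def ownership_errors(obj, release_name, release_namespace):
    """Reasons `obj` cannot be adopted by the release; empty list means adoptable."""
    meta = obj.get("metadata", {})
    checks = [
        ("label", meta.get("labels") or {}, MANAGED_BY, "Helm"),
        ("annotation", meta.get("annotations") or {}, REL_NAME, release_name),
        ("annotation", meta.get("annotations") or {}, REL_NS, release_namespace),
    ]
    errors = []
    # Mismatch text follows the error quoted in the question; missing-key wording is constructed.
    for kind, have_map, key, want in checks:
        have = have_map.get(key)
        if have is None:
            errors.append(f'{kind} validation error: missing key "{key}": must be set to "{want}"')
        elif have != want:
            errors.append(f'{kind} validation error: key "{key}" must equal "{want}": current value is "{have}"')
    return errors

def collisions(existing, planned_names, release_name, release_namespace):
    """Map each planned cluster-scoped name that already exists to its ownership errors."""
    by_name = {o["metadata"]["name"]: o for o in existing}
    report = {}
    for name in planned_names:
        if name in by_name:
            errs = ownership_errors(by_name[name], release_name, release_namespace)
            if errs:
                report[name] = errs
    return report

# Constructed sample shaped like `kubectl get clusterrole -o json`; release name "nfs" is assumed.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "nfs-provisioner", "labels": {"app.kubernetes.io/managed-by": "Helm"},
                "annotations": {"meta.helm.sh/release-name": "nfs",
                                "meta.helm.sh/release-namespace": "namespace1"}}},
  {"metadata": {"name": "hand-made-role"}}
]}
""")

if __name__ == "__main__":
    planned = ["nfs-provisioner", "hand-made-role"]
    for name, errs in collisions(SAMPLE["items"], planned, "nfs", "namespace2").items():
        print(name, *errs, sep="\n  ")
```

A non-empty report means the chart needs a release-specific name for that object, or the object should be managed outside the chart.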

Daein Park

Reputation: 4693

ClusterRole sets permissions across your Kubernetes cluster, not for a particular namespace. I think you are confusing it with Role. You can find further information on the differences between ClusterRole and Role here: Role and ClusterRole.

A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.

ClusterRole, by contrast, is a non-namespaced resource. The resources have different names (Role and ClusterRole) because a Kubernetes object always has to be either namespaced or not namespaced; it can't be both.

Upvotes: 1
