I'm trying to follow TILLER AND ROLE-BASED ACCESS CONTROL, yet I'm running into install failures at the end and can't figure out what I missed:

$ kubectl create namespace tiller-world
namespace/tiller-world created
$ kubectl create serviceaccount tiller --namespace tiller-world
serviceaccount/tiller created
$ kubectl create -f role-tiller.yaml
role.rbac.authorization.k8s.io/tiller-manager created
$ kubectl create -f rolebinding-tiller.yaml
rolebinding.rbac.authorization.k8s.io/tiller-binding created
$ helm init --service-account tiller --tiller-namespace tiller-world
$HELM_HOME has been configured at /home/toor/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy.
To prevent this, run `helm init` with the --tiller-tls-verify flag.
For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation
Happy Helming!
$ 
$ helm version
Client: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.12.1", GitCommit:"02a47c7249b1fc6d8fd3b94e6b4babf9d818144e", GitTreeState:"clean"}
$ 
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "elastic" chart repository
...Successfully got an update from the "incubator" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈ 
$ 
$ helm install nginx --tiller-namespace tiller-world --namespace tiller-world
Error: failed to download "nginx" (hint: running `helm repo update` may help)
$ 

I also tried to install elasticsearch, but got a different error:

$ helm install --name elasticsearch --namespace=tiller-world elastic/elasticsearch --version 7.2.0
Error: release elasticsearch failed: namespaces "tiller-world" is forbidden: User "system:serviceaccount:kube-system:default" cannot get resource "namespaces" in API group "" in the namespace "tiller-world"
$ 

Please advise.


@asktyagi

$ helm search nginx
NAME                        CHART VERSION   APP VERSION DESCRIPTION                                                 
stable/nginx-ingress        1.8.1           0.24.1      An nginx Ingress controller that uses ConfigMap to store ...
stable/nginx-ldapauth-proxy 0.1.2           1.13.5      nginx proxy with ldapauth                                   
stable/nginx-lego           0.3.1                       Chart for nginx-ingress-controller and kube-lego            
stable/gcloud-endpoints     0.1.2           1           DEPRECATED Develop, deploy, protect and monitor your APIs...
$ 
$ helm install stable/nginx-ingress --tiller-namespace tiller-world --namespace tiller-world
Error: release edgy-anaconda failed: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
$ 

role-tiller.yaml:

$ cat role-tiller.yaml 
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: tiller-world
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
$ 

rolebinding-tiller.yaml:

$ cat rolebinding-tiller.yaml 
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: tiller-world
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller-world
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
$ 

helm-user.yaml:

$ cat helm-user.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helm
  namespace: helm-world
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-user
  namespace: tiller-world
rules:
- apiGroups:
  - ""
  resources:
  - pods/portforward
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-user-binding
  namespace: tiller-world
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-user
subjects:
- kind: ServiceAccount
  name: helm
  namespace: helm-world
$ 

@Yahir Hernández

$ cat rbac-config.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
$ kubectl create -f rbac-config.yaml 
serviceaccount/tiller created
clusterrolebinding.rbac.authorization.k8s.io/tiller created
$ 
$ helm install stable/nginx-ingress --tiller-namespace tiller-world --namespace kube-system
Error: release wintering-chinchilla failed: namespaces "kube-system" is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot get resource "namespaces" in API group "" in the namespace "kube-system"
$ 
$ helm install stable/nginx-ingress --namespace kube-system
Error: no available release name found
$ 
alexus

1 Answer

The first Nginx download error seems to be related to "nginx" not being available in the stable channel:

$ helm repo list|grep stable

For your case in particular, it seems that it should start with "stable/nginx...", matching the helm search nginx results.

The second attempt fails because you have created Roles instead of Cluster Roles and the chart resources might need authorization at cluster level rather than namespace level.

From the documentation:

A role can be defined within a namespace with a Role, or cluster-wide with a ClusterRole.

You can use a ClusterRole instead to deploy charts that need cluster-wide permissions.

yyyyahir
  • I updated my question, please review. I tried to use ClusterRole – alexus Jul 11 '19 at 03:52
  • You created the tiller service account with the admin **ClusterRole** in the kube-system namespace. However, you're installing `stable/nginx-ingress` with the service account in the *tiller-world* namespace. Try changing it for `helm install stable/nginx-ingress --tiller-namespace kube-system --namespace kube-system`. And before that, remember to *init* Helm with the correct SA: `helm init --service-account tiller`. – yyyyahir Jul 11 '19 at 10:01
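
The three `forbidden` messages in the question each name the service account that was denied, the verb, the resource and the scope, which is enough to tell the failures apart. The following is an added example, not part of the original posts or of Helm: it parses those messages, classifies each against the Role and RoleBinding shown in the question, and builds the matching `kubectl auth can-i` check. The function names and classification labels are assumptions made for illustration.

```python
import re

# Denial messages copied verbatim from the question on this page.
ERRORS = [
    'Error: release elasticsearch failed: namespaces "tiller-world" is forbidden: User "system:serviceaccount:kube-system:default" cannot get resource "namespaces" in API group "" in the namespace "tiller-world"',
    'Error: release edgy-anaconda failed: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot create resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope',
    'Error: release wintering-chinchilla failed: namespaces "kube-system" is forbidden: User "system:serviceaccount:tiller-world:tiller" cannot get resource "namespaces" in API group "" in the namespace "kube-system"',
]

# From rolebinding-tiller.yaml in the question: the Role tiller-manager is bound
# to this service account and only has effect inside this namespace.
BOUND_SA = ("tiller-world", "tiller")
ROLE_NAMESPACE = "tiller-world"

DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\S+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<ns>[^"]+)"|at the cluster scope)'
)

def parse_denial(line):
    """Return the fields of an RBAC 'forbidden' message, or None if it is not one."""
    m = DENIAL.search(line)
    return m.groupdict() if m else None

def can_i(d):
    """Build the kubectl auth can-i command that re-tests the denied request."""
    resource = d["resource"] + ("." + d["group"] if d["group"] else "")
    cmd = f'kubectl auth can-i {d["verb"]} {resource} --as=system:serviceaccount:{d["sa_ns"]}:{d["sa"]}'
    return cmd + (f' -n {d["ns"]}' if d["ns"] else "")

def diagnose(d):
    """Classify why the namespaced Role from the question does not cover the request."""
    if (d["sa_ns"], d["sa"]) != BOUND_SA:
        return "wrong-identity"   # handled by a Tiller running as another service account
    if d["ns"] is None:
        return "cluster-scope"    # a Role cannot grant cluster-scoped access
    if d["ns"] != ROLE_NAMESPACE:
        return "other-namespace"  # the Role has no effect outside its own namespace
    return "rule-missing"         # right identity and namespace; rules lack the verb/resource

if __name__ == "__main__":
    for line in ERRORS:
        d = parse_denial(line)
        print(diagnose(d), "->", can_i(d))
```

Running each printed `kubectl auth can-i` command before and after an RBAC change shows whether the change actually granted the denied request to the identity Tiller runs as.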