Installing JupyterHub with Helm 3 - Kubernetes Cluster Roles

Hello everyone!

I have been trying to install JupyterHub on a custom Kubernetes cluster in a specific namespace. We are using Helm 3 as all the rest of our packages are installed with it. However, we are getting this error when installing:

$ helm install jupyterhub --namespace adri-jupyter -f ../../config_final.yaml . -v 10

...
Error: rendered manifests contain a resource that already exists. Unable to continue with install: could not get information about the resource: clusterroles.rbac.authorization.k8s.io "jupyterhub-user-scheduler-complementary" is forbidden: User "u-qgt8f" cannot get resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "p-s6jxq-namespaces-edit" not found

I guess it has something to do with the roles that are assigned to me as an owner of the namespace, since I get a similar error when running $ kubectl get clusterrole --namespace adri-jupyter

Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "u-qgt8f" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "p-s6jxq-namespaces-edit" not found

We are dealing with some configurations issues regarding user’s roles as we do not want full control of the kubernetes cluster for users that are allowed to be a specific namespace’s owners. This way, we are trying to figure out which roles are required to install the JupyterHub on Kubernetes.

My main concerns are:

  • How do we solve this issue?
  • What RBAC roles does a user need in order to install JupyterHub?

Thanks everyone!

You can see all the Kubernetes manifest templates here:

I think the only ClusterRole is in the user scheduler:


This is optional, and only useful if you have an autoscaling cluster. You can disable it by setting scheduling.userScheduler.enabled=false:
https://zero-to-jupyterhub.readthedocs.io/en/latest/administrator/optimization.html

Hi @manics thanks for the answer!

So then, If I were a user of a Kubernetes cluster who has been asigned ownership of a namespace, and I would like to install jupyterhub, how does the manager of the cluster create me that role? I mean, does he need any kind of yaml (like the one you posted) to be executed or is there any kubectl command for this ??

Thank you and BR!

That ClusterRole is only useful if your cluster supports autoscaling. Since you’re on a shared cluster it’s probably safest to disable it unless you understand exactly how the userScheduler behaves.

If you do want to go ahead anyway you’d have to modify the Helm Chart to use an existing ClusterRole that you’ve created manually. In general Helm assumes it has full control over all resources in its templates.

Thanks for the feedback.

As of now we will disable the user-scheduler, later on we will probaly enable it, when we have full control of the cluster.

Cheers

1 Like