No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hmmm, interesting. Let me take a look at the chart.

Looking at the stable datadog template, it doesn't seem to reference `.Release.Namespace` anywhere. What's the precise command you're using to install the chart?

helm install --name datadog stable/datadog --tiller-namespace=kube-tools --namespace=kube-tools -f override.yaml

I have used a datadog namespace too w/o issue. I can update the chart with that key

Possible that we have (super/god) tiller in that namespace and this is tillerless

don't waste anymore time on it, I will mess with the chart.

<@UC75N2B9R> I can take a look at this, what is the helm chart version?

I think I got it, just running into an RBAC perms deal i GKE

<@UC75N2B9R> Oh I think I know what’s happening. What we’re doing is equivalent to `helm template`, rather than `helm install`. So if you’re expecting Tiller to do something :sparkles: magic :sparkles: then it won’t get done.

I will be curious to see if you have feedback about how we should be presenting this to users…

will do. I was using helm with a `god` tiller so it could create the roles and rolebindings. that is the part I am working through now using tillerless.

You probably will have to do that work anyway, because they’re getting rid of Tiller :slightly_smiling_face:

Since I was using tiller that had a cluster admin role, I had not granted those perms to my GKE user

```
kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin --user [USER_ACCOUNT]
```

You must grant your user the ability to create roles in Kubernetes by running the following command. [USER_ACCOUNT] is the user's email address:

how did you figure this out <@UC75N2B9R>? Maybe we can bake it into the status messages. :slightly_smiling_face:

I was under the assumption it was running as my account since tiller was out of the picture. Then <@UCFDP1LUR> mentioned about my email address for GKE and roles

I will try this out tomorrow on EKS, as that we are using SAML and mapping to groups/roles in k8s

that whole stack GKE auth stack is super confusing and secretly my mission is to make all auth errors from it, trivially debuggable.

I am new to GKE, so those small auth differences and I was testing on home/lab stuff.

Yeah, for our GKE library we have to generate a kubeconfig file that is compliant with their undocumented auth spec, and it was a total nightmare.

Very unpleasant, as there is no real way to debug it, except to read code and guess.

exactly, I was googling the error, but it wasn't much help