Helm upgrade Error- Creating Service Account through helm

Question

Helm upgrade Error- Creating Service Account through helm

Vatika Saxena 0

Starting: Helm upgrade selfhelp-identity-server ============================================================================== Task : Package and deploy Helm charts Description : Deploy, configure, update a Kubernetes cluster in Azure Container Service by running helm commands Version : 0.259.2 Author : Microsoft Corporation Help : https://aka.ms/azpipes-helm-tsg ============================================================================== /opt/hostedtoolcache/helm/3.9.0/x64/linux-amd64/helm upgrade --namespace vsc-prod --install --values /home/vsts/work/1/Values/selfhelp-identity-server-values.yaml --version v13165 --skip-crds selfhelp-identity-server /home/vsts/work/1/a/selfhelp-identity-server-v13165.tgz Release "selfhelp-identity-server" does not exist. Installing it now. Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: failed to check CRD: failed to list CRDs: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:vsc-prod:***" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope ##[error]Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: failed to check CRD: failed to list CRDs: customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:vsc-prod:***" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope Finishing: Helm upgrade selfhelp-identity-server

1 answer

Your answer

Answer 1

Akram Kathimi 1,751 Microsoft Employee

Hi @Vatika Saxena

Thank you for posting this.

The error is related to Kubernetes Role-Based Access Control (RBAC). The service account used to create the CRDs in the helm chart does not have the needed permission.

To resolve the issue, create a ClusterRoleBinding to a custom ClusterRole or a built in role with the permission to create CRDs.

I strongly recommend reading the official Kubernetes Authorization document to understand how it works.

You can test if a service account has the required permission using:

kubectl auth can-i get customresourcedefinitions.apiextensions.k8s.io --as=system:serviceaccount:vsc-prod:<>

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Vatika Saxena 0 Reputation points

2025-07-24T09:34:14.2+00:00
Hey there!
in my values.yaml file it is written that service account will created like this

serviceAccount: # Specifies whether a service account should be created create: true # Annotations to add to the service account annotations: {} # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: ""

It should be created when the pipeline ran
But the error indicates that it is using diffrerent firstly i dotn understand which account it is using.
How to give permission than.
Akram Kathimi 1,751 Reputation points Microsoft Employee

2025-07-24T09:40:59.2433333+00:00

This is the service account created when you run helm deployment. The pipeline is using a service account to deploy. You need to check the second one.
Vatika Saxena 0 Reputation points

2025-07-24T09:44:07.29+00:00

I am deploying it through helm pipeline.
I dont understand second one as i am stuck from many days
i can also s hare you the yaml files if you want to look.
Akram Kathimi 1,751 Reputation points Microsoft Employee

2025-07-24T09:50:05.86+00:00

The issue is not with the helm chart. The pipeline agent needs to be authenticated with the cluster to perform any kubectl command. That identity is what you should be focusing on. The pipeline agent permissions on the AKS cluster.
Vatika Saxena 0 Reputation points

2025-07-24T10:04:37.8733333+00:00

I made service connection for that to connect with the cluster and respective namespaces from the Portal
Vatika Saxena 0 Reputation points

2025-07-24T12:45:03.5633333+00:00

I made service connection for that to connect with the cluster and respective namespaces from the Portal
We are running other 2 more pipeline it is working fine on same cluster and same service connection
Ankit Yadav 5 Reputation points Microsoft External Staff Moderator

2025-08-04T18:06:59+00:00
Hello Vatika Saxena,

Could you please answer our below queries so that we can investigate further on it.

Did you create a specific service account for the pipeline, or is it using the default for the namespace?

Can you check what permissions are currently assigned to that ServiceAccount?”)

Was the service account referenced in the values.yaml (for the Helm release) intended to be the same as the one used in the pipeline’s service connection, or are they separate?

Is there any RBAC policy or security hardening on the cluster that restricts access to cluster-scoped resources, even for CI/CD pipelines?

Is the Helm release configured to explicitly use a custom ServiceAccount (via serviceAccount.name), or is it relying on the default account?

Are other pipelines using similar pipelines/service connections, and if so, what RBAC configuration do they use to successfully install CRDs?
VATIKA SAXENA 20 Reputation points

2025-08-05T09:31:29.3633333+00:00

Hello Ankit,

I didn't create any service account manually.

But there is one Service Account with name azdev- like this

Service Account creating through helm is written in the values.yaml

I have give the CRD Permission to that default service account and now the pipeline is working fine for me.

Thanks.

Share via

Helm upgrade Error- Creating Service Account through helm

1 answer

Your answer