Helm is a package manager for Kubernetes that allows developers and operators to more easily configure and deploy applications on Kubernetes clusters.
In this tutorial we will set up Helm and use it to install, reconfigure, rollback, then delete an instance of the Kubernetes Dashboard application. The dashboard is an official web-based Kubernetes GUI.
For a conceptual overview of Helm and its packaging ecosystem, please read our article An Introduction to Helm.
Note: This tutorial covers the workflow for installing software on Kubernetes clusters with version 2 of the Helm package manager, which requires Tiller. If you’re working with version 3 of Helm follow our tutorial How To Install Software on Kubernetes Clusters with the Helm 3 Package Manager.
For this tutorial you will need:
A Kubernetes 1.8+ cluster with role-based access control (RBAC) enabled.
kubectl command-line tool installed on your local machine, configured to connect to your cluster. You can read more about installing
kubectl in the official documentation.
You can test your connectivity with the following command:
- kubectl cluster-info
If you see no errors, you’re connected to the cluster. If you access multiple clusters with
kubectl, be sure to verify that you’ve selected the correct cluster context:
- kubectl config get-contexts
OutputCURRENT NAME CLUSTER AUTHINFO NAMESPACE * do-nyc1-k8s-example do-nyc1-k8s-example do-nyc1-k8s-example-admin docker-for-desktop docker-for-desktop-cluster docker-for-desktop
In this example the asterisk (
*) indicates that we are connected to the
do-nyc1-k8s-example cluster. To switch clusters run:
- kubectl config use-context context-name
When you are connected to the correct cluster, continue to Step 1 to begin installing Helm.
First we’ll install the
helm command-line utility on our local machine. Helm provides a script that handles the installation process on MacOS, Windows, or Linux.
Change to a writable directory and download the script from Helm’s GitHub repository:
- cd /tmp
- curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get > install-helm.sh
Make the script executable with
- chmod u+x install-helm.sh
At this point you can use your favorite text editor to open the script and inspect it to make sure it’s safe. When you are satisfied, run it:
You may be prompted for your password. Provide it and press
Outputhelm installed into /usr/local/bin/helm Run 'helm init' to configure helm.
Next we will finish the installation by installing some Helm components on our cluster.
Tiller is a companion to the
helm command that runs on your cluster, receiving commands from
helm and communicating directly with the Kubernetes API to do the actual work of creating and deleting resources. To give Tiller the permissions it needs to run on the cluster, we are going to make a Kubernetes
Note: We will bind this
serviceaccount to the cluster-admin cluster role. This will give the
tiller service superuser access to the cluster and allow it to install all resource types in all namespaces. This is fine for exploring Helm, but you may want a more locked-down configuration for a production Kubernetes cluster.
Please refer to the official Helm RBAC documentation for more information on setting up different RBAC scenarios for Tiller.
Create the tiller
- kubectl -n kube-system create serviceaccount tiller
Next, bind the tiller
serviceaccount to the cluster-admin role:
- kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
Now we can run
helm init, which installs Tiller on our cluster, along with some local housekeeping tasks such as downloading the stable repo details:
- helm init --service-account tiller
Output. . . Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster. Please note: by default, Tiller is deployed with an insecure 'allow unauthenticated users' policy. For more information on securing your installation see: https://docs.helm.sh/using_helm/#securing-your-helm-installation Happy Helming!
To verify that Tiller is running, list the pods in thekube-system namespace:
- kubectl get pods --namespace kube-system
OutputNAME READY STATUS RESTARTS AGE . . . kube-dns-64f766c69c-rm9tz 3/3 Running 0 22m kube-proxy-worker-5884 1/1 Running 1 21m kube-proxy-worker-5885 1/1 Running 1 21m kubernetes-dashboard-7dd4fc69c8-c4gwk 1/1 Running 0 22m tiller-deploy-5c688d5f9b-lccsk 1/1 Running 0 40s
The Tiller pod name begins with the prefix
Now that we’ve installed both Helm components, we’re ready to use
helm to install our first application.
Helm software packages are called charts. Helm comes preconfigured with a curated chart repository called stable. You can browse the available charts in their GitHub repo. We are going to install the Kubernetes Dashboard as an example.
helm to install the
kubernetes-dashboard package from the
- helm install stable/kubernetes-dashboard --name dashboard-demo
OutputNAME: dashboard-demo LAST DEPLOYED: Wed Aug 8 20:11:07 2018 NAMESPACE: default STATUS: DEPLOYED . . .
NAME line, highlighted in the above example output. In this case we specified the name
dashboard-demo. This is the name of our release. A Helm release is a single deployment of one chart with a specific configuration. You can deploy multiple releases of the same chart with, each with its own configuration.
If you don’t specify your own release name using
--name, Helm will create a random name for you.
We can ask Helm for a list of releases on this cluster:
- helm list
OutputNAME REVISION UPDATED STATUS CHART NAMESPACE dashboard-demo 1 Wed Aug 8 20:11:11 2018 DEPLOYED kubernetes-dashboard-0.7.1 default
We can now use
kubectl to verify that a new service has been deployed on the cluster:
- kubectl get services
OutputNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE dashboard-demo-kubernetes-dashboard ClusterIP 10.32.104.73 <none> 443/TCP 51s kubernetes ClusterIP 10.32.0.1 <none> 443/TCP 34m
Notice that by default the service name corresponding to our release is a combination of the Helm release name and the chart name.
Now that we’ve deployed the application, let’s use Helm to change its configuration and update the deployment.
helm upgrade command can be used to upgrade a release with a new or updated chart, or update the it’s configuration options.
We’re going to make a simple change to our
dashboard-demo release to demonstrate the update and rollback process: we’ll update the name of the dashboard service to just
dashboard, instead of
kubernetes-dashboard chart provides a
fullnameOverride configuration option to control the service name. Let’s run
helm upgrade with this option set:
- helm upgrade dashboard-demo stable/kubernetes-dashboard --set fullnameOverride="dashboard"
You’ll see output similar to the initial
helm install step.
Check if your Kubernetes services reflect the updated values:
- kubectl get services
OutputNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.32.0.1 <none> 443/TCP 36m dashboard ClusterIP 10.32.198.148 <none> 443/TCP 40s
Our service name has been updated to the new value.
Note: At this point you may want to actually load the Kubernetes Dashboard in your browser and check it out. To do so, first run the following command:
- kubectl proxy
This creates a proxy that lets you access remote cluster resources from your local computer. Based on the previous instructions your dashboard service is named
kubernetes-dashboard and it’s running in the
default namespace. You may now access the dashboard at the following url:
If necessary, substitute your own service name and namespace for the highlighted portions. Instructions for actually using the dashboard are out of scope for this tutorial, but you can read the official Kubernetes Dashboard docs for more information.
Next we’ll look at Helm’s ability to roll back releases.
When we updated our
dashboard-demo release in the previous step, we created a second revision of the release. Helm retains all the details of previous releases in case you need to roll back to a prior configuration or chart.
helm list to inspect the release again:
- helm list
OutputNAME REVISION UPDATED STATUS CHART NAMESPACE dashboard-demo 2 Wed Aug 8 20:13:15 2018 DEPLOYED kubernetes-dashboard-0.7.1 default
REVISION column tells us that this is now the second revision.
helm rollback to roll back to the first revision:
- helm rollback dashboard-demo 1
You should see the following output, indicating that the rollback succeeded:
OutputRollback was a success! Happy Helming!
At this point, if you run
kubectl get services again, you will notice that the service name has changed back to its previous value. Helm has re-deployed the application with revision 1’s configuration.
Next we’ll look into deleting releases with Helm.
Helm releases can be deleted with the
helm delete command:
- helm delete dashboard-demo
Outputrelease "dashboard-demo" deleted
Though the release has been deleted and the dashboard application is no longer running, Helm saves all the revision information in case you want to re-deploy the release. If you tried to
helm install a new
dashboard-demo release right now, you’d get an error:
Error: a release named dashboard-demo already exists.
If you use the
--deleted flag to list your deleted releases, you’ll see that the release is still around:
- helm list --deleted
OutputNAME REVISION UPDATED STATUS CHART NAMESPACE dashboard-demo 3 Wed Aug 8 20:15:21 2018 DELETED kubernetes-dashboard-0.7.1 default
To really delete the release and purge all old revisions, use the
--purge flag with the
helm delete command:
- helm delete dashboard-demo --purge
Now the release has been truly deleted, and you can reuse the release name.
In this tutorial we installed the
helm command-line tool and its
tiller companion service. We also explored installing, upgrading, rolling back, and deleting Helm charts and releases.
For more information about Helm and Helm charts, please see the official Helm documentation.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in our Questions & Answers section, find tutorials and tools that will help you grow as a developer and scale your project or business, and subscribe to topics of interest.Sign up now
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Followed the steps and getting this when attempting to view dashboard through
Hi, thanks for the Tutorial. On a Digital Ocean managed Kubernetes Cluster I get the following installation error creating the dashboard pod.
panic: secrets is forbidden: User “system:serviceaccount:default:dashboard-kubernetes-dashboard” cannot create resource “secrets” in API group “” in the namespace “kube-system”
This tutorial is out of date, Helm 3 does not use Tiller. Please update.
G’day, fyi Im on a windows machine.
Sorry instructions don’t work. Spent a couple of hours on this.
All looks well, helm works, tiller is running,
but when try to install ANY helm package you get this
Error: validation failed: unable to recognize “”: no matches for kind “Deployment” in version “extensions/v1beta1”
Ive successfully setup K8s on GCP, and… like everyone says, it just works.
Unfortunately, with DO, sadly as I expected, it just does not work.
Was nice having a play though. Will try again in 6 months. I realize these things are hard and takes time for documentation to get perfected.
This post is quite a bit outdated now. Helm 3 no longer uses tiller and the command to install has no
--nameflag it is now required:
Like it great work
Hi, I had difficulty installing the dashboard and added a helm issue here:
along with a workaround.
Yet another broken Kubernetes tutorial. Glad all these issues were fixed before going GA! /s
This isn’t working for me with the latest update to 2.12.3. I cannot connect helm to tiller.
When I tried to run this,
Error: release dashboard-demo failed: namespaces “default” is forbidden: User “system:serviceaccount:kube-system:default” cannot get resource “namespaces” in API group “” in the namespace “default”