Cannot create portforward in kube-system

I’m new to this.

My clusters are managed by Kubernetes version 2.2.3. The developers need to be able to use Helm (v2.12.0) commands to install releases and perform other functions. I know from experience and from other articles that in order to use Helm they need permission to ‘create’ pods/portforward objects in the kube-system namespace. I found how to create the permission and apply it to a user. I’ve also found that the users need at least ‘list’ permission on pods in the kube-system namespace. I can give them that by assigning them the Read Only role in the System project.

My most recent attempt at this was adding the pods/portforward permission to the read-only clusterrole by applying it via a manifest and the kubectl apply command. That provided the necessary access to users when the users were given the Read Only role in the System namespace. But a few hours after I’ve made those changes and successfully tested the functionality, those new permissions had disappeared from the read-only and project-member roles. I guess Kubernetes does this as part of housekeeping.

I imagine that use of Helm is common and I’d be surprised if modifying default roles is really necessary and not widely documented. Is this the right way to accomplish this, or have I missed something? Is it safe to give all users the Read Only role in kube-system?

This is a sample of errors that I get without the portforward permission on a ‘helm version’ inquiry:
Error: forwarding ports: error upgrading connection: pods "tiller-deploy-76fcc6b44d-5bm78" is forbidden: User "u-92skz" cannot create resource "pods/portforward" in API group "" in the namespace "kube-system"

With portforward permission and without pods list permission (not a member of the System project), I get this on a helm version command:
Error: an error on the server: Forbidden 403: "c-qj9d4" is forbidden: User "u-92skz" cannot get resource "clusters" in API group "" at the cluster scope","Cause":null,"FieldName":""}") has prevented the request from succeeding (get pods)

Helm is inherently not multi-tenant. Tiller runs as a single service account and users talk to tiller. “Catalogs” and “Apps” use helm and tiller internally to deploy charts in a multi-tenant environment.

If you want native helm/tiller then you can deploy it yourself, which includes creating the service account it runs with and whatever permissions you want that to have.
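As an added example (not from the original question or the reply above): a dedicated Role in kube-system that grants only the two permissions the error messages in the question name, bound to an assumed group `helm-users`, so the built-in read-only role is left untouched. What a user can do once connected to Tiller is still decided by Tiller's own service account, not by this Role.

```yaml
# Added example, not from the original post. Names marked "assumed" are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: helm-tiller-client        # assumed name
  namespace: kube-system          # Tiller's namespace, as in the question
rules:
  # 'helm version' first looks up the tiller-deploy pod ("get pods" in the second error)
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # then it opens a port-forward to that pod ("create pods/portforward" in the first error)
  - apiGroups: [""]
    resources: ["pods/portforward"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: helm-tiller-client        # assumed name
  namespace: kube-system
subjects:
  # assumed subject; bind the real user or group instead
  - kind: Group
    name: helm-users
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: helm-tiller-client
  apiGroup: rbac.authorization.k8s.io
```

After `kubectl apply -f` of the manifest, `kubectl auth can-i create pods/portforward -n kube-system --as=<user>` (and the same with `list pods`) confirms the grant without running Helm, and the same command run later will show whether the permission is still in place.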