"status 403" error shows up when displaying Application Live View after upgrading to Tanzu Application Platform (TAP) 1.5.

• Full error message

Invalid response (status 403): resourceinspectiongrants.appliveview.apps.tanzu.vmware.com is forbidden: User "system:serviceaccount:tap-gui:tap-gui-viewer" cannot create resource "resourceinspectiongrants" in API group "appliveview.apps.tanzu.vmware.com" at the cluster scope

• Screenshot

Product Version: 1.5

This error is caused by a new feature introduced in TAP 1.5 versions. 

• TAP 1.5 Release Notes - New features by component and area : Application Live View now supports improved security and access control. Introduces the APIServer component that generates and validates user access to view actuator data for a pod.

For Multi-clusters, users may already followed View resources on multiple clusters in Tanzu Application Platform GUI - TAP 1.4 and set up the required Service Account and ClusterRole to be able to view resources on the Build or Run clusters. Due to the new feature mentioned above, it's necessary to add below scopes to the ClusterRole in TAP 1.5 to consume the improved security feature. With the updated ClusterRole, it will be able to access and request tokens from the Application Live View APIServer and see the live information in Application Live View.

- apiGroups: ['appliveview.apps.tanzu.vmware.com']
  resources:
  - resourceinspectiongrants
  verbs: ['get', 'watch', 'list', 'create']

See below links for more information about the new feature and the configuration change:

• Configure security and access control in Application Live View - TAP 1.5
• View resources on multiple clusters in Tanzu Application Platform GUI - TAP 1.5