TMC Access Roles/Permissions not syncing properly with clusters
Article ID: 319393
Products
VMware
VMware vSphere ESXi
VMware vSphere Kubernetes Service
Issue/Introduction
This article is intended to demonstrate how to apply specific Kubernetes permissions from Tanzu Mission Control to manage and interact with the clusters.
Symptoms:
A custom role is created in Tanzu Mission Control for a specific user so that the user can manage only certain resources or execute specific actions on them, for instance a user who can only create and delete namespaces on a cluster.
The custom role works properly for the user directly in the TMC GUI.
The user can log in to the cluster via the CLI using TMC login or Tanzu login, but cannot execute tasks with kubectl commands. The following error is presented: "Error from server (Forbidden): <kubernetes_resource_name> is forbidden: User "<user_email>" cannot <create/delete/edit/etc> resource "<kubernetes_resource_name>" in API group at the cluster scope"
Kubernetes objects can be created using the TMC CLI or the Tanzu CLI based on the assigned permissions.
Environment
VMware vSphere 7.0 with Tanzu
Cause
There is a known issue in Tanzu Mission Control: if an existing Custom Role that has no Kubernetes RBAC rules is updated to add a Kubernetes RBAC rule, the updated role does not synchronize to the cluster as it should. This issue is currently under investigation.
Resolution
There is no final resolution for this issue yet, since it is still under investigation.
Workaround:
Create a new custom role in Tanzu Mission Control with Kubernetes RBAC rules for the desired resource and the desired verbs, such as "create/get/update/delete". The new role must then be assigned to the desired users or user groups.
Create New Custom Role:
1. Go to Tanzu Mission Control.
2. Click on Administration > Roles > Create Custom Role.
3. Enter a Name for the new role. The other fields are optional.
4. Select the desired Role Visibility. The options for Cluster are Organization, Cluster Group or Cluster; the options for Workspace are Workspace and Namespace.
5. Select the desired Tanzu Permissions for the desired Kubernetes object.
6. Create a Kubernetes RBAC rule with the desired Kubernetes Verbs (multiple can be added), the Type, and the Value for the selected Type (resource type).
7. Click on the Create button.
Apply New Custom Role:
1. In the Tanzu Mission Control menu, expand Access Management and select Access Policies.
2. Select the desired Cluster or Cluster Group and, under Direct Access Policies, select Create Role Bindings.
3. Search for the role name you entered in step 3 of the Create New Custom Role section, and fill out the Identities (User, Groups or Kubernetes service account) and User Identity fields accordingly.
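The following Python example is added here and is not part of the KB article: it parses the kubectl Forbidden message quoted under Symptoms and checks the denied request against the Kubernetes PolicyRule that a custom role's RBAC rule (Verbs, Type, Value) is expected to correspond to once synchronized to the cluster. The PolicyRule mapping and the sample user/message are assumptions constructed for illustration, not TMC's own objects.

```python
import re

# Shape of the kubectl "Forbidden" message from the Symptoms section. The API group
# may be quoted ("" is the core group) or, as in the KB text, absent altogether.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)"'
    r' in API group (?:"(?P<group>[^"]*)")?'
    r'\s*(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")?'
)

# Constructed sample message (not a real user); mirrors the symptom for a user who
# should be allowed to create namespaces but whose role never reached the cluster.
SAMPLE_MESSAGE = ('Error from server (Forbidden): namespaces is forbidden: '
                  'User "user@example.com" cannot create resource "namespaces" '
                  'in API group "" at the cluster scope')


def parse_forbidden(message):
    """Extract who attempted which verb on which resource from a Forbidden error."""
    m = FORBIDDEN_RE.search(message)
    if not m:
        raise ValueError("not a recognised kubectl Forbidden message")
    return {"user": m["user"], "verb": m["verb"], "resource": m["resource"],
            "api_group": m["group"] or "",   # missing or "" means the core API group
            "namespace": m["ns"]}            # None when denied at the cluster scope


def tmc_rule_to_policy_rule(verbs, resource, api_group=""):
    """Assumed mapping of a TMC RBAC rule (Verbs, Type=Resource, Value) to a PolicyRule."""
    return {"apiGroups": [api_group], "resources": [resource], "verbs": sorted(verbs)}


def rule_allows(rules, verb, resource, api_group=""):
    """Kubernetes RBAC semantics: access is granted if any rule matches group, resource and verb ('*' wildcards)."""
    for rule in rules:
        if api_group not in rule["apiGroups"] and "*" not in rule["apiGroups"]:
            continue
        if resource not in rule["resources"] and "*" not in rule["resources"]:
            continue
        if verb in rule["verbs"] or "*" in rule["verbs"]:
            return True
    return False


def diagnose(message, rules):
    """Return the parsed request and whether the given rules would have permitted it."""
    req = parse_forbidden(message)
    return req, rule_allows(rules, req["verb"], req["resource"], req["api_group"])


if __name__ == "__main__":
    role_without_rbac = []                                         # the stale role that never synced
    new_role = [tmc_rule_to_policy_rule(["create", "delete"], "namespaces")]
    for label, rules in (("old role", role_without_rbac), ("new role", new_role)):
        req, ok = diagnose(SAMPLE_MESSAGE, rules)
        print(f"{label}: {req['user']} {req['verb']} {req['resource']} -> {'allowed' if ok else 'denied'}")
```

If the new role still evaluates to "denied" here, the RBAC rule itself is too narrow; if it evaluates to "allowed" but kubectl still returns Forbidden, the role has not synchronized to the cluster, which is the symptom this article describes.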
Additional Information
Impact/Risks:
Creating custom roles that contain specific Kubernetes RBAC rules for users in the organization will limit the actions that those users can perform on the cluster.