Symptoms:
- When logged in to a cluster (Supervisor or TKC), you are unable to run kubectl commands such as the one below. The error indicates that the user 'test' lacks the permissions needed to create or list resources in the run.tanzu.vmware.com API group at the cluster scope.
kubo@jumper:~$ kubectl get pods -A
Error from server (Forbidden): pods is forbidden: User "sso:[email protected]" cannot list resource "pods" in API group "" at the cluster scope
RBAC permissions remain limited even when you log in with the default administrator or an SSO user account, unless that user has been granted explicit cluster-admin privileges.
To resolve this, assign the cluster-admin role to the SSO user by creating a cluster role binding.
- Run the following command on the Supervisor control plane VM.
kubectl create clusterrolebinding test:cluster-admin --user sso:[email protected] --clusterrole cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/test:cluster-admin created
Replace 'test' with the username that needs the cluster-admin role.
- Verify that the cluster role binding has been created.
kubectl get clusterrolebinding -A | grep test
clusterrolebinding.rbac.authorization.k8s.io/test:cluster-admin ClusterRole/cluster-admin 19s
- Log in to the cluster from the jumpbox using kubectl vsphere login and verify that you can perform the desired actions.
kubectl vsphere login --vsphere-username [email protected] --server=https://<Supervisor-LBIP> --insecure-skip-tls-verify
For TKC clusters, the user must be added to the Administrators group in vCenter before they can create a cluster role binding.
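The same grant expressed declaratively, plus a check that lists who holds cluster-admin and an impersonation check that the binding took effect. This is an added example, not part of the original article; the SSO domain vsphere.local, the sample binding rows and the function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): render the cluster-admin
# ClusterRoleBinding declaratively and audit which subjects hold cluster-admin.
# Assumptions: bash, kubectl on PATH for the live check; the SSO domain
# vsphere.local and all sample bindings are constructed.
set -eu

# Render a ClusterRoleBinding manifest granting cluster-admin to one SSO user.
# Binding a single User (not a Group) keeps the grant scoped to that identity.
render_cluster_admin_binding() {
  local user="$1"                          # e.g. test@vsphere.local
  local name="${user%%@*}:cluster-admin"   # e.g. test:cluster-admin, as on the page
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${name}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: sso:${user}
EOF
}

# Audit: print "KIND NAME" for every subject bound to cluster-admin.
# Reads the output of:
#   kubectl get clusterrolebinding --no-headers \
#     -o custom-columns='ROLE:.roleRef.name,KIND:.subjects[*].kind,NAME:.subjects[*].name'
# (custom-columns joins list values with commas; bindings without subjects show <none>).
list_cluster_admin_subjects() {
  awk '$1 == "cluster-admin" && $2 != "<none>" {
    n = split($2, kinds, ","); split($3, names, ",")
    for (i = 1; i <= n; i++) print kinds[i], names[i]
  }'
}

# Live check after applying the binding: impersonate the user and ask the API
# server whether it may list pods cluster-wide (needs kubectl and a kubeconfig).
check_can_list_pods_as() {
  kubectl auth can-i list pods -A --as "sso:$1"
}
```

Pipe `render_cluster_admin_binding test@vsphere.local` into `kubectl apply -f -` to create the binding; review the audit output periodically, since every subject it lists has unrestricted control of the cluster.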