Insufficient RBAC permissions when listing or creating resources within Cluster scope



Article ID: 371433


Products

VMware vSphere with Tanzu

Issue/Introduction

Symptoms: 

- When logged in to a cluster (Supervisor or TKC), kubectl commands such as the one below fail with a Forbidden error, indicating that the user 'test' lacks the permissions needed to create or list resources (for example, those in the run.tanzu.vmware.com API group) at the cluster scope.

kubo@jumper:~$ kubectl get pods -A

Error from server (Forbidden): pods is forbidden: User "sso:[email protected]" cannot list resource "pods" in API group "" at the cluster scope

 

Cause

RBAC permissions remain limited even when you log in with the default administrator account or an SSO user account, unless that account has been explicitly granted cluster-admin privileges through a binding.

 

Resolution

To resolve this issue, assign the cluster-admin ClusterRole to the SSO user by creating a ClusterRoleBinding.

- Run the command below on the Supervisor control plane VM.

kubectl create clusterrolebinding test:cluster-admin --user sso:[email protected] --clusterrole cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/test:cluster-admin created

 

Replace 'test' (in both the binding name and the --user value) with the username that needs the cluster-admin role.

 

- Verify that the ClusterRoleBinding has been created.

kubectl get clusterrolebinding -A | grep test
clusterrolebinding.rbac.authorization.k8s.io/test:cluster-admin   ClusterRole/cluster-admin   19s

 

- Log in to the cluster from the jumpbox using kubectl vsphere login and verify that you can now perform the desired actions.

kubectl vsphere login --vsphere-username [email protected] --server=https://<Supervisor-LBIP> --insecure-skip-tls-verify
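Binding cluster-admin grants the user unrestricted access to every API in the cluster. The manifest below is an added example (not from this article) of the narrower alternative a practitioner would usually prefer: a custom ClusterRole limited to the run.tanzu.vmware.com API group named in the Symptoms section plus read-only access to pods, bound to a single SSO user. The role and binding names and the user "sso:test@<sso-domain>" are placeholders; TanzuKubernetesCluster and TanzuKubernetesRelease are existing resource kinds in that API group and are used here only to illustrate scoping.

```yaml
# Added example, not part of the KB article: a least-privilege ClusterRole
# and ClusterRoleBinding in place of the cluster-admin binding.
# Placeholders: role/binding names and the SSO user name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tanzu-cluster-operator            # hypothetical name
rules:
  # Tanzu cluster lifecycle objects in the API group the error refers to
  - apiGroups: ["run.tanzu.vmware.com"]
    resources: ["tanzukubernetesclusters", "tanzukubernetesreleases"]
    verbs: ["get", "list", "watch", "create"]
  # Read-only access to pods cluster-wide (covers `kubectl get pods -A`)
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test:tanzu-cluster-operator       # hypothetical name
subjects:
  - kind: User
    name: "sso:test@<sso-domain>"         # placeholder: SSO user as it appears in the Forbidden error
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: tanzu-cluster-operator
  apiGroup: rbac.authorization.k8s.io
```

Apply it on the Supervisor control plane with kubectl apply -f, then confirm the effective permissions before handing the account back: kubectl auth can-i list pods -A --as "sso:test@<sso-domain>" and kubectl auth can-i create tanzukubernetesclusters.run.tanzu.vmware.com --as "sso:test@<sso-domain>" should both answer yes, while kubectl auth can-i delete nodes --as "sso:test@<sso-domain>" should answer no. If the broad cluster-admin binding from the steps above was created as a temporary fix, remove it afterwards with kubectl delete clusterrolebinding test:cluster-admin. Note also that --insecure-skip-tls-verify in the login command disables certificate validation of the Supervisor endpoint; use it only where the endpoint's CA cannot be trusted locally.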

 

Additional Information

To create a ClusterRoleBinding on a TKC (Tanzu Kubernetes Cluster), the user must be a member of the Administrators group in vCenter.