How to access the specific CRD with built-in cluster.edit role in TMC
Article ID: 372038


Updated On:

Products

VMware Tanzu Mission Control

Issue/Introduction

A user or group with the built-in cluster.edit role cannot access a specific CRD.

If Flux CD is enabled in the cluster through TMC, a user or group with the cluster.edit role that tries to access the CRDs in the namespace where Flux CD is deployed fails with the error below:

Error from server (Forbidden): terraforms.infra.contrib.fluxcd.io is forbidden: User "[email protected]" cannot list resource "terraforms" in API group "infra.contrib.fluxcd.io" in the namespace "dev1": decision made by impersonation-proxy.concierge.pinniped.dev

Environment

Cluster attached/created in TMC

Cause

The built-in cluster.edit role carries a fixed set of Kubernetes RBAC rules, and those rules do not cover the terraforms resource in the infra.contrib.fluxcd.io API group. The request is therefore denied by the Pinniped impersonation proxy that TMC uses to enforce access, as the "decision made by impersonation-proxy.concierge.pinniped.dev" part of the error shows.

Only the cluster.admin role is able to access these resources.

Resolution

Create a custom role and attach it to the user or group.

Here are the steps:

  • Allow users with cluster.edit to access the CRD by creating a custom role; custom roles are the mechanism for this kind of situation.
  • cluster.edit is a built-in role with a fixed collection of permissions. To create a custom role with the same permissions, check which permissions cluster.edit contains and add them to the custom role.
  • In addition, specify the CRD access (API group infra.contrib.fluxcd.io, resource terraforms, and the required verbs) under "Additional Kubernetes RBAC rules". Once the custom role is created, it is listed in Access Management.

 

-> Create a custom role under TMC->Administration->Role->Create custom role.

Before creating the role, make a note of the existing permissions of cluster.edit:

TMC->Administration->Role-> cluster.edit




-> Then create the custom role with the additional Kubernetes RBAC rules shown in the screenshot below, including the permissions copied from cluster.edit.

Name of the custom role: customer-cluster.edit (any name can be used)


-> Once the custom role is created, it appears in Access Management, where it is attached to the user or group through an access policy:

TMC->Access management-> access policies
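
The following is an added example, not part of the original article or of TMC's own output. It shows the Kubernetes RBAC rule that the custom role's "Additional Kubernetes RBAC rules" field has to carry, expressed as a standard Kubernetes Role manifest so that it can be compared with the rule TMC applies to the cluster. The API group and resource are taken from the Forbidden error above; the manifest name, the verb list and the namespace dev1 are assumptions.

```yaml
# Added example (not from the original KB article): the RBAC rule that the
# custom role needs on top of the cluster.edit permissions.
# API group and resource come from the Forbidden error in the article;
# the Role name, the verbs and the namespace are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: flux-terraforms-edit   # assumed name
  namespace: dev1              # namespace named in the error message
rules:
  - apiGroups: ["infra.contrib.fluxcd.io"]   # API group from the error
    resources: ["terraforms"]                # resource from the error
    # "list" is the verb that failed; get/watch complete read access, and the
    # write verbs make the rule match what an "edit" role is expected to do.
    # Drop the last four verbs for a read-only variant.
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

The rule is deliberately limited to the one API group and resource named in the error rather than a wildcard over infra.contrib.fluxcd.io, so the custom role grants nothing beyond what cluster.edit lacked. After the custom role is attached to the user or group, verify the fix as the affected user with `kubectl auth can-i list terraforms.infra.contrib.fluxcd.io -n dev1`, which should now answer "yes" instead of the Forbidden error.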