When using kubectl client to access supervisor via Aria Automation CCI, it fails with error message similar to below:

cannot get path \"/swagger-2.0.0.pb-v1\"","reason":"Forbidden","details":{},"code":403

When you enable the debug level logs, it shows additional error with code 406, similar to below:

wcp@deva:~/cci$ kubectl apply -f testtkg.yaml -v=8
I0618 17:21:56.170351 386594 loader.go:395] Config loaded from file: /home/wcp/.kube/config
I0618 17:21:56.171669 386594 round_trippers.go:463] GET https://cava-216-122-184.eng.vmware.com/cci/kubernetes/apis/infrastructure.cci.vmware.com/v1alpha1/namespaces/pilot/supervisornamespaces/nstest1/proxy/openapi/v2?timeout=32s
I0618 17:21:56.171706 386594 round_trippers.go:469] Request Headers:
I0618 17:21:56.171753 386594 round_trippers.go:473] Accept: application/[email protected]+protobuf
I0618 17:21:56.171781 386594 round_trippers.go:473] User-Agent: kubectl/v1.28.3+vmware.wcp.1 (linux/amd64) kubernetes/9c6580b
I0618 17:21:56.171810 386594 round_trippers.go:473] Authorization: Bearer <masked>
I0618 17:21:56.268171 386594 round_trippers.go:574] Response Status: 406 Not Acceptable in 96 milliseconds
... 
I0618 17:21:56.318877 386594 round_trippers.go:574] Response Status: 403 Forbidden in 47 milliseconds

This is because an older version of kubectl client is used, which calls openapi/v2 which is not supported by supervisor.  Supervisor expects openapi/v3.  Therefore kubectl client falls back to calling another api which is not allowed, hence we are seeing forbidden error.

Impact:

Any customers using older version of kubectl (version older than 1.29) in their local env, trying to access supervisor via CCI

Use newer version of kutectl client, such as 1.29.5 is proven to fix the issue.