Symptoms:

Creating a RoleBinding fails with the following error (the RoleBinding name and namespace are shown as placeholders):

Failed to create RoleBinding for xxx in namespace xxxxxxx. API server returned error 'admission webhook "admission.vmware.com" denied the request: Users are allowed to create role bindings only for service accounts.'. This operation will be retried.

The following entries appear in /var/log/vmware/wcp/wcpsvc.log:
[YYYY-MM-DDTHH:MM:SS] debug wcp [workload/controller.go:906] [opID=svc-velero-domain-*****-workload=svc-velero-domain-*****] Reconcile role bindings done map[] [{Severity:ERROR Details:0xc025cb90e0}]
[YYYY-MM-DDTHH:MM:SS] debug wcp [workload/controller.go:906] [opID=svc-velero-domain-*****-workload=svc-velero-domain-*****] Reconcile role bindings done map[] [{Severity:ERROR Details:0xc025e29db0}]
[YYYY-MM-DDTHH:MM:SS] debug wcp [workload/controller.go:906] [opID=svc-velero-domain-*****-workload=svc-velero-domain-*****] Reconcile role bindings done map[] [{Severity:ERROR Details:0xc025edd090}]
kubectl commands run as an SSO user fail with:

Error from server (Forbidden): pods is forbidden: User "sso:account-name@tanzu.local" cannot list resource "pods" in API group "" at the cluster scope

Cause:

The file /etc/vmware/wcp/wcp-schedext-admission-controller-user-whitelist on the Supervisor Control Plane is empty.

Affected versions: vCenter Server 8.0 Update 3b and above.

A known issue causes this file to get truncated.
Workaround:

For each Supervisor Control Plane with an empty wcp-schedext-admission-controller-user-whitelist file, perform the following steps:

1. Retrieve the required values:
   <machine_id> from the output of:
   <sso_domain> from the output of:

2. Add the following content to the file /etc/vmware/wcp/wcp-schedext-admission-controller-user-whitelist:

3. Restart the wcp-schedext pod on the Supervisor Control Plane:

4. Wait 10-15 minutes for TKG components to reconcile and return to a healthy state.