When attempting to run kubectl commands after a successful kubectl vsphere login to the vSphere Kubernetes Cluster, similar error messages to the following are observed:

couldn't get current server API group list: the server has asked for the client to provide credentials
error: You must be logged in to the server (the server has asked for the client to provide credentials)

However, when SSH connected to the vSphere Kubernetes cluster as breakglass user vmware-system-user, kubectl commands work without issue.

For the affected vSphere Kubernetes cluster, the following symptoms are present:

• kubectl commands fail on all jumpboxes after successful kubectl vsphere login to the same vSphere Kubernetes Cluster.
  
  
• Performing a describe on the ClusterBootstrap object associated with the vSphere Kubernetes cluster from the Supervisor cluster shows an error similar to the below:

Message:               kapp: Error: Creating app change:
ConfigMap "tkc-01-my-longnamedtanzukubernetescluster-ab-c-1234-guest-cluster-auth-abcdefgh" is invalid: metadata.labels:
Invalid value: "tkc-01-my-longnamedtanzukubernetescluster-ab-c-1234-guest-cluster-auth-service.app": must be no more than 63 >characters

• The vSphere Kubernetes cluster's name exceeds 31 characters in length.
  
  
• The packageinstall (pkgi) for the guest-cluster-auth-service from within the affected vSphere Kubernetes cluster is in ReconcileFailed state:

  • kubectl get pkgi -A

vSphere with Tanzu 7.0

vSphere with Tanzu 8.0

This is due to a known issue in environments where the vSphere Kubernetes cluster has a name that is greater than 31 characters in length.

Please open a ticket to VMware by Broadcom Technical Support referencing this KB for assistance in reconciling the affected vSphere Kubernetes Cluster's guest-auth-service pkgi to Reconcile succeeded state.

A fix for this vSphere Kubernetes Cluster name length exceeding 31 characters has been made available in TKR v1.26.5 and higher.