1. A domain user with a non-administrator role who attempts to list the supervisor cluster nodes from the local jump server gets the error: "Error from server (Forbidden): nodes is forbidden: User "sso:<username>@<domain>" cannot list resource "nodes" in API group "" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "psp:vmware-system-privileged" not found"
2. Listing the nodes works when the local SSO administrator account is used instead.
3. Giving the user the "Administrator" role along with the Global Permission doesn't help.
vSphere with Tanzu
VMware vCenter Server 7.x
VMware vCenter Server 8.x
Developers have no cluster-wide permissions (no ClusterRoleBindings); they have permissions only on individual namespaces (RoleBindings). Only members of the SSO group "Administrators" get the cluster-level privileges that allow them to see resources like nodes.
If there is a genuine need for a domain user to list the supervisor cluster nodes via kubectl on the local jump box, add that user to the SSO group "Administrators".
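The following added example (not VMware's code) models the rule described above: only a ClusterRoleBinding that matches the user or one of the user's groups can authorize listing a cluster-scoped resource such as nodes, while a RoleBinding cannot, even when it references a ClusterRole that names nodes. The objects are constructed samples, and every role name, binding name and the example.test domain are assumptions for illustration.

```python
# Constructed sample objects shaped like `kubectl get ... -o json` items.
# Every name and the example.test domain are hypothetical.
CLUSTER_ROLES = {
    "example-edit": [{"apiGroups": ["", "apps"], "resources": ["pods", "deployments"],
                      "verbs": ["get", "list", "create"]}],
    "example-node-view": [{"apiGroups": [""], "resources": ["nodes"],
                           "verbs": ["get", "list"]}],
}
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "dev1-edit", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "example-edit"},
     "subjects": [{"kind": "User", "name": "sso:dev1@example.test"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev2-nodes", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "example-node-view"},
     "subjects": [{"kind": "User", "name": "sso:dev2@example.test"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "example-node-view"},
     "subjects": [{"kind": "Group", "name": "sso:Administrators@example.test"}]},
]

def matches(values, wanted):
    # RBAC rule fields accept the "*" wildcard.
    return "*" in values or wanted in values

def rule_allows(rule, verb, api_group, resource):
    return (matches(rule.get("verbs", []), verb)
            and matches(rule.get("apiGroups", []), api_group)
            and matches(rule.get("resources", []), resource))

def subject_matches(subject, user, groups):
    wanted = {"User": [user], "Group": groups}.get(subject["kind"], [])
    return subject["name"] in wanted

def cluster_scope_grants(user, groups, verb="list", api_group="", resource="nodes",
                         bindings=BINDINGS, roles=CLUSTER_ROLES):
    """Names of ClusterRoleBindings that authorize the request at cluster scope."""
    granted = []
    for b in bindings:
        if b["kind"] != "ClusterRoleBinding":
            continue  # a RoleBinding only applies inside its own namespace
        if not any(subject_matches(s, user, groups) for s in b.get("subjects") or []):
            continue
        rules = roles.get(b["roleRef"]["name"], [])  # a missing role grants nothing
        if any(rule_allows(r, verb, api_group, resource) for r in rules):
            granted.append(b["metadata"]["name"])
    return granted
```

An empty result corresponds to the Forbidden error in the symptom; a non-empty result names the binding that authorizes the request.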