Getting "User "sso:<user>@<domain>" cannot list resource "nodes" in API group "" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "psp:vmware-system-privileged" not found" when trying to list supervisor cluster nodes.

Article ID: 382329

Products

Tanzu Kubernetes Runtime

Issue/Introduction

1. A domain user who holds a non-administrator role attempts to list the Supervisor cluster nodes with kubectl from the local jump server and receives the error: "Error from server (Forbidden): nodes is forbidden: User "sso:<username>@<domain>" cannot list resource "nodes" in API group "" at the cluster scope: RBAC: clusterrole.rbac.authorization.k8s.io "psp:vmware-system-privileged" not found"
2. The same kubectl command succeeds when run with the local SSO administrator account.
3. Assigning the vCenter "Administrator" role to the user, including as a Global Permission, does not resolve the error.

Environment

vSphere with Tanzu
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

Developers and other non-administrator domain users are granted Supervisor access only through namespace-scoped RoleBindings, which are created from the permissions assigned on individual vSphere Namespaces; they receive no ClusterRoleBindings. Nodes are a cluster-scoped resource, so a RoleBinding in a namespace can never authorize listing them. vCenter roles and Global Permissions are not mapped to Supervisor cluster RBAC, which is why granting the "Administrator" role makes no difference. Only members of the SSO group "Administrators" are bound at the cluster level and can therefore see cluster-scoped resources such as nodes. The "RBAC: clusterrole.rbac.authorization.k8s.io "psp:vmware-system-privileged" not found" suffix is the Kubernetes RBAC authorizer reporting that a binding applying to the user references a ClusterRole that does not exist; such a binding contributes no permissions, so it does not change the outcome of the request.
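The following is an added example, not code from VMware or from Kubernetes, that models the RBAC decision described above: cluster-scoped requests are evaluated against ClusterRoleBindings only, namespaced requests also against the RoleBindings of that namespace, and a binding whose referenced role cannot be found contributes nothing but is reported in the forbidden reason. The user, group, namespace and role names, and the stale binding used to reproduce the "not found" suffix, are constructed for illustration; only the ClusterRole name "psp:vmware-system-privileged" is taken from the error message in this article.

```python
"""Toy model of the Kubernetes RBAC authorizer decision behind the error above.

Added example; not VMware's or Kubernetes' code. All names below are
constructed except the ClusterRole name quoted in the article's error message.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    kind: str          # "ClusterRole" or "Role"
    name: str
    namespace: str     # "" for a ClusterRole
    rules: frozenset   # set of (verb, resource) pairs; "*" matches anything


@dataclass(frozen=True)
class Binding:
    kind: str          # "ClusterRoleBinding" or "RoleBinding"
    namespace: str     # "" for a ClusterRoleBinding
    subjects: frozenset  # user names and group names the binding applies to
    role_ref_kind: str   # "ClusterRole" or "Role"
    role_ref_name: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _find_role(roles, kind, name, namespace):
    for r in roles:
        if r.kind == kind and r.name == name and r.namespace == namespace:
            return r
    return None


def _rule_matches(rules, verb, resource):
    return any(v in ("*", verb) and res in ("*", resource) for v, res in rules)


def authorize(user, groups, verb, resource, namespace, roles, bindings):
    """namespace == "" means a cluster-scoped request (e.g. list nodes)."""
    subjects = {user, *groups}
    unresolved = []
    for b in bindings:
        # RoleBindings never apply to cluster-scoped requests, and only apply
        # inside their own namespace for namespaced requests.
        if b.kind == "RoleBinding" and (namespace == "" or b.namespace != namespace):
            continue
        if not (b.subjects & subjects):
            continue
        # A RoleBinding may reference a Role in its namespace or a ClusterRole.
        role_ns = "" if b.role_ref_kind == "ClusterRole" else b.namespace
        role = _find_role(roles, b.role_ref_kind, b.role_ref_name, role_ns)
        if role is None:
            # Like the real authorizer: record the dangling reference, grant nothing.
            unresolved.append(
                f'{b.role_ref_kind.lower()}.rbac.authorization.k8s.io "{b.role_ref_name}" not found')
            continue
        if _rule_matches(role.rules, verb, resource):
            return Decision(True, "")
    scope = "at the cluster scope" if namespace == "" else f'in the namespace "{namespace}"'
    reason = f'{resource} is forbidden: User "{user}" cannot {verb} resource "{resource}" in API group "" {scope}'
    if unresolved:
        reason += ": RBAC: " + ", ".join(unresolved)
    return Decision(False, reason)


# Constructed cluster state. Note that no role named "psp:vmware-system-privileged" exists.
ROLES = [
    Role("ClusterRole", "cluster-admin", "", frozenset({("*", "*")})),
    Role("ClusterRole", "edit", "", frozenset({("list", "pods"), ("create", "pods"), ("list", "services")})),
]
BINDINGS = [
    # Only the Administrators group is bound cluster-wide.
    Binding("ClusterRoleBinding", "", frozenset({"Administrators"}), "ClusterRole", "cluster-admin"),
    # A developer gets edit rights inside one namespace only.
    Binding("RoleBinding", "dev-ns", frozenset({"sso:dev1@example.com"}), "ClusterRole", "edit"),
    # Constructed stale binding whose ClusterRole is missing; reproduces the "not found" suffix.
    Binding("ClusterRoleBinding", "", frozenset({"system:authenticated"}), "ClusterRole", "psp:vmware-system-privileged"),
]
DEV = "sso:dev1@example.com"


def developer_in_namespace():
    return authorize(DEV, ["system:authenticated"], "list", "pods", "dev-ns", ROLES, BINDINGS)


def developer_cluster_scope():
    return authorize(DEV, ["system:authenticated"], "list", "nodes", "", ROLES, BINDINGS)


def developer_after_group_add():
    # Same user after being added to the Administrators group.
    return authorize(DEV, ["system:authenticated", "Administrators"], "list", "nodes", "", ROLES, BINDINGS)


if __name__ == "__main__":
    for label, d in [("pods in dev-ns", developer_in_namespace()),
                     ("nodes, cluster scope", developer_cluster_scope()),
                     ("nodes after group add", developer_after_group_add())]:
        print(f"{label}: {'allowed' if d.allowed else 'forbidden'} {d.reason}")
```

The namespaced request succeeds through the RoleBinding, the cluster-scoped request fails with a reason of the same shape as the article's error, and adding the Administrators group to the user's identity is the only change that makes the node listing succeed, which matches the resolution below.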

Resolution

If there is a genuine requirement for a domain user to list the Supervisor cluster nodes via kubectl from the local jump box, add that user to the SSO group "Administrators". Because group membership is carried in the token issued at login, the user must log out and log in again with kubectl vsphere login for the change to take effect; afterwards, kubectl auth can-i list nodes should return yes. Note that membership in the SSO "Administrators" group grants full administrative rights in vCenter and cluster-admin level access on the Supervisor, not only the ability to list nodes, so it should be reserved for users who require that level of privilege.