Setting up Role-Based Access Control (RBAC) policies for user access in a VKS Supervisor Cluster environment

Article ID: 419236

Products

VMware vSphere Kubernetes Service

Issue/Introduction

Symptoms

  • Users unable to authenticate via kubectl vsphere login.
  • "Unauthorized" errors when accessing Supervisor Namespace resources.
  • Missing "Workload Management" permissions in vSphere Client.

Cause

Supervisor Cluster access requires a mapping between vSphere Single Sign-On (SSO) identities and Kubernetes Role-Based Access Control (RBAC). Without explicit permission assignment at the Namespace level, the Supervisor API server rejects the JWT issued by the identity provider.

Resolution

To add a user to a Supervisor namespace, follow these steps:

  • Log in to the vSphere Client as a vSphere Administrator.
  • Navigate to Workload Management from the main menu.
  • Select the Namespaces tab and click on the specific namespace you want to configure.
  • On the namespace's Summary tab, locate the Permissions card.
  • Click Add Permission.
  • In the Add Permission dialog:
    • Select the appropriate Identity Source.
    • Search for the User/Group.
    • Select the Role (e.g., Can Edit, Can View, or Owner).


                   

  • Execution (CLI): Direct the user to authenticate via the vSphere Plugin for kubectl:
    kubectl vsphere login --server=IP-OR-FQDN --vsphere-username USER@DOMAIN

  • Verification: Run kubectl get pods -A to confirm namespace resource visibility.
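
A follow-up to the verification step, added here as an example (it is not part of the original article or of VMware's tooling): it uses kubectl auth can-i to confirm that the access a namespace actually grants matches the role chosen in the Permissions card. The function names and the none/view/edit classification are hypothetical, and the script assumes Can View is read-only while Can Edit and Owner allow writes.

```shell
#!/bin/sh
# Added example: classify what the logged-in user may do in one Supervisor
# namespace. Assumes "kubectl vsphere login" has already succeeded and the
# current kubectl context points at the Supervisor.
# All function names below are hypothetical.

# can_i VERB RESOURCE NAMESPACE -> exit 0 only when the API server answers "yes"
can_i() {
    [ "$(kubectl auth can-i "$1" "$2" --namespace "$3" 2>/dev/null)" = "yes" ]
}

# effective_level NAMESPACE -> prints none | view | edit
effective_level() {
    ns=$1
    if ! can_i get pods "$ns"; then
        echo none            # no usable permission in this namespace
    elif can_i create pods "$ns" || can_i delete pods "$ns"; then
        echo edit            # write access (assumed: Can Edit or Owner)
    else
        echo view            # read-only (assumed: Can View)
    fi
}

# verify_role NAMESPACE EXPECTED -> exit 0 when the observed level is the expected one
verify_role() {
    observed=$(effective_level "$1")
    if [ "$observed" = "$2" ]; then
        echo "OK: $1 grants '$observed'"
    else
        echo "MISMATCH: $1 grants '$observed', expected '$2'" >&2
        return 1
    fi
}

# Runs only when called with two arguments, e.g.:
#   sh check-ns-access.sh NAMESPACE view
if [ "$#" -eq 2 ]; then
    verify_role "$1" "$2"
fi
```

A MISMATCH result for a user who was meant to have Can View points to a broader grant than intended, for example through group membership, and is worth reviewing on the namespace's Permissions card.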

Additional Information