Cannot Edit Cluster in VKS - denied the request - User sso cannot change resources owned by TanzuKubernetesCluster

Article ID: 425541

Products

VMware vSphere Kubernetes Service

Issue/Introduction

Making a change to a vSphere Kubernetes Service (VKS) cluster by editing the Cluster resource returns the following error message:

kubectl edit cluster -n <namespace> <VKS_cluster_name>

error: clusters.cluster.x-k8s.io "<VKS_cluster_name>" could not be patched: admission webhook "capi.validating.tanzukubernetescluster.run.tanzu.vmware.com" denied the request: User sso:<SSO_user_account> cannot change resources owned by TanzuKubernetesCluster

Values enclosed in angle brackets <> will vary by environment.

Environment

vSphere Supervisor

VKS Cluster with a Tanzu Kubernetes Cluster (TKC)

Cause

This is expected behavior. The admission webhook denies changes to a Cluster resource when an associated Tanzu Kubernetes Cluster (TKC) resource exists for the same vSphere Kubernetes Service (VKS) cluster.

When a TKC resource exists for the same VKS cluster, changes should only be made to the TKC. These changes will propagate to the Cluster resource.

Resolution

There are two options, depending on which resource the change applies to.

For changes on both the TKC and Cluster resource: Edit the TKC

This option is recommended for changes that are available on the TKC resource, such as VKR version, vmclass or certificates. Changes made on the TKC then propagate to the Cluster resource. Note: The TKC resource is deprecated in VKS 3.2.0 and higher.

kubectl edit tkc -n <namespace> <VKS_cluster_name>

For changes only on the Cluster resource: Retire the TKC

Choose this option for changes that are only available on the Cluster resource, such as the skip-auto-cc-rebase annotation for upgrading ClusterClass.

You will need to retire the TKC first in order to make changes to the Cluster resource.

VKS 3.3.3 improves the streamlined TKC retirement process with fixes for known issues during TKC retirement.

See the following VMware blog post for more details:

Embracing Open Standards: Transition vSphere Kubernetes Cluster to native Cluster API
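
A pre-check for choosing between the two options above, as an added example that is not part of the original article. The helper name vks_edit_target is hypothetical, and it assumes the TKC shares its namespace and name with the Cluster, as the article's two kubectl commands imply.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): decide which resource to edit
# for a VKS cluster, based on whether a TKC with the same name exists.
# Assumption: the TKC and the Cluster share namespace and name.

# vks_edit_target NAMESPACE CLUSTER_NAME
#   prints "tkc"     -> a TKC exists; edit the TKC (Cluster edits are denied)
#   prints "cluster" -> no TKC found; this denial does not apply to Cluster edits
#   returns 2        -> lookup failed for another reason (RBAC, connectivity)
#   returns 64       -> missing arguments
vks_edit_target() {
  local ns="$1" name="$2" err
  if [ -z "$ns" ] || [ -z "$name" ]; then
    echo "usage: vks_edit_target <namespace> <VKS_cluster_name>" >&2
    return 64
  fi
  # Capture stderr only: stdout is discarded, the error text is inspected.
  if err=$(kubectl get tkc -n "$ns" "$name" -o name 2>&1 >/dev/null); then
    echo "tkc"
    return 0
  fi
  case "$err" in
    # A NotFound answer means the API was reachable and no TKC exists.
    *NotFound*) echo "cluster"; return 0 ;;
    # Anything else is inconclusive; do not guess which resource to edit.
    *) echo "TKC lookup failed: $err" >&2; return 2 ;;
  esac
}
```

Source the file in a shell logged in to the Supervisor, then run vks_edit_target <namespace> <VKS_cluster_name> before choosing which resource to edit.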
