Error: "Error from server (Forbidden)" when running kubectl commands on TKGI cluster as LDAP user
Article ID: 429197

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

  • When attempting to run kubectl commands on a TKGI cluster as an LDAP user, you see errors like: 

    Error from server (Forbidden): pods is forbidden: User "oidc:testuser" cannot list resource "pods" in API group "" in the namespace "default"

  • Your TKGI admin has created a ClusterRole and ClusterRoleBinding for the LDAP group you are associated with.
  • You have successfully gathered the kubeconfig by running the tkgi get-kubeconfig command.

Environment

TKGI environments; this may happen on any version.

Cause

This error is reported when the ClusterRoleBinding that binds the LDAP user group to the ClusterRole references the group name without the oidc: prefix. TKGI presents LDAP groups to the Kubernetes API server through OIDC, so the group name in the binding must start with oidc:. For example, for a group named tkgiAdmins:

Incorrect:

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: tkgiAdmins

Correct:

subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:tkgiAdmins

Resolution

Ensure the ClusterRoleBinding for the LDAP group references oidc:groupname, for example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ldap-admin-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ldap-admin-clusterrole
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: oidc:tkgiAdmins
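To find this misconfiguration across an existing cluster, the following added script (not part of this article or of TKGI) audits the JSON printed by kubectl get clusterrolebindings -o json for Group subjects whose name lacks the oidc: prefix shown above; the binding data embedded in it is a constructed sample so it runs offline.

```python
"""Audit ClusterRoleBindings for Group subjects missing the OIDC prefix.

Input is the JSON that `kubectl get clusterrolebindings -o json` prints
(piped on stdin); when run without input, a constructed sample is used.
"""
import json
import sys

# Prefix TKGI puts in front of LDAP group names, as shown in this article.
# Assumption: the cluster uses this default prefix.
OIDC_GROUP_PREFIX = "oidc:"


def find_unprefixed_groups(bindings_json: str) -> list[tuple[str, str]]:
    """Return (binding name, group name) for every Group subject whose
    name does not start with OIDC_GROUP_PREFIX."""
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        binding = item["metadata"]["name"]
        # `subjects` may be absent or null on a binding with no subjects.
        for subj in item.get("subjects") or []:
            if subj.get("kind") != "Group":
                continue
            name = subj.get("name", "")
            # Built-in groups (system:masters, system:authenticated, ...)
            # are not LDAP groups and are expected to lack the prefix.
            if name.startswith("system:"):
                continue
            if not name.startswith(OIDC_GROUP_PREFIX):
                findings.append((binding, name))
    return findings


# Constructed sample: the article's "Incorrect" binding, a correct one,
# and a built-in binding that must not be reported.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "ldap-admin-clusterrolebinding"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                   "kind": "Group", "name": "tkgiAdmins"}]},
    {"metadata": {"name": "ldap-dev-clusterrolebinding"},
     "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                   "kind": "Group", "name": "oidc:tkgiDevs"}]},
    {"metadata": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
]})

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for binding, group in find_unprefixed_groups(data):
        print(f"{binding}: Group subject '{group}' lacks '{OIDC_GROUP_PREFIX}'")
```

Run it against a real cluster with kubectl get clusterrolebindings -o json | python3 audit.py; after correcting a binding, kubectl auth can-i list pods --as=oidc:testuser --as-group=oidc:tkgiAdmins should answer yes.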