"Forbidden cannot get resource "pods" in API group in the namespace" Unable to list pods or namespace with Supervisor Administrator Role on the Supervisor Folder

Article ID: 436055

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

After creating a new VCF context, a user holding the Supervisor Administrator role on the Supervisor folder is unable to list pods and receives the following error:

kubectl get pods -A

Error from server (Forbidden) : pods " A" is forbidden: User "sso: [email protected]" cannot get resource "pods" in API group "" in the namespace "<namespace>"

Error from server (Forbidden) : pods is forbidden: User "sso: user@example" cannot list resource "pods" in API group "" at the cluster scope

Environment

Supervisor 9.x

Cause

When the Supervisor Administrator role is assigned on the Supervisor folder, the context that is created grants access only to cluster-level resources in the Supervisor, not to vSphere Namespaces. That is, the user cannot list or view vSphere Namespaces or the resources inside them. To view a vSphere Namespace when logging in through the VCF CLI, the user must hold the Namespace Owner, Edit, or View role on that specific vSphere Namespace.
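The two Forbidden messages in the Issue section differ in one important detail: one is denied in a named namespace, the other at the cluster scope, and the fix described in this article (a Namespace Owner/Edit/View role) only addresses the former. The following is an added triage helper, not code from the article or from VMware, that parses kube-apiserver Forbidden messages into their user, verb, resource, API group and scope, and maps each to the remedy this article describes. The sample error lines are constructed for the example (the user `sso:user@example` and namespace `demo-ns` are placeholders), and the regular expression assumes the standard `User "…" cannot <verb> resource "…" in API group "…" …` wording shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pattern for the two Forbidden shapes kube-apiserver emits (both appear in the article):
#   ... cannot get resource "pods" in API group "" in the namespace "<ns>"
#   ... cannot list resource "pods" in API group "" at the cluster scope
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

# Constructed sample output (placeholder user and namespace), not real captured output.
SAMPLE_ERRORS = [
    'Error from server (Forbidden): pods is forbidden: User "sso:user@example" '
    'cannot get resource "pods" in API group "" in the namespace "demo-ns"',
    'Error from server (Forbidden): pods is forbidden: User "sso:user@example" '
    'cannot list resource "pods" in API group "" at the cluster scope',
]


@dataclass
class ForbiddenError:
    user: str
    verb: str
    resource: str
    api_group: str            # "core" when the message shows the empty group ""
    namespace: Optional[str]  # None means the request was denied at the cluster scope

    @property
    def cluster_scoped(self) -> bool:
        return self.namespace is None


def parse_forbidden(line: str) -> Optional[ForbiddenError]:
    """Return the structured error, or None if the line is not a Forbidden message."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    return ForbiddenError(
        user=m["user"],
        verb=m["verb"],
        resource=m["resource"],
        api_group=m["group"] or "core",
        namespace=m["namespace"],
    )


def recommend(err: ForbiddenError) -> str:
    """Map a parsed error to the remedy this article describes."""
    if err.cluster_scoped:
        # A vSphere Namespace role is namespace-scoped; it never satisfies a cluster-wide
        # list (which is what `kubectl get <resource> -A` issues).
        return (
            f"'{err.verb} {err.resource}' at the cluster scope is not granted by a vSphere "
            f"Namespace role; run the query per Namespace with -n <namespace> instead."
        )
    return (
        f"Grant {err.user} the Namespace Owner, Edit, or View role on vSphere Namespace "
        f"'{err.namespace}' (vSphere Client > Supervisor Management > Namespace > Permissions)."
    )


def triage(lines: List[str]) -> List[Tuple[ForbiddenError, str]]:
    """Parse every Forbidden line in `lines` and pair it with a recommendation."""
    results = []
    for line in lines:
        err = parse_forbidden(line)
        if err is not None:
            results.append((err, recommend(err)))
    return results


if __name__ == "__main__":
    for err, advice in triage(SAMPLE_ERRORS):
        scope = "cluster scope" if err.cluster_scoped else f"namespace {err.namespace}"
        print(f"{err.user}: {err.verb} {err.resource} ({err.api_group}) denied at {scope}")
        print(f"  -> {advice}")
```

After the role has been assigned, the namespaced case can be confirmed from the same context with `kubectl auth can-i get pods -n <namespace>`, which should answer `yes`; `kubectl auth can-i list pods --all-namespaces` will still answer `no`, because a Namespace role does not grant a cluster-wide list.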

Resolution

Assign the Namespace Owner, Edit, or View role on the vSphere Namespace so that the user can access the resources (such as pods) within that Namespace.

Method 1:

  1. Log into the VC using vSphere Client as [email protected].
  2. Go to Supervisor Management > select the Namespace for the Guest Cluster > Permission tab.
  3. Add the LDAP User and assign Namespace Owner, Edit or View role as required.

Method 2:

  1. Log into the VC using vSphere Client as [email protected].
  2. Go to VMs and Templates > Namespaces > Supervisor.
  3. Select the specific Namespace for the guest cluster.
  4. Under the Permissions tab, add the LDAP user.
  5. Assign the Namespace Owner, Edit, or View role as required.

Workaround:

  • If a single LDAP user needs to manage both the Supervisor and the applications/pods within the Namespace, follow these steps:

    • At the Supervisor Folder: Add the user with the Supervisor Administrator role, but uncheck "Propagate to children."

    • At the Namespace Folder: Add the user with the Namespace Owner/Edit role and check "Propagate to children."

Additional Information

How Permissions Work in Supervisor

  • vSphere/VI Administrators who are members of the "Administrators" SSO group automatically get the Supervisor Administrator role on Supervisor folders.
  • Kubernetes Administrators who manage the Supervisor, Supervisor Services, and related resources on the Supervisor should be assigned the Supervisor Administrator role.
  • Developers who create pods or deploy applications must be given the "Namespace Owner" role, which also carries the ability to delete the namespace. If a developer does not need delete-namespace privileges, assign the Namespace Edit role instead.
  • The monitoring team should be assigned the Namespace View role.
  • With Velero deployed as a Supervisor Service, backup users must be members of the vSphere Administrator role, or have the following vSphere privileges:
    • SupervisorServices.Manage
    • Namespaces.Manage
    • Namespaces.Configure
    • Alternatively, the Supervisor Administrator role, which already includes the privileges above.
    • In addition, the backup user must have the Edit permission on the Velero Namespace.
    • For more details, refer to: Install and Configure the Velero Plugin for vSphere on a Supervisor