Custom VKS RBAC for Administrators Group to Restart System Pods
Article ID: 436535

Products

VMware vSphere Kubernetes Service

Issue/Introduction

This knowledge base article provides YAMLs that can be applied in a Supervisor cluster to grant users in the Administrators Group permission only to restart deployments, daemonsets, statefulsets and jobs. It also grants permission to delete pods, because pods are automatically recreated by their owning Kubernetes object.

When interacting with Kubernetes objects in system namespaces, members of the Administrators Group will encounter an error message similar to the following:

error: failed to patch: deployments.apps "<deployment>" is forbidden: User "sso:[email protected]" cannot patch resource "deployments" in API group "apps" in the namespace "kube-system"

Environment

vSphere Kubernetes Service (VKS)

Cause

By default in the VKS product, members of the Administrators group do not have permission to perform actions on Supervisor cluster system namespaces such as kube-system.

This is to prevent mismanagement of system objects that can be destructive and potentially unrecoverable, requiring a full Supervisor cluster re-deployment.

SSO permissions can be assigned at the namespace level in the vSphere web client, but system namespaces are not listed there, so granting access to them requires additional steps: custom Kubernetes RBAC objects (Role and RoleBinding) must be created in each system namespace.
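The following is an added illustration of the namespace-scoped RBAC objects this article describes; it is not the article's own YAML. It assumes kube-system as the target namespace and uses the placeholder group subject "sso:Administrators@vsphere.local", which must be replaced with the group name as your Supervisor presents it (the user prefix in the error above is "sso:").

```yaml
# Illustrative Role and RoleBinding (added example, not the KB's own YAML).
# Scope is limited to the verbs needed to restart workloads: read and patch
# the controllers, and delete pods so the controller recreates them.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: system-workload-restarter
  namespace: kube-system          # one Role per system namespace
rules:
  # `kubectl rollout restart` reads the object, then patches its pod template.
  # No create/delete on the controllers themselves is granted.
  - apiGroups: ["apps"]
    resources: ["deployments", "daemonsets", "statefulsets"]
    verbs: ["get", "list", "patch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "patch"]
  # Pod deletion is permitted only because owned pods are recreated by
  # their controller; unowned pods in the namespace would not come back.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: administrators-system-workload-restarter
  namespace: kube-system
subjects:
  - kind: Group
    name: "sso:Administrators@vsphere.local"   # placeholder group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: system-workload-restarter
  apiGroup: rbac.authorization.k8s.io
```

After applying, confirm the grant is no wider than intended with `kubectl auth can-i patch deployments.apps -n kube-system --as=<user> --as-group=<group>` and check that `kubectl auth can-i delete deployments.apps -n kube-system --as=<user> --as-group=<group>` still reports no.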

Resolution

Reach out to VMware by Broadcom Technical Support for help in creating custom Kubernetes RBAC for your Supervisor cluster.