VMware Modern Apps Community
CrossBound
Contributor

vSphere with Tanzu - TKGs Cluster - Granted Developer Access but Still Unable to Login

I have a couple of TKGs clusters set up with vSphere with Tanzu. Everything seems to be working with the cluster. I am using our Active Directory SSO integration to sign in. I have an administrative user and I'm able to log in to the cluster just fine and use the kubectl CLI to interact with it. Within the namespace in vSphere, I have granted my non-admin user "edit" access to the TKGs clusters so I don't have to use my admin user to interact with the TKGs clusters via kubectl. When trying to sign in with my regular user, however, it gives me the following error during the sign-in process with the kubectl vsphere login command.

FATA[0012] Failed to get available workloads, response from the server was invalid.

As I mentioned before, it is working fine for my admin user, so I know the SSO integration is working fine. Are there any additional rights within vSphere that I have to grant my regular user to allow it to log in with kubectl?

I also provisioned a new vSphere local user within the vsphere.local domain, and that user is able to log in as well. I'm not sure why my non-admin Active Directory user is failing.

5 Replies
DCasota
Expert

And the docs (1, 2, 3) didn't help?

CrossBound
Contributor

That is correct, these articles do not help my situation. In the 3rd article (William Lam's) this user would fall under persona=developer option 1 (doesn't need access to vSphere, only TKG). I've ensured that I've created the appropriate cluster role binding but it still gives me the error when attempting to sign in.

ldclancy2
Contributor

Did you have any more joy on this topic @CrossBound ?

I've struck a similar issue - none of us can log in with 'kubectl vsphere login' ("Failed to get available workloads, response from the server was invalid").

I upgraded vCenter this week from 8.0.0.10100 to 8.0.0.10200 and wonder if that has been the cause?

The Supervisor cluster is version v1.23.5+vmware.wcp.2-vsc0.1.0-20413629.

Cheers, Liam.

CrossBound
Contributor

Unfortunately, no. We have not found a solution to this problem.

ldclancy2
Contributor

My issue sounds a bit different to yours in the end (and has now been solved)...

Summary:

--> kubectl vsphere login started failing after vCenter upgrade to 8.0b.

--> Due to a change introduced, wcpsvc contains updated code, delivering only leaf certificates to authproxy for validating SAML tokens, but the wcp-agent in use did not contain the updated code to know how to validate SAML tokens using only leaf certificates.

--> Resolved by upgrading the Supervisor version (to v1.24.9+vmware.1-vsc0.1.1-21171457)

Good luck, Liam.
