VMware Cloud Community
abuzzi
Enthusiast

Error in Tanzu Kubernetes in vSphere: Error from server (Forbidden)

Hello,

We have a couple of clusters stuck in removing/configuring... (see attached picture)

We connected to the supervisor cluster and noticed they still hold some svc with a pending External IP request.

Unfortunately, the Administrator@vsphere.local privilege does not seem to be enough to clear the situation.

We even tried to revert them to ClusterIP, but once again we are not allowed to perform such an operation:

Any idea how to fix the issue?

(k8s: telco-01) /home/toolbox# kubectl config use-context 10.58.252.66
Switched to context "10.58.252.66".
(k8s: 10.58.252.66) /home/toolbox# kubectl get pod -n new5g
No resources found in new5g namespace.
(k8s: 10.58.252.66) /home/toolbox# kubectl get svc -n new5g
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
telco-01-53ccb49b2887b999d84dd LoadBalancer 10.96.1.164 <pending> 80:31510/TCP,443:31304/TCP,4443:31546/TCP 35d
telco-01-a0a9e4757486e6ee8c96e LoadBalancer 10.96.2.127 <pending> 8008:31887/TCP,8080:32706/TCP,2024:31472/TCP,2022:32658/TCP,7681:30069/TCP 7d5h
telco-01-c43d37de7c67c5268efe2 LoadBalancer 10.96.2.243 <pending> 80:30474/TCP 42d
telco-01-edf52655c48028c544b00 LoadBalancer 10.96.0.44 <pending> 80:30182/TCP,443:32639/TCP,4443:31481/TCP 35d
(k8s: 10.58.252.66) /home/toolbox#
(k8s: 10.58.252.66) /home/toolbox#
(k8s: 10.58.252.66) /home/toolbox# kubectl delete svc telco-01-53ccb49b2887b999d84dd -n new5g
Error from server (Forbidden): services "telco-01-53ccb49b2887b999d84dd" is forbidden: User "sso:Administrator@vsphere.local" cannot delete resource "services" in API group "" in the namespace "new5g"
(k8s: 10.58.252.66) /home/toolbox#
(k8s: 10.58.252.66) /home/toolbox# kubectl edit svc telco-01-53ccb49b2887b999d84dd -n new5g
[...]
spec:
type: ClusterIP
[...]
~
"/tmp/kubectl-edit-hwocq.yaml" 61L, 1799C written
error: services "telco-01-53ccb49b2887b999d84dd" could not be patched: services "telco-01-53ccb49b2887b999d84dd" is forbidden: User "sso:Administrator@vsphere.local" cannot patch resource "services" in API group "" in the namespace "new5g"
You can run `kubectl replace -f /tmp/kubectl-edit-hwocq.yaml` to try this update again.
(k8s: 10.58.252.66) /home/toolbox#
(k8s: 10.58.252.66) /home/toolbox#

abuzzi
Enthusiast

Hello,

I tried to add a new user and assign one of these roles:

  • Workload Storage Manager
  • vSphere Kubernetes Manager
  • SupervisorService Cluster Operator
  • SupervisorService RootFolder Operator
  • SupervisorService Operator

but still deleting the stuck services fails due to:

$ kubectl delete svc telco-01-8affa160e6f2114e7223a -n xxx
Error from server (Forbidden): services "telco-01-8affa160e6f2114e7223a" is forbidden: User "sso:newuser@vsphere.local" cannot delete resource "services" in API group "" in the namespace "xxx"
$

Any idea / suggestion?
