VMware Cloud Community
LuisjaEve
Contributor

Error in Tanzu Kubernetes in vSphere: Error from server (Forbidden)

Hi all,

After successfully configuring Workload Management in vSphere 7, when I connect to the server via CLI, using the administrator user, I am getting an error trying to get some info from the cluster:

I logged in successfully, but then when executing the "get clusterroles" or "get rolebindings" commands, I get this error:

Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "sso:Administrator@vsphere.local" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" in the cluster scope

Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "sso:Administrator@vsphere.local" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "default"

In vCenter I cannot edit permissions on the "Namespace" resource pool.

Also logged in as administrator.

Is that normal?

I deployed Workload Management with NSX-T.

vSphere 7.0.1

NSX-T 3.1

Thanks in advance.

Regards,

1 Solution

Accepted Solutions
pkvmw
VMware Employee

Hi @LuisjaEve ,

yes, that's normal. The SupervisorCluster/WCP (basically where you deploy vSphere Pods) has some restrictions and doesn't allow changing everything as you could do in "normal" Kubernetes clusters, and this is intended.

The SupervisorCluster is used to deploy a so-called TKC (Tanzu Kubernetes Cluster), also known as a "Guest Cluster", where you have a fully Kubernetes-compatible cluster. In this TKC you can do whatever you want, including changing clusterroles or rolebindings as you wish. Creating TKCs is also best practice. You can find more information on how to deploy TKCs here: https://docs.vmware.com/en/VMware-vSphere/7.0/vmware-vsphere-with-tanzu/GUID-B1034373-8C38-4FE2-9517...

Hope this helps!

Regards,
Patrik

@vcitrainer Based on your very limited log excerpt https://communities.vmware.com/t5/VMware-vSphere-Discussions/vSphere-With-Tanzu/m-p/2860677/emcs_t/S... you have a different issue.
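
To compare what the logged-in user may do in the Supervisor Cluster context and in a TKC context, the denial message can be turned into the matching `kubectl auth can-i` check. This is an added example, not part of the original posts or VMware's code; the helper names `field` and `forbidden_to_can_i` are hypothetical, and the handling of subresources such as "pods/exec" goes beyond the two errors quoted in the question.

```shell
#!/bin/sh
# Added example, not from the thread. forbidden_to_can_i is a hypothetical
# helper: it converts an RBAC denial into the `kubectl auth can-i` command
# that re-tests the same request in the current kubectl context.

# Sample input: the two error lines quoted in the question.
ERR_CLUSTER='Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "sso:Administrator@vsphere.local" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" in the cluster scope'
ERR_NS='Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "sso:Administrator@vsphere.local" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "default"'

# field LINE PATTERN: print PATTERN's first capture group, or nothing.
field() {
  printf '%s\n' "$1" | sed -n "s/$2/\\1/p"
}

# forbidden_to_can_i LINE: print the can-i command, or return 1 if LINE
# is not an RBAC denial in the expected format.
forbidden_to_can_i() {
  case $1 in
    *'is forbidden: User "'*'" cannot '*' resource "'*) ;;
    *) return 1 ;;
  esac
  verb=$(field "$1" '.*" cannot \([a-z]*\) resource ".*')
  res=$(field "$1" '.* resource "\([^"]*\)".*')
  group=$(field "$1" '.* in API group "\([^"]*\)".*')
  ns=$(field "$1" '.* in the namespace "\([^"]*\)".*')   # empty for cluster scope
  [ -n "$verb" ] || return 1
  sub=
  case $res in
    */*) sub=${res#*/}; res=${res%%/*} ;;   # "pods/exec" -> pods + exec
  esac
  # Core-group resources report an empty API group: keep the bare name.
  [ -n "$group" ] && res="$res.$group"
  cmd="kubectl auth can-i $verb $res"
  [ -n "$sub" ] && cmd="$cmd --subresource=$sub"
  [ -n "$ns" ] && cmd="$cmd -n $ns"
  printf '%s\n' "$cmd"
}

forbidden_to_can_i "$ERR_CLUSTER"
forbidden_to_can_i "$ERR_NS"
```

Run the printed command once while logged in to the Supervisor Cluster and once after switching to the TKC context to see where the request is allowed.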

4 Replies
vcitrainer
Contributor

Hi;

I have the same problem. Is there any solution?

Thank You

LuisjaEve
Contributor

Hi pkvmw,

Thanks a lot for your response.

That is what I did (deploy a TKC) while waiting for confirmation. 

🙂

Regards

vcitrainer
Contributor

Thank you for responding. I installed a guest cluster in the vSphere with Tanzu environment and the problem was solved.