Hi all,
After successfully configuring Workload Management in vSphere 7, when I connect to the server via CLI, using the administrator user, I am getting an error trying to get some info from the cluster:
I logged in successfully, but then when executing the "get clusterroles" or "get rolebindings" commands, I get this error:
Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: User "sso:Administrator@vsphere.local" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" in the cluster scope
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: User "sso:Administrator@vsphere.local" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "default"
In vCenter I cannot edit permissions on the "Namespace" resource pool.
I was also logged in as administrator.
Is that normal?
I deployed Workload Management with NSX-T.
vSphere 7.0.1
NSX-T 3.1
Thanks in advance.
Regards,
Hi @LuisjaEve ,
yes, that's normal. The SupervisorCluster/WCP (basically where you deploy vSphere Pods) has some restrictions and doesn't allow changing everything as you could do in "normal" Kubernetes clusters, and this is intended.
The SupervisorCluster is used to deploy a so-called TKC (Tanzu Kubernetes Cluster), also known as a "Guest Cluster", where you have a fully Kubernetes-compatible cluster. In this TKC you can do whatever you want to, including changing clusterroles or rolebindings as you wish. Creating TKCs is also best practice. You can find more information on how to deploy TKCs here: https://docs.vmware.com/en/VMware-vSphere/7.0/vmware-vsphere-with-tanzu/GUID-B1034373-8C38-4FE2-9517...
Hope this helps!
Regards,
Patrik
@vcitrainer Based on your very limited log excerpt https://communities.vmware.com/t5/VMware-vSphere-Discussions/vSphere-With-Tanzu/m-p/2860677/emcs_t/S... you have a different issue.
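As an added illustration (not part of any post in this thread): a small Python parser for the two "Forbidden" messages quoted in the question, which extracts who was denied what and prints the matching `kubectl auth can-i` check to run against the Supervisor Cluster or a TKC. The names `Denial`, `parse_forbidden` and `can_i_command` are hypothetical, and the message shape is assumed from the two lines quoted above.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Message shape assumed from the two errors quoted in the question.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| (?:in|at) the cluster scope)'
)

@dataclass
class Denial:
    user: str
    verb: str
    resource: str
    group: str
    namespace: Optional[str]  # None means the denial was at cluster scope

def parse_forbidden(line: str) -> Optional[Denial]:
    """Return the denied (user, verb, resource, group, namespace), or None."""
    m = FORBIDDEN.search(line)
    return Denial(**m.groupdict()) if m else None

def can_i_command(d: Denial) -> str:
    """Build the kubectl check that asks the API server the same question."""
    target = f"{d.resource}.{d.group}" if d.group else d.resource
    argv = ["kubectl", "auth", "can-i", d.verb, target]
    if d.namespace:
        argv += ["-n", d.namespace]
    return shlex.join(argv)

# The two error lines from the question, copied as posted.
SAMPLE = [
    'Error from server (Forbidden): clusterroles.rbac.authorization.k8s.io is forbidden: '
    'User "sso:Administrator@vsphere.local" cannot list resource "clusterroles" '
    'in API group "rbac.authorization.k8s.io" in the cluster scope',
    'Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io is forbidden: '
    'User "sso:Administrator@vsphere.local" cannot list resource "rolebindings" '
    'in API group "rbac.authorization.k8s.io" in the namespace "default"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        denial = parse_forbidden(line)
        scope = denial.namespace or "<cluster scope>"
        print(f"{denial.user} denied {denial.verb} {denial.resource} in {scope}")
        print("  check:", can_i_command(denial))
```

Running the printed commands in both the Supervisor Cluster context and a TKC context shows where the restriction described in the answer applies.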
Hi;
I have the same problem. Is there any solution?
Thank You
Hi pkvmw,
Thanks a lot for your response.
That is what I did (deploy a TKC) while waiting for confirmation.
🙂
Regards
Thank you for responding. I installed a guest cluster in the vSphere with Tanzu environment and the problem was solved.