sakthisunda
commented
2 years ago https://github.com/vmware/container-service-extension/pull/1360 covers this on master. Closing this.
Closed sakthisunda closed 2 years ago
sakthisunda
commented
2 years ago https://github.com/vmware/container-service-extension/pull/1360 covers this on master. Closing this.
Fix for
Error:Status code: 403/ACCESS_TO_RESOURCE_IS_FORBIDDEN, [ dd88ceaa-47f2-46c1-a158-0fb9072d28ad ] Either you need some or all of the following rights [Base] to perform operations [VAPP_VIEW] for 75b5b162-35a4-444b-bdab-faab5d71cd6b or the target entity is invalid. (request id: dd88ceaa-47f2-46c1-a158-0fb9072d28ad)Power on operation on a vm is a special operation where authorization check to access the vm is done multiple times. Since in our case the security context is getting wiped out during the power on operation, the secondary authorization checks are failing and that results in the 403 error.
Fix description: CSE service account to its absolute minimum during cluster deployment. Use service account client and vapp only for accessing and updating extra config for post boot customization.
Cluster create with control plane and worker node tested
Cluster resize with worker node scale up tested
Tested as Cluster Admin (Clone of Org admin + special rights)
Tested as Cluster Author (Clone of vApp Author + special rights )
Resize tested thru UI plugin and CLI
This change is