Use this section to troubleshoot TKG cluster connection problems and log on errors.

Insufficient Permissions Error

If you do not have sufficient permissions on the vSphere Namespace, you cannot connect to Supervisor or to a TKG cluster as a vCenter Single Sign-On user.

The vSphere Plugin for kubectl returns the error message Error from server (Forbidden) when you attempt to connect to Supervisor or a TKG cluster as a vCenter Single Sign-On user.

You do not have sufficient role permissions on the vSphere Namespace, or your user account has not been granted access.

If you are a DevOps engineer who operates the cluster, verify with your vSphere administrator that you have been granted Edit permissions for the vSphere Namespace. If you are a developer who is using the cluster to deploy workloads, verify with your cluster administrator that you have been granted cluster access.

Kubectl vSphere Login Error

If you receive the following error when attempting to log in to Supervisor or TKG cluster using the vSphere Plugin for kubectl, it may be due to a log in error.
Failed to get available workloads, response from the server was invalid.
To troubleshoot log in errors, use -v=10 to get more verbose log output.
kubectl vsphere login --server=10.110.150.56 --vsphere-username [email protected] -v=10
For example, the following shows the use of verbose output to reveal an invalid or missing credentials error.
DEBU[0000] User passed verbosity level: 10
DEBU[0000] Setting verbosity level: 10
DEBU[0000] Setting request timeout:
DEBU[0000] login called as: /usr/local/bin/kubectl-vsphere login --server=10.110.150.56 --vsphere-username [email protected] -v=10
DEBU[0000] Creating wcp.Client for --server=10.110.150.56.
INFO[0000] Does not appear to be a vCenter or ESXi address.
DEBU[0000] Got response:
INFO[0000] Using [email protected] as username.
DEBU[0000] Env variable KUBECTL_VSPHERE_PASSWORD is present
DEBU[0000] Error while getting list of workloads: invalid or missing credentials
FATA[0000] Failed to get available workloads, response from the server was invalid.

SSH to Supervisor

It may be necessary to SSH to Supervisor to troubleshoot log in errors.
Warning: When you SSH to a Supervisor control plane node, you have permissions to permanently damage the Supervisor cluster. If VMware Support finds evidence of a customer making changes to Supervisor components from a Supervisor control plane node, VMware Support may mark the Supervisor cluster as unsupported and require you to redeploy the vSphere IaaS control plane solution. Only use this session to test networks, look at logs, and run kubectl logs/get/describe commands. Do not deploy, delete, or edit anything from this session without the express permission of a KB or VMware Support.
To SSH to a Supervisor control plane node, complete the following steps.
  1. Log in to vCenter using the root user account.
  2. Type dcli +i to use the datacenter CLI in interactive mode.
  3. Run the command namespacemanagement software clusters list to return the status of the Supervisor.
  4. Type exit to exit the dcli shell.
  5. Type shell to enter bash shell mode.
  6. Type /usr/lib/vmware-wcp/decyptK8Pwd.py to get the IP address and password for Supervisor.
  7. Type ssh 10.100.150.56 to ssh to Supervisor, where you replace the example IP address with the IP address returned by the previous command.