Group permissions on cluster level with active directory

Hi All!

I’m trying to allow users inside a group to use kubectl and I’m getting the error below:

> kubectl get pods -n namespace
Error from server (InternalError): an error on the server ("{\"Code\":{\"Code\":\"ServerError\",\"Status\":500},\"Message\":\"Forbidden 403: \\\"c-6nfmd\\\" is forbidden: User \\\"user-k5446\\\" cannot get at the cluster scope\",\"Cause\":null,\"FieldName\":\"\"}") has prevented the request from succeeding 

But when I specify a user it works.

These are the roles I have:


The Active Directory group contains 5 users, but it doesn’t look at the members of the group, it uses the second role (NG-PROJECT-MANAGER-CLUSTER).

The same group works perfectly when I need to allow access just to a specific project using the first role.


What version of Rancher are you running?


I’m using 2.0.2.

I’ve tried 2.0.3 and 2.0.4, but I’ve received too many 502, 503 and 504 errors and I decided to roll back to 2.0.2.


Ok, this is a known issue in 2.0.2 and was fixed in 2.0.3. See:

Fixed an issue where giving permissions using AD groups were not providing correct permissions to users for kubectl [#13778]

(note that the issue applied to all auth providers not just AD as the title indicated)

I realize that puts you between a rock and a hard place. I suggest opening another forum post or, better yet, a GitHub issue to get help resolving the 50Xs.
