How To Resolve RealTheory Authorization Errors for an API Group
  • 16 Feb 2025

Background

RealTheory runs as a service account in your Kubernetes cluster. By default, RealTheory has RBAC permissions for a limited set of API groups. If your environment uses non-standard API groups, Kubernetes will deny access requests from the RealTheory Collector and generate an audit event for each failed request. These events typically appear as Forbidden errors in logs and audit records and indicate that access was blocked due to insufficient permissions.

Solution

To augment the RBAC permissions in the RealTheory Collector deployment manifest for each cluster that contains non-standard API groups, add a rule for each such API group to the ClusterRole section of the RealTheory deployment manifest. The rules grant only the read verbs (get, watch, list) that the existing ClusterRole already uses.

Procedure

  1. Locate the original deployment manifest, or simply regenerate the manifest from the RealTheory console in Settings > Agent > Deployment.

    Important: If you regenerate the manifest, configure each option (the cluster name, the cloud account identifier, the account owner, and the labels) exactly as in the original so that the new manifest stays consistent with the running deployment.

  2. Locate the cluster role grant section of the manifest:

    # The cluster role grants read only access to key API groups.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: object-reader
    rules:
    - apiGroups: [""]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [apps]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [metrics.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [storage.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    - apiGroups: [apiextensions.k8s.io]
      resources: ["*"]
      verbs: [get, watch, list]
    
  3. Add the following lines to the cluster role grant section of the deployment manifest for each non-standard API group in your environment:

    - apiGroups: [<api group name>]
      resources: ["*"]
      verbs: [get, watch, list]

    Where <api group name> is the API group that contains the resources you want RealTheory to be able to access.

  4. Save your changes.

  5. Re-apply the manifest by running the following command:

    kubectl apply -f <filename.yaml>
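    As an added example (not RealTheory's own code), the following Python turns the Forbidden audit events described in the Background into the rule entries that step 3 asks for: it ignores groups the object-reader ClusterRole already covers, ignores denials of anything other than the read verbs so the role is never widened, and prints the result in the manifest's YAML style. The audit events and the collector service-account name are constructed assumptions.

```python
import json

# API groups the page's object-reader ClusterRole already covers.
DEFAULT_GROUPS = {"", "apps", "metrics.k8s.io", "storage.k8s.io", "apiextensions.k8s.io"}
READ_VERBS = ("get", "watch", "list")
# Assumed placeholder: the page does not name the collector's service account.
COLLECTOR_SA = "system:serviceaccount:realtheory:collector"

def _event(user, verb, group, resource, code):
    """Build one constructed audit.k8s.io/v1 event line (sample data, not real logs)."""
    return json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
                       "user": {"username": user}, "objectRef": {"resource": resource, "apiGroup": group},
                       "responseStatus": {"code": code}})

SAMPLE_AUDIT_LOG = "\n".join([
    _event(COLLECTOR_SA, "list", "networking.istio.io", "virtualservices", 403),
    _event(COLLECTOR_SA, "get", "apps", "deployments", 200),                # allowed, ignore
    _event(COLLECTOR_SA, "watch", "networking.istio.io", "gateways", 403),  # same group again
    _event(COLLECTOR_SA, "delete", "cert-manager.io", "certificates", 403), # write verb, not a read gap
    _event("system:serviceaccount:kube-system:other", "list", "velero.io", "backups", 403),
])

def forbidden_groups(audit_log, service_account):
    """Map each API group denied (HTTP 403) to the given principal to the set of denied verbs."""
    denied = {}
    for ev in (json.loads(line) for line in audit_log.splitlines() if line.strip()):
        if (ev.get("user", {}).get("username") == service_account
                and ev.get("responseStatus", {}).get("code") == 403):
            group = ev.get("objectRef", {}).get("apiGroup", "")
            denied.setdefault(group, set()).add(ev.get("verb", ""))
    return denied

def extra_rules(denied):
    """Rules to append in step 3: skip groups already granted, never widen beyond the read verbs."""
    rules = []
    for group in sorted(denied):
        if group in DEFAULT_GROUPS or not any(v in READ_VERBS for v in denied[group]):
            continue  # a denied write verb is not a missing read grant; leave the role alone
        rules.append({"apiGroups": [group], "resources": ["*"], "verbs": list(READ_VERBS)})
    return rules

def render_rules(rules):
    """Emit the rules in the manifest's own YAML style, ready to paste under `rules:`."""
    out = []
    for rule in rules:
        out += [f"- apiGroups: [{rule['apiGroups'][0]}]", '  resources: ["*"]',
                f"  verbs: [{', '.join(rule['verbs'])}]"]
    return "\n".join(out)
```

    On a real cluster, feed it the API server audit log filtered to the collector's principal; the cert-manager.io entry shows why a 403 alone is not a reason to add a group.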