How To Resolve RealTheory Authorization Errors for an API Group

Background

RealTheory runs as a service account in your Kubernetes cluster. By default, RealTheory has RBAC permissions for a limited set of API groups. If your environment uses non-standard API groups, Kubernetes will deny access requests from the RealTheory Collector and generate an audit event for each failed request. These events typically appear as Forbidden errors in logs and audit records and indicate that access was blocked due to insufficient permissions.

Solution

To augment the RBAC permissions within the RealTheory Collector deployment manifest for each cluster that contains non-standard API groups, you must add a ClusterRole for each API group to the ClusterRole section of the RealTheory deployment manifest.

Procedure

1. Locate the original deployment manifest, or simply regenerate the manifest from the RealTheory console in Settings > Agent > Deployment.
   ,Important: If you regenerate the manifest, ensure that you configure each option, such as the cluster name, the cloud account identifier, the account owner, and the labels correctly to ensure consistency.
2. Locate the cluster role grant section of the manifest:

1# The cluster role grants read only access to key API groups.