Why can't I view or work with my cluster?
Virtual Private Cloud Classic infrastructure
You are not able to find a cluster. When you run ibmcloud oc cluster ls
, the cluster is not listed in the output.
Or, you are not able to work with a cluster. When you run ibmcloud oc cluster config
or other cluster-specific commands, the cluster is not found.
In IBM Cloud, each resource must be in a resource group. For example, cluster mycluster
might exist in the default
resource group.
When the account owner gives you access to resources by assigning you an IBM Cloud IAM platform access role, the access can be to a specific resource or to the resource group. When you are given access to a specific resource, you don't have access to the resource group. In this case, you don't need to target a resource group to work with the clusters you have access to. If you target a different resource group than the group that the cluster is in, actions against that cluster can fail. Conversely, when you are given access to a resource as part of your access to a resource group, you must target a resource group to work with a cluster in that group. If you don't target your CLI session to the resource group that the cluster is in, actions against that cluster can fail.
If you can't find or work with a cluster, you might be experiencing one of the following issues:
- You have access to the cluster and the resource group that the cluster is in, but your CLI session is not targeted to the resource group that the cluster is in.
- You have access to the cluster, but not as part of the resource group that the cluster is in. Your CLI session is targeted to this or another resource group.
- You don't have access to the cluster.
To check your user access permissions:
-
List all your user permissions.
ibmcloud iam user-policies <your_user_name>
-
Check if you have access to the cluster and to the resource group that the cluster is in.
- Look for a policy that has a Resource Group Name value of the cluster's resource group and a Memo value of
Policy applies to the resource group
. If you have this policy, you have access to the resource group. For example, this policy indicates that a user has access to thetest-rg
resource group:Policy ID: 3ec2c069-fc64-4916-af9e-e6f318e2a16c Roles: Viewer Resources: Resource Group ID 50c9b81c983e438b8e42b2e8eca04065 Resource Group Name test-rg Memo Policy applies to the resource group
- Look for a policy that has a Resource Group Name value of the cluster's resource group, a Service Name value of
containers-kubernetes
or no value, and a Memo value ofPolicy applies to the resource(s) within the resource group
. If you this policy, you have access to clusters or to all resources within the resource group. For example, this policy indicates that a user has access to clusters in thetest-rg
resource group:Policy ID: e0ad889d-56ba-416c-89ae-a03f3cd8eeea Roles: Administrator Resources: Resource Group ID a8a12accd63b437bbd6d58fb6a462ca7 Resource Group Name test-rg Service Name containers-kubernetes Service Instance Region Resource Type Resource Memo Policy applies to the resource(s) within the resource group
- If you have both of these policies, skip to Step 4, first bullet. If you don't have the policy from Step 2a, but you do have the policy from Step 2b, skip to Step 4, second bullet. If you don't have either of these policies, continue to Step 3.
- Look for a policy that has a Resource Group Name value of the cluster's resource group and a Memo value of
-
Check if you have access to the cluster, but not as part of access to the resource group that the cluster is in.
- Look for a policy that has no values besides the Policy ID and Roles fields. If you have this policy, you have access to the cluster as part of access to the entire account. For example, this policy indicates
that a user has access to all resources in the account:
Policy ID: 8898bdfd-d520-49a7-85f8-c0d382c4934e Roles: Administrator, Manager Resources: Service Name Service Instance Region Resource Type Resource
- Look for a policy that has a Service Name value of
containers-kubernetes
and a Service Instance value of the cluster's ID. You can find a cluster ID by runningibmcloud oc cluster get --cluster <cluster_name>
. For example, this policy indicates that a user has access to a specific cluster:Policy ID: 140555ce-93ac-4fb2-b15d-6ad726795d90 Roles: Administrator Resources: Service Name containers-kubernetes Service Instance df253b6025d64944ab99ed63bb4567b6 Region Resource Type Resource
- If you have either of these policies, skip to the second bullet point of step 4. If you don't have either of these policies, skip to the third bullet point of step 4.
- Look for a policy that has no values besides the Policy ID and Roles fields. If you have this policy, you have access to the cluster as part of access to the entire account. For example, this policy indicates
that a user has access to all resources in the account:
-
Depending on your access policies, choose one of the following options.
- If you have access to the cluster and to the resource group that the cluster is in:
- Target the resource group. Note: You can't work with clusters in other resource groups until you change this resource group.
ibmcloud target -g <resource_group>
- Target the cluster.
ibmcloud oc cluster config --cluster <cluster_name_or_ID>
- Target the resource group. Note: You can't work with clusters in other resource groups until you change this resource group.
- If you have access to the cluster but not to the resource group that the cluster is in:
- Do not target a resource group. If you already targeted a resource group, remove the target.
ibmcloud target --unset-resource-group
- Target the cluster.
ibmcloud oc cluster config --cluster <cluster_name_or_ID>
- Do not target a resource group. If you already targeted a resource group, remove the target.
- If you don't have access to the cluster:
- Ask your account owner to assign an IBM Cloud IAM platform access role to you for that cluster.
- Do not target a resource group. If you already targeted a resource group, remove the target.
ibmcloud target --unset-resource-group
- Target the cluster.
ibmcloud oc cluster config --cluster <cluster_name_or_ID>
- If you have access to the cluster and to the resource group that the cluster is in: