Kubeadmin has no rights in ovtools #4

@mlacko64

Good day,
I installed ovtools on the cluster and logged in via the kubeadmin user, but the dashboard is empty. When I created another user and gave him cluster admin rights, everything worked fine.

Logs from ovtools containers:

Thanks for looking into this.

[ocpadmin@defrsovb01 ~]$ oc get pods
NAME                       READY   STATUS    RESTARTS   AGE
ovtools-7557fd699f-t6bm5   2/2     Running   0          55s
[ocpadmin@defrsovb01 ~]$

[ocpadmin@defrsovb01 ~]$ oc logs ovtools-7557fd699f-t6bm5
Defaulted container "oauth-proxy" out of: oauth-proxy, ovtools
2026/05/15 15:31:54 provider.go:129: Defaulting client-id to system:serviceaccount:ovtools:ovtools
2026/05/15 15:31:54 provider.go:134: Defaulting client-secret to service account token /var/run/secrets/kubernetes.io/serviceaccount/token
2026/05/15 15:31:54 oauthproxy.go:210: mapping path "/" => upstream "http://127.0.0.1:8080/"
2026/05/15 15:31:54 oauthproxy.go:231: compiled skip-auth-regex => "^/healthz$"
2026/05/15 15:31:54 oauthproxy.go:237: OAuthProxy configured for  Client ID: system:serviceaccount:ovtools:ovtools
2026/05/15 15:31:54 oauthproxy.go:247: Cookie settings: name:_oauth_proxy secure(https):true httponly:true expiry:168h0m0s domain:<default> samesite: refresh:disabled
I0515 15:31:54.552295       1 dynamic_serving_content.go:132] "Starting controller" name="serving::/etc/tls/private/tls.crt::/etc/tls/private/tls.key"
2026/05/15 15:31:54 http.go:110: HTTPS: listening on [::]:8443
2026/05/15 15:31:54 http.go:64: HTTP: listening on 127.0.0.1:4180
2026/05/15 15:32:11 provider.go:631: Performing OAuth discovery against https://172.30.0.1/.well-known/oauth-authorization-server
2026/05/15 15:32:11 provider.go:671: 200 GET https://172.30.0.1/.well-known/oauth-authorization-server {
  "issuer": "https://oauth-openshift.apps.deovhcp01.example.com",
  "authorization_endpoint": "https://oauth-openshift.apps.deovhcp01.example.com/oauth/authorize",
  "token_endpoint": "https://oauth-openshift.apps.deovhcp01.example.com/oauth/token",
  "scopes_supported": [
    "user:check-access",
    "user:full",
    "user:info",
    "user:list-projects",
    "user:list-scoped-projects"
  ],
  "response_types_supported": [
    "code",
    "token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}
2026/05/15 15:32:33 provider.go:631: Performing OAuth discovery against https://172.30.0.1/.well-known/oauth-authorization-server
2026/05/15 15:32:33 provider.go:671: 200 GET https://172.30.0.1/.well-known/oauth-authorization-server {
  "issuer": "https://oauth-openshift.apps.deovhcp01.example.com",
  "authorization_endpoint": "https://oauth-openshift.apps.deovhcp01.example.com/oauth/authorize",
  "token_endpoint": "https://oauth-openshift.apps.deovhcp01.example.com/oauth/token",
  "scopes_supported": [
    "user:check-access",
    "user:full",
    "user:info",
    "user:list-projects",
    "user:list-scoped-projects"
  ],
  "response_types_supported": [
    "code",
    "token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}
2026/05/15 15:32:33 provider.go:671: 200 GET https://172.30.0.1/apis/user.openshift.io/v1/users/~ {"kind":"User","apiVersion":"user.openshift.io/v1","metadata":{"name":"kube:admin","creationTimestamp":null},"groups":["system:authenticated","system:cluster-admins"]}
2026/05/15 15:32:33 oauthproxy.go:691: 172.17.2.2:46018 authentication complete Session{kube:admin@cluster.local token:true}
[ocpadmin@defrsovb01 ~]$ 

[ocpadmin@defrsovb01 ~]$ oc logs -c ovtools ovtools-7557fd699f-t6bm5
2026/05/15 15:31:54 main.go:26: ovtools 0.3.2 starting
2026/05/15 15:31:54 main.go:27: Server listening on http://127.0.0.1:8080
2026/05/15 15:32:33 client.go:540: Starting background pre-fetch with min interval 48s
2026/05/15 15:32:33 client.go:544: Pre-fetch: initial data load starting...
2026/05/15 15:32:33 client.go:548: Pre-fetch: initial data load complete (took 5.919534ms)
2026/05/15 15:32:33 handlers_dashboard.go:93: dashboard: failed to get PVCs: listing PVCs: persistentvolumeclaims is forbidden: User "kube:admin" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
2026/05/15 15:32:33 handlers_dashboard.go:57: dashboard: failed to get nodes: listing nodes: nodes is forbidden: User "kube:admin" cannot list resource "nodes" in API group "" at the cluster scope
2026/05/15 15:32:33 handlers_dashboard.go:84: dashboard: failed to get datastores: listing PVCs: persistentvolumeclaims is forbidden: User "kube:admin" cannot list resource "persistentvolumeclaims" in API group "" at the cluster scope
2026/05/15 15:32:33 handlers_dashboard.go:66: dashboard: failed to get snapshots: listing snapshots: virtualmachinesnapshots.snapshot.kubevirt.io is forbidden: User "kube:admin" cannot list resource "virtualmachinesnapshots" in API group "snapshot.kubevirt.io" at the cluster scope
2026/05/15 15:32:33 handlers_dashboard.go:48: dashboard: failed to get VMs: listing VMs: virtualmachines.kubevirt.io is forbidden: User "kube:admin" cannot list resource "virtualmachines" in API group "kubevirt.io" at the cluster scope
[ocpadmin@defrsovb01 ~]$
