# Troubleshooting kubectl permissions and namespace issues with DuploCloud

When using kubectl with DuploCloud's duplo-jit authentication, you may encounter permission errors or "not found" errors when trying to access pods, deployments, or logs. This is typically due to namespace configuration issues. Understanding DuploCloud Namespaces In DuploCloud, your service account is scoped to a specific tenant namespace, not the default Kubernetes namespace. The namespace follows the pattern duploservices-{tenant-name} . For example, if your tenant is dev01-brook , your namespace would be duploservices-dev01-brook . Common Issues and Solutions Permission Denied Errors If you see errors like: Error from server (Forbidden): deployments.apps "my-app" is forbidden: User "system:serviceaccount:duploservices-dev01-brook:duploservices-dev01-brook-edit-user" cannot get resource "deployments" This usually means you're targeting the wrong namespace. Make sure you're using the correct DuploCloud tenant namespace. Resource Not Found Errors If you see "not found" errors, verify that: You're using the correct namespace The deployment/pod name is correct Correct kubectl Usage When using kubectl with DuploCloud, you have two options: Option 1: Specify the namespace explicitly kubectl --kubeconfig \~/.kube/config-dev-new-duplo.yaml -n duploservices-{tenant-name} get pods Option 2: Omit the namespace (recommended) Since everything in your tenant is in the same namespace, you can omit the -n flag entirely: kubectl --kubeconfig \~/.kube/config-dev-new-duplo.yaml get podskubectl --kubeconfig \~/.kube/config-dev-new-duplo.yaml logs deployment/my-app --since=20m Alternative Access Methods If you continue to have issues with local kubectl, you can also: Use the DuploCloud UI: Access the KubeCtl Shell directly from the DuploCloud interface Use Kibana: View logs across applications using the deployed Kibana dashboard with OpenSearch Both of these methods will have the same permissions as your duplo-jit kubectl configuration.