# Troubleshooting

## What are permission levels?

KuboVisor currently supports two different sets of permissions to analyze your cluster:

* limited write permissions
* read-only permissions

With **limited write permissions**, KuboVisor has **read-only access** to all deployed resources on your cluster, in all namespaces. Additionally, **read-write access to pods in a specific namespace is granted**. We won’t be able to tamper with resources outside of this namespace, only see them.

With **read-only permissions**, KuboVisor has **read-only access** to all deployed resources on your cluster, in all namespaces. We won’t be able to tamper with resources, only see them.

{% hint style="info" %}
For extended details on permission levels, refer to the specific instructions in the [cloud installation manual setup](/getting-started/kubovisor/cloud-mode/manual-setup.md).
{% endhint %}
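
One way to verify the granted level from your side, as an added example that is not part of KuboVisor's own tooling: impersonate the ServiceAccount with `kubectl auth can-i` and compare the answers with the level described above. It assumes the identity is ServiceAccount `ksa-kubovisor` in namespace `kubovisor` (names taken from the Helm errors further down this page), that `default` is a namespace outside the granted one, and that read-write on pods covers `create` and `delete`.

```bash
# Added example, not part of the KuboVisor documentation or tooling.
# Assumed names: ServiceAccount ksa-kubovisor in namespace kubovisor (from the
# Helm errors on this page); OTHER_NS is any namespace outside the granted one.
KUBECTL="${KUBECTL:-kubectl}"   # overridable so the checks can run against a stub
KV_NS="${KV_NS:-kubovisor}"
KV_SA="${KV_SA:-ksa-kubovisor}"
OTHER_NS="${OTHER_NS:-default}"

# can_i VERB RESOURCE NAMESPACE -> prints "yes" or "no" for the impersonated SA.
can_i() {
  if "$KUBECTL" auth can-i "$1" "$2" --namespace "$3" \
       --as "system:serviceaccount:${KV_NS}:${KV_SA}" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

# kv_check VERB RESOURCE NAMESPACE EXPECTED -> reports a deviation, sets _kv_rc.
kv_check() {
  _kv_got="$(can_i "$1" "$2" "$3")"
  if [ "$_kv_got" != "$4" ]; then
    echo "DEVIATION: $1 $2 in $3: expected $4, got $_kv_got"
    _kv_rc=1
  fi
}

# audit_permissions LEVEL, where LEVEL is "limited-write" or "read-only".
# Returns 0 when effective permissions match the level described above.
audit_permissions() {
  _kv_rc=0
  _kv_write=no
  if [ "$1" = "limited-write" ]; then _kv_write=yes; fi
  kv_check list   pods         "$OTHER_NS" yes          # read access, any namespace
  kv_check list   deployments  "$OTHER_NS" yes
  kv_check create pods         "$KV_NS"    "$_kv_write" # write only on pods, own ns
  kv_check delete pods         "$KV_NS"    "$_kv_write"
  kv_check delete pods         "$OTHER_NS" no           # no write outside that ns
  kv_check delete deployments  "$KV_NS"    no           # no write on other kinds
  kv_check create rolebindings "$KV_NS"    no           # no RBAC changes
  return "$_kv_rc"
}
```

Run `audit_permissions limited-write` or `audit_permissions read-only` with a kubeconfig that is allowed to impersonate ServiceAccounts; any `DEVIATION` line means the effective RBAC is broader or narrower than the level you selected.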

## Is my cluster network access restriction supported?

In order to use KuboVisor with your cluster, we need to be able to reach it. Below are the network restrictions that we currently support:

| Restriction       |         Cloud        |         Agent        | Comment                                                                                            |
| ----------------- | :------------------: | :------------------: | -------------------------------------------------------------------------------------------------- |
| None              | :white\_check\_mark: | :white\_check\_mark: | You don’t have anything more to do!                                                                |
| Network whitelist | :white\_check\_mark: | :white\_check\_mark: | <p>Add the following IP to the list of authorized networks:<br><strong>34.141.253.143</strong></p> |
| SSH bastion       | :white\_check\_mark: | :white\_check\_mark: | [**Learn how you can grant us access**](/guides/grant-access-to-a-private-network.md)              |
| Fully private     |          :x:         | :white\_check\_mark: | Only supported with [**KuboVisor local agent**](/getting-started/kubovisor/agent-mode.md)          |

## Agent Helm chart issues

### Cloud mode conflicting resources

If you have the following error:

```bash
Error: INSTALLATION FAILED: rendered manifests contain a resource that already exists. Unable to continue with install: ServiceAccount "ksa-kubovisor" in namespace "kubovisor" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "kubovisor-agent"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "kubovisor"
```

It indicates that resources that would be created by the Helm chart already exist in the cluster, but are not managed by Helm.

In this case, it indicates that KuboVisor is already configured for [cloud mode](/getting-started/kubovisor/cloud-mode.md) in this Namespace.

If this is not your installation, contact your cluster administrator. If this is your installation and you wish to use KuboVisor agent instead of cloud mode, you can follow these steps:

1. In KuboVisor, delete the cluster on which you want to install the agent.
2. Delete the following resources from the Namespace where you want to install the agent.

{% hint style="warning" %}
Make sure that your current context is set to the right Namespace, or add `--namespace myns` to all the following commands, replacing `myns` with the Namespace name.
{% endhint %}

ServiceAccount `ksa-kubovisor`:

```bash
kubectl delete sa ksa-kubovisor
```

Role `kubovisor-limited`:

```bash
kubectl delete role kubovisor-limited
```

RoleBinding `kubovisor-limited`:

```bash
kubectl delete rolebinding kubovisor-limited
```

3. Once all these resources are deleted, you can [install the agent](/getting-started/kubovisor/agent-mode.md).
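
A pre-flight check to run before the deletions in step 2, as an added example that is not part of the KuboVisor documentation: it reads the `meta.helm.sh/release-name` annotation named in the error to confirm that each resource is an unmanaged cloud-mode leftover and not part of an existing Helm release. The namespace `kubovisor` is an assumption taken from the error message; override it with `KV_NS`.

```bash
# Added example, not part of the KuboVisor documentation or tooling.
# Assumption: the failed install targeted namespace "kubovisor" (override with KV_NS).
KUBECTL="${KUBECTL:-kubectl}"   # overridable so the logic can run against a stub

# helm_release KIND NAME -> prints the owning Helm release name,
# "-" if the object exists without Helm ownership, "absent" if it does not exist.
helm_release() {
  _hr_out="$("$KUBECTL" get "$1" "$2" --namespace "${KV_NS:-kubovisor}" \
      -o 'jsonpath={.metadata.annotations.meta\.helm\.sh/release-name}' 2>/dev/null)" \
    || { echo absent; return 0; }
  echo "${_hr_out:--}"
}

# preflight -> returns 0 only if none of the three resources belongs to a Helm
# release, i.e. the conflict is the cloud-mode case and the manual deletions apply.
preflight() {
  _pf_rc=0
  for _pf_item in serviceaccount/ksa-kubovisor role/kubovisor-limited \
                  rolebinding/kubovisor-limited; do
    _pf_owner="$(helm_release "${_pf_item%%/*}" "${_pf_item#*/}")"
    case "$_pf_owner" in
      absent) echo "$_pf_item: not present, nothing to delete" ;;
      -)      echo "$_pf_item: not managed by Helm (cloud-mode leftover)" ;;
      *)      echo "$_pf_item: owned by Helm release '$_pf_owner', do not delete by hand"
              _pf_rc=1 ;;
    esac
  done
  return "$_pf_rc"
}
```

If `preflight` reports a Helm owner, the situation is the one described under "Multiple KuboVisor agent releases", and the resources should be left to that release.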

### Multiple KuboVisor agent releases

If you have the following error:

```bash
Error: INSTALLATION FAILED: rendered manifests contain a resource that already exists. Unable to continue with install: ServiceAccount "ksa-kubovisor" in namespace "kubovisor" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "kubovisor-agent2": current value is "kubovisor-agent"
```

It indicates that another Helm release of KuboVisor agent is installed on the cluster in this Namespace. You can list installed Helm releases with:

```bash
helm list
```


