Creating Dedicated Users and Roles for vSphere (Optional)
This topic describes how to create dedicated users and roles for your vSphere environment before deploying VMware Tanzu Kubernetes Grid Integrated Edition.
Note: This topic provides security considerations for defining dedicated vSphere user accounts for use with Kubernetes cluster VMs provisioned by Tanzu Kubernetes Grid Integrated Edition. The information in this topic is only relevant if you do not want to use the vSphere administrator account for the Tanzu Kubernetes Grid Integrated Edition and Kubernetes cluster VMs. If you are comfortable using the vSphere administrator account for the TKGI and Kubernetes cluster VMs, skip this topic.
Overview
Before you install Tanzu Kubernetes Grid Integrated Edition on vSphere, you can prepare your vSphere environment by creating the required user accounts and configuring DNS for the TKGI API endpoint.
You can create the following service accounts in vSphere:
- Master Node User Account for the Kubernetes control plane node VMs.
- BOSH/Ops Manager User Account for BOSH Director operations.
WARNING: The TKGI Master Node User Account and BOSH/Ops Manager service accounts must be two separate accounts.
After creating the Master Node and BOSH/Ops Manager service accounts you must grant the accounts privileges in vSphere:
Master Node User Account: Kubernetes control plane node VMs require storage permissions to create load balancers and attach persistent disks to pods. Creating a custom role for this service account allows vSphere to apply the same privileges to all Kubernetes control plane node VMs in your Tanzu Kubernetes Grid Integrated Edition installation.
BOSH/Ops Manager User Account: BOSH Director requires permissions to create VMs. You can apply privileges directly to this service account without creating a role. You can also apply the default VMware Administrator System Role to this user account to achieve the appropriate permission level.
VMware recommends configuring each service account with the least permissive privileges and unique credentials.
Note: If your Kubernetes clusters span multiple vCenters, you must set the user account privileges correctly in each vCenter.
To prepare your vSphere environment, do the following:
- Create the Master Node User Account
- Grant Storage Permissions
- Create the BOSH/Ops Manager User Account
- Grant Permissions to the BOSH/Ops Manager User Account
- Configure DNS for the TKGI API
Prerequisites
Before you prepare your vSphere environment, fulfill the prerequisites in vSphere Prerequisites and Resource Requirements.
Create the Master Node User Account
Virtual Machine Configuration privileges control the ability to configure virtual machine options and devices.
From the vCenter console, create a user account for Kubernetes cluster control plane VMs.
Grant the following Virtual Machine Object privileges to the user account:
Privilege (UI) | Privilege (API)
---|---
Virtual Machine > Advanced configuration | VirtualMachine.Config.AdvancedConfig
Virtual Machine > Change Settings | VirtualMachine.Config.Settings
Grant Storage Permissions
Kubernetes control plane node VM user accounts require the following:
- Read access to the folder, host, and datacenter of the cluster node VMs
- Permission to create and delete VMs within the resource pool where Tanzu Kubernetes Grid Integrated Edition is deployed
Grant these permissions to the control plane node user account based on your storage configuration using one of the procedures below:
- Static Only Persistent Volume Provisioning
- Dynamic Persistent Volume Provisioning (with Storage Policy-Based Volume Placement)
- Dynamic Persistent Volume Provisioning (without Storage Policy-Based Volume Placement)
The procedures in this topic use the following vCenter permissions objects:
Virtual Machine Configuration privileges control the ability to configure virtual machine options and devices. For information about Virtual Machine Configuration see Virtual Machine Configuration Privileges in the VMware vSphere documentation.
Datastore privileges control the ability to browse, manage, and allocate space on datastores. For information about Datastore see Datastore Privileges in the VMware vSphere documentation.
Resource privileges control the creation and management of resource pools, as well as the migration of virtual machines. For information about Resource see Resource Privileges in the VMware vSphere documentation.
Storage Views privileges control privileges for Storage Monitoring Service APIs. Starting with vSphere 6.0, storage views are deprecated and these privileges no longer apply to them. For information about Storage Views see Storage Views Privileges in the VMware vSphere documentation. For more information about vSphere storage configurations, see vSphere Storage for Kubernetes in the VMware vSphere documentation.
For information about the vSphere virtual machine permissions API, see ReconfigVM_Task(reconfigure) in the vSphere Web Services API documentation.
Static Only Persistent Volume Provisioning
To configure your Kubernetes control plane node user account using static only Persistent Volume (PV) provisioning, do the following:
1. Create a custom role that allows the service account to manage Kubernetes node VMs. For more information about custom roles in vCenter, see Create a Custom Role in the VMware vSphere documentation.
   - Give this role a name. For example, `manage-k8s-node-vms`.
   - Grant the following privileges at the VM Folder level using either the vCenter UI or API:

     Privilege (UI) | Privilege (API)
     ---|---
     Virtual Machine > Add existing disk | VirtualMachine.Config.AddExistingDisk
     Virtual Machine > Add new disk | VirtualMachine.Config.AddNewDisk
     Virtual Machine > Add or remove device | VirtualMachine.Config.AddRemoveDevice
     Virtual Machine > Remove disk | VirtualMachine.Config.RemoveDisk

   - Select the Propagate to Child Objects checkbox.
2. (Optional) Create a custom role that allows the user account to manage Kubernetes volumes.

   Note: This role is required if you create a Persistent Volume Claim (PVC) to bind with a statically provisioned PV, and the reclaim policy is set to delete. When the PVC is deleted, the statically provisioned PV is also deleted.

   - Give this role a name. For example, `manage-k8s-volumes`.
   - Grant the following privilege at the Datastore level using either the vCenter UI or API:

     Privilege (UI) | Privilege (API)
     ---|---
     Datastore > Low level file operations | Datastore.FileManagement

   - Clear the Propagate to Child Objects checkbox.
3. Grant the service account the existing Read-only role. This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels:

   Privilege (UI) | Privilege (API)
   ---|---
   Read-only | System.Anonymous, System.Read, System.View

Continue to Create the BOSH/Ops Manager User Account.
Dynamic Persistent Volume Provisioning (with Storage Policy-Based Volume Placement)
To configure your Kubernetes control plane node user account using dynamic PV provisioning with storage policy-based placement, do the following:
1. Create a custom role that allows the user account to manage Kubernetes node VMs. For more information about custom roles in vCenter, see Create a Custom Role in the VMware vSphere documentation.
   - Give this role a name. For example, `manage-k8s-node-vms`.
   - Grant the following privileges at the Cluster, Hosts, and VM Folder levels using either the vCenter UI or API:

     Privilege (UI) | Privilege (API)
     ---|---
     Resource > Assign virtual machine to resource pool | Resource.AssignVMToPool
     Virtual Machine > Add existing disk | VirtualMachine.Config.AddExistingDisk
     Virtual Machine > Add new disk | VirtualMachine.Config.AddNewDisk
     Virtual Machine > Add or remove device | VirtualMachine.Config.AddRemoveDevice
     Virtual Machine > Remove disk | VirtualMachine.Config.RemoveDisk
     Virtual Machine > Create new | VirtualMachine.Inventory.Create
     Virtual Machine > Remove | VirtualMachine.Inventory.Remove

   - Select the Propagate to Child Objects checkbox.
2. Create a custom role that allows the user account to manage Kubernetes volumes.
   - Give this role a name. For example, `manage-k8s-volumes`.
   - Grant the following privileges using either the vCenter UI or API:

     Privilege (UI) | Privilege (API)
     ---|---
     Datastore > Allocate space | Datastore.AllocateSpace
     Datastore > Low level file operations | Datastore.FileManagement

   - Clear the Propagate to Child Objects checkbox.
3. Create a custom role that allows the user account to read the Kubernetes storage profile.
   - Give this role a name. For example, `k8s-system-read-and-spbm-profile-view`.
   - Grant the following privilege at the vCenter level using either the vCenter UI or API:

     Privilege (UI) | Privilege (API)
     ---|---
     Profile-driven storage view | StorageProfile.View

   - Clear the Propagate to Child Objects checkbox.
4. Grant the user account the existing Read-only role. This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels:

   Privilege (UI) | Privilege (API)
   ---|---
   Read-only | System.Anonymous, System.Read, System.View

Continue to Create the BOSH/Ops Manager User Account.
Dynamic Persistent Volume Provisioning (without Storage Policy-Based Volume Placement)
To configure your Kubernetes control plane node user account using dynamic PV provisioning without storage policy-based placement, do the following:
1. Create a custom role that allows the user account to manage Kubernetes node VMs. For more information about custom roles in vCenter, see Create a Custom Role in the VMware vSphere documentation.
   - Give this role a name. For example, `manage-k8s-node-vms`.
   - Grant the following privileges at the Cluster, Hosts, and VM Folder levels using either the vCenter UI or API:

     Privilege (UI) | Privilege (API)
     ---|---
     Virtual Machine > Add existing disk | VirtualMachine.Config.AddExistingDisk
     Virtual Machine > Add new disk | VirtualMachine.Config.AddNewDisk
     Virtual Machine > Add or remove device | VirtualMachine.Config.AddRemoveDevice
     Virtual Machine > Remove disk | VirtualMachine.Config.RemoveDisk

   - Select the Propagate to Child Objects checkbox.
2. Create a custom role that allows the user account to manage Kubernetes volumes.
   - Give this role a name. For example, `manage-k8s-volumes`.
   - Grant the following privileges using either the vCenter UI or API:

     Privilege (UI) | Privilege (API)
     ---|---
     Datastore > Allocate space | Datastore.AllocateSpace
     Datastore > Low level file operations | Datastore.FileManagement

   - Clear the Propagate to Child Objects checkbox.
3. Grant the user account the existing Read-only role. This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels:

   Privilege (UI) | Privilege (API)
   ---|---
   Read-only | System.Anonymous, System.Read, System.View
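The three storage procedures above differ only in which roles and privileges they list, so one script covers them. The following VMware PowerCLI script is an added example, not part of the TKGI documentation: it builds the roles and permission assignments for the dynamic provisioning with Storage Policy-Based placement procedure, and it is trimmed for the other two by deleting the roles and privilege IDs those procedures do not list. The vCenter host name, the account principal, and the inventory object names are placeholders you must replace.

```powershell
# Added example, not from the TKGI docs: build the roles from the procedure above with VMware PowerCLI.
# Placeholders (replace for your environment): vCenter host, service account principal, inventory names.
Connect-VIServer -Server 'vcenter.example.com'            # placeholder

$principal  = 'VSPHERE.LOCAL\k8s-master-svc'              # placeholder: the Master Node User Account
$dc         = Get-Datacenter -Name 'DC1'                   # placeholder
$cluster    = Get-Cluster -Name 'Cluster1'                 # placeholder
$vmFolder   = Get-Folder -Name 'k8s-nodes' -Type VM        # placeholder: VM folder holding the node VMs
$datastore  = Get-Datastore -Name 'DS1'                    # placeholder
$rootFolder = Get-Folder -NoRecursion                      # the vCenter (root) inventory object

# Role name -> API privilege IDs, exactly as the tables above list them.
$roles = @{
  'manage-k8s-node-vms' = @(
    'Resource.AssignVMToPool',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.AddRemoveDevice', 'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.Remove')
  'manage-k8s-volumes' = @('Datastore.AllocateSpace', 'Datastore.FileManagement')
  'k8s-system-read-and-spbm-profile-view' = @('StorageProfile.View')
}

# Create each role only if it does not already exist; Get-VIPrivilege -Id resolves the IDs.
foreach ($name in $roles.Keys) {
  if (-not (Get-VIRole -Name $name -ErrorAction SilentlyContinue)) {
    New-VIRole -Name $name -Privilege (Get-VIPrivilege -Id $roles[$name]) | Out-Null
  }
}

# Assign roles at the inventory levels the procedure names. Propagate only where it
# says to select "Propagate to Child Objects"; everywhere else leave it cleared.
$nodeEntities = @($cluster, $vmFolder) + @(Get-VMHost -Location $cluster)
New-VIPermission -Entity $nodeEntities -Principal $principal -Role (Get-VIRole -Name 'manage-k8s-node-vms') -Propagate:$true | Out-Null
New-VIPermission -Entity $datastore -Principal $principal -Role (Get-VIRole -Name 'manage-k8s-volumes') -Propagate:$false | Out-Null
New-VIPermission -Entity $rootFolder -Principal $principal -Role (Get-VIRole -Name 'k8s-system-read-and-spbm-profile-view') -Propagate:$false | Out-Null
# Built-in Read-only role ('ReadOnly' in PowerCLI). Add your datastore cluster and
# datastore storage folder objects to this list if you use them.
New-VIPermission -Entity @($rootFolder, $dc, $datastore) -Principal $principal -Role (Get-VIRole -Name 'ReadOnly') -Propagate:$false | Out-Null

# Check the result: every permission the account holds, where, and whether it propagates.
Get-VIPermission -Principal $principal | Select-Object Entity, Role, Propagate | Format-Table -AutoSize
```

The final `Get-VIPermission` listing is the check to keep: an entry with a role or propagation flag the procedure did not call for means the account holds more than the least privilege this topic recommends.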
Create the BOSH/Ops Manager User Account
- From the vCenter console, create the BOSH/Ops Manager User Account.
- If you are deploying both Tanzu Application Service (TAS) and TKGI within the same vSphere environment, create an additional BOSH/Ops Manager Service Account so that you have one account for TAS and a separate account for TKGI.
Grant Permissions to the BOSH/Ops Manager User Account
There are two options for granting permissions to the BOSH/Ops Manager User Account(s):
- Grant minimal permissions. Grant each BOSH/Ops Manager User Account the minimum required permissions as described in vSphere Service Account Requirements.
- Grant Administrator Role permissions. Apply the default VMware Administrator Role to each BOSH/Ops Manager User Account as described in vCenter Server System Roles.
Warning: Applying the VMware Administrator Role to the BOSH/Ops Manager Service Account grants the account more privileges than are required. For optimal security always use the least privileged account.
Configure DNS for the TKGI API
Navigate to your DNS provider and create an entry for a fully qualified domain name (FQDN) within your system domain. For example, `api.tkgi.example.com`.
When you configure the Tanzu Kubernetes Grid Integrated Edition tile, enter this FQDN in the TKGI API pane.
After you deploy Tanzu Kubernetes Grid Integrated Edition, you map the IP address of the TKGI API to this FQDN. You can then use this FQDN to access the TKGI API from your local system.
Next Installation Step
To install and configure Ops Manager, follow the instructions in Installing and Configuring Ops Manager on vSphere.
Please send any feedback you have to pks-feedback@pivotal.io.