Creating Dedicated Users and Roles for vSphere (Optional)

Page last updated:

This topic describes how to create dedicated users and roles for your vSphere environment before deploying VMware Tanzu Kubernetes Grid Integrated Edition.

Note: This topic provides security considerations for defining dedicated vSphere user accounts for use with Kubernetes cluster VMs provisioned by Tanzu Kubernetes Grid Integrated Edition. The information in this topic is only relevant if you do not want to use the vSphere administrator account for the Tanzu Kubernetes Grid Integrated Edition and Kubernetes cluster VMs. If you are comfortable using the vSphere administrator account for the TKGI and Kubernetes cluster VMs, skip this topic.

Overview

Before you install Tanzu Kubernetes Grid Integrated Edition on vSphere, you can prepare your vSphere environment by creating the required user accounts and configuring DNS for the TKGI API endpoint.

You can create the following service accounts in vSphere:

  • Master Node User Account for the Kubernetes control plane node VMs.
  • BOSH/Ops Manager User Account for BOSH Director operations.

WARNING: The TKGI Master Node User Account and BOSH/Ops Manager service accounts must be two separate accounts.

After creating the Master Node and BOSH/Ops Manager service accounts you must grant the accounts privileges in vSphere:

  • Master Node User Account: Kubernetes control plane node VMs require storage permissions to create load balancers and attach persistent disks to pods. Creating a custom role for this service account allows vSphere to apply the same privileges to all Kubernetes control plane node VMs in your Tanzu Kubernetes Grid Integrated Edition installation.

  • BOSH/Ops Manager User Account: BOSH Director requires permissions to create VMs. You can apply privileges directly to this service account without creating a role. You can also apply the default VMware Administrator System Role to this user account to achieve the appropriate permission level.

VMware recommends configuring each service account with the least permissive privileges and unique credentials.

Note: If your Kubernetes clusters span multiple vCenters, you must set the user account privileges correctly in each vCenter.

To prepare your vSphere environment, do the following:

  1. Create the Master Node Service Account
  2. Grant Storage Permissions
  3. Create the BOSH/Ops Manager Service Account
  4. Grant Permissions to the BOSH/Ops Manager Service Account
  5. Configure DNS for the TKGI API

Prerequisites

Before you prepare your vSphere environment, fulfill the prerequisites in vSphere Prerequisites and Resource Requirements.

Create the Master Node User Account

Virtual Machine Configuration privileges control the ability to configure virtual machine options and devices.

  1. From the vCenter console, create a user account for Kubernetes cluster control plane VMs.

  2. Grant the following Virtual Machine Object privileges to the user account:

Privilege (UI)Privilege (API)
Virtual Machine > Advanced configuration VirtualMachine.Config.AdvancedConfig
Virtual Machine > Change Settings VirtualMachine.Config.Settings

Grant Storage Permissions

Kubernetes control plane node VM user accounts require the following:

  • Read access to the folder, host, and datacenter of the cluster node VMs
  • Permission to create and delete VMs within the resource pool where Tanzu Kubernetes Grid Integrated Edition is deployed

Grant these permissions to the control plane node user account based on your storage configuration using one of the procedures below:

The procedures in this topic use the following vCenter permissions objects:

  • Virtual Machine Configuration privileges control the ability to configure virtual machine options and devices. For information about Virtual Machine Configuration see Virtual Machine Configuration Privileges in the VMware vSphere documentation.

  • Datastore privileges control the ability to browse, manage, and allocate space on datastores. For information about Datastore see Datastore Privileges in the VMware vSphere documentation.

  • Resource privileges control the creation and management of resource pools, as well as the migration of virtual machines. For information about Resource see Resource Privileges in the VMware vSphere documentation.

  • Storage Views privileges control privileges for Storage Monitoring Service APIs. Starting with vSphere 6.0, storage views are deprecated and these privileges no longer apply to them. For information about Storage Views see Storage Views Privileges in the VMware vSphere documentation. For more information about vSphere storage configurations, see vSphere Storage for Kubernetes in the VMware vSphere documentation.

For information about the vSphere virtual machine permissions API, see ReconfigVM_Task(reconfigure) in the vSphere Web Services API documentation.

Static Only Persistent Volume Provisioning

To configure your Kubernetes control plane node user account using static only Persistent Volume (PV) provisioning, do the following:

  1. Create a custom role that allows the service account to manage Kubernetes node VMs. For more information about custom roles in vCenter, see Create a Custom Role in the VMware vSphere documentation.

    1. Give this role a name. For example, manage-k8s-node-vms.
    2. Grant the following privileges at the VM Folder level using either the vCenter UI or API:
      Privilege (UI)Privilege (API)
      Virtual Machine > Add existing disk VirtualMachine.Config.AddExistingDisk
      Virtual Machine > Add new disk VirtualMachine.Config.AddNewDisk
      Virtual Machine > Add or remove device VirtualMachine.Config.AddRemoveDevice
      Virtual Machine > Remove disk VirtualMachine.Config.RemoveDisk
    3. Select the Propagate to Child Objects checkbox.

  2. (Optional) Create a custom role that allows the user account to manage Kubernetes volumes.

    Note: This role is required if you create a Persistent Volume Claim (PVC) to bind with a statically provisioned PV, and the reclaim policy is set to delete. When the PVC is deleted, the statically provisioned PV is also deleted.

    1. Give this role a name. For example, manage-k8s-volumes.
    2. Grant the following privilege at the Datastore level using either the vCenter UI or API:
      Privilege (UI)Privilege (API)
      Datastore > Low level file operations Datastore.FileManagement
    3. Clear the Propagate to Child Objects checkbox.

  3. Grant the service account the existing Read-only role. This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels: This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels:

    Privilege (UI)Privilege (API)
    Read-onlySystem.Anonymous
    System.Read
    System.View

  4. Continue to Create the BOSH/Ops Manager User Account.

Dynamic Persistent Volume Provisioning (with Storage Policy-Based Volume Placement)

To configure your Kubernetes control plane node user account using dynamic PV provisioning with storage policy-based placement, do the following:

  1. Create a custom role that allows the user account to manage Kubernetes node VMs. For more information about custom roles in vCenter, see Create a Custom Role in the VMware vSphere documentation.

    1. Give this role a name. For example, manage-k8s-node-vms.
    2. Grant the following privileges at the Cluster, Hosts, and VM Folder levels using either the vCenter UI or API:
      Privilege (UI)Privilege (API)
      Resource > Assign virtual machine to resource pool Resource.AssignVMToPool
      Virtual Machine > Add existing disk VirtualMachine.Config.AddExistingDisk
      Virtual Machine > Add new disk VirtualMachine.Config.AddNewDisk
      Virtual Machine > Add or remove device VirtualMachine.Config.AddRemoveDevice
      Virtual Machine > Remove disk VirtualMachine.Config.RemoveDisk
      Virtual Machine > Create new VirtualMachine.Inventory.Create
      Virtual Machine > Remove VirtualMachine.Inventory.Remove
    3. Select the Propagate to Child Objects checkbox.

  2. Create a custom role that allows the user account to manage Kubernetes volumes.

    1. Give this role a name. For example, manage-k8s-volumes.
    2. Grant the following privileges using either the vCenter UI or API:
      Privilege (UI)Privilege (API)
      Datastore > Allocate space Datastore.AllocateSpace
      Datastore > Low level file operations Datastore.FileManagement
    3. Clear the Propagate to Child Objects checkbox.

  3. Create a custom role that allows the user account to read the Kubernetes storage profile.

    1. Give this role a name. For example, k8s-system-read-and-spbm-profile-view.
    2. Grant the following privilege at the vCenter level using either the vCenter UI or API:
      Privilege (UI)Privilege (API)
      Profile-driven storage viewStorageProfile.View
    3. Clear the Propagate to Child Objects checkbox.

  4. Grant the user account the existing Read-only role. This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels:

    Privilege (UI)Privilege (API)
    Read-onlySystem.Anonymous
    System.Read
    System.View

  5. Continue to Create the BOSH/Ops Manager Service Account.

Dynamic Volume Provisioning (without Storage Policy-Based Volume Placement)

To configure your Kubernetes control plane node user account using dynamic PV provisioning without storage policy-based placement, do the following:

  1. Create a custom role that allows the user account to manage Kubernetes node VMs. For more information about custom roles in vCenter, see Create a Custom Role in the VMware vSphere documentation.

    1. Give this role a name. For example, manage-k8s-node-vms.
    2. Grant the following privileges at the Cluster, Hosts, and VM Folder levels using either the vCenter UI or API:
      Privilege (UI)Privilege (API)
      Virtual Machine > Add existing disk VirtualMachine.Config.AddExistingDisk
      Virtual Machine > Add new disk VirtualMachine.Config.AddNewDisk
      Virtual Machine > Add or remove device VirtualMachine.Config.AddRemoveDevice
      Virtual Machine > Remove disk VirtualMachine.Config.RemoveDisk
    3. Select the Propagate to Child Objects checkbox.

  2. Create a custom role that allows the user account to manage Kubernetes volumes.

    1. Give this role a name. For example, manage-k8s-volumes.
    2. Grant the following privileges using either the vCenter UI or API:
      Privilege (UI)Privilege (API)
      Datastore > Allocate space Datastore.AllocateSpace
      Datastore > Low level file operations Datastore.FileManagement
    3. Clear the Propagate to Child Objects checkbox.

  3. Grant the user account the existing Read-only role. This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels:

    Privilege (UI)Privilege (API)
    Read-onlySystem.Anonymous
    System.Read
    System.View

Create the BOSH/Ops Manager User Account

  1. From the vCenter console, create the BOSH/Ops Manager User Account.
  2. If you are deploying both Tanzu Application Service (TAS) and TKGI within the same vSphere environment, create an additional BOSH/Ops Manager Service Account so that you have one account for TAS and a separate account for TKGI.

Grant Permissions to the BOSH/Ops Manager User Account

There are two options for granting permissions to the BOSH/Ops Manager Service Account(s):

  • Grant minimal permissions. Grant each BOSH/Ops Manager User Account the minimum required permissions as described in vSphere Service Account Requirements.

  • Grant Administrator Role permissions. Apply the default VMware Administrator Role to each BOSH/Ops Manager Service Account as described in vCenter Server System Roles .

    Warning: Applying the VMware Administrator Role to the BOSH/Ops Manager Service Account grants the account more privileges than are required. For optimal security always use the least privileged account.

Configure DNS for the TKGI API

Navigate to your DNS provider and create an entry for a fully qualified domain name (FQDN) within your system domain. For example, api.tkgi.example.com.

When you configure the Tanzu Kubernetes Grid Integrated Edition tile, enter this FQDN in the TKGI API pane.

After you deploy Tanzu Kubernetes Grid Integrated Edition, you map the IP address of the TKGI API to this FQDN. You can then use this FQDN to access the TKGI API from your local system.

Next Installation Step

To install and configure Ops Manager, follow the instructions in Installing and Configuring Ops Manager on vSphere.

Please send any feedback you have to pks-feedback@pivotal.io.