This section describes the role-based access control (RBAC) model, that is, the roles and rights that tenants need in order to manage the life cycle of Native and TKGm clusters.
When VMware Cloud Director Container Service Extension 3.1 connects to VMware Cloud Director 10.2 or 10.3, it uses the RBAC provided by the VMware Cloud Director Defined Entity framework for Native and Tanzu Kubernetes Grid clusters. Only VMware Cloud Director Container Service Extension 3.1.4 can connect to VMware Cloud Director 10.4.
Grant rights to tenant users
This section details how to grant rights to tenant users for Native and Tanzu Kubernetes Grid clusters.
You can publish a right bundle to one or more organizations in your system. After you publish a right bundle to an organization, the rights in that bundle become part of the organization's set of rights.
An organization's rights can come from multiple right bundles, but organization administrators and users see a single flat set of rights from which they create and modify roles.
The right bundle is created automatically during VMware Cloud Director Container Service Extension server installation.
Right bundle | Title |
---|---|
cse:nativeCluster entitlement | Right bundle for Native cluster. Note: You can use this right bundle for TKGm clusters also. |
Each right bundle contains five rights. To deploy Native or TKGm clusters, any custom role built from these rights must also carry at least the privileges of the predefined vApp Author role.
You must publish the cse:nativeCluster entitlement right bundle to the desired organizations and grant the admin-level defined entity type rights to the Tenant Administrator role, and to that role only: those rights give full administrative control over every cluster entity in the organization. The organization administrator can then assign the relevant cluster management rights to the tenant users who need them. For more information about managing runtime defined entities, see Managing Defined Entities.
TKGm cluster management requires, at a minimum, the Full Control: CSE:NATIVECLUSTER right from the cse:nativeCluster entitlement right bundle.
Additional required rights
This section lists the additional rights that the components of a Native or Tanzu Kubernetes Grid cluster (for example, the Cloud Provider Interface (CPI) and Container Storage Interface (CSI) for VCD) need in order to function. These rights are separate from the basic RDE rights required to manage the life cycle of Native or Tanzu Kubernetes Grid clusters.
Right | Native | TKG | Remarks |
---|---|---|---|
Catalog: View Published Catalogs | Optional | Optional | Required by non-admin tenant users to access the CSE catalog |
API Tokens: Manage | N/A | Required | Required by CPI for VCD to function properly |
Organization vDC Gateway: View | Optional | Required | Required by CPI for VCD to function properly, Required to deploy exposed clusters |
Organization vDC Gateway: View NAT | Optional | Required | Required by CPI for VCD to function properly, Required to deploy exposed clusters |
Organization vDC Gateway: Configure NAT | Optional | Required | Required by CPI for VCD to function properly, Required to deploy exposed clusters |
Organization vDC Gateway: View Load Balancer | N/A | Required | Required by CPI for VCD to function properly |
Organization vDC Gateway: Configure Load Balancer | N/A | Required | Required by CPI for VCD to function properly |
Organization vDC Shared Named Disk: Create | N/A | Required | Required by CSI for VCD to function properly |
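The two procedures above (publishing the right bundle and granting the admin-level rights, then checking that a tenant role carries the Full Control right plus the additional rights from this table) can be turned into a preflight audit. The following is an added example, not code from CSE or VMware: it audits an exported list of a role's rights for a given cluster kind, flags admin-level RDE rights that have leaked onto a non-administrator role, and builds the provider-side cloudapi request that publishes the bundle. It assumes VMware Cloud Director 10.3-style RDE right names ("<Level>: CSE:NATIVECLUSTER"), that the other right names are spelled as in the table (verify against GET /cloudapi/1.0.0/rights on your system), and that POST /cloudapi/1.0.0/rightsBundles/{id}/tenants/publish accepts {"values": [{"id": "<org urn>"}]}. The sample role and its "vApp: ..." entries are constructed stand-ins for a real role export.

```python
"""Preflight audit of a VMware Cloud Director role against the rights CSE 3.1
clusters need, plus the cloudapi request that publishes the cse:nativeCluster
entitlement right bundle. Added example; not CSE's or VMware's own code.
Assumptions: 10.3-style RDE right names, table spellings, and the
rightsBundles/{id}/tenants/publish endpoint shape described in the lead-in."""
import json
import urllib.request

RDE_TYPE = "CSE:NATIVECLUSTER"
# Tenant-level right every cluster-managing user needs (minimum for TKGm).
CLUSTER_FULL_CONTROL = f"Full Control: {RDE_TYPE}"
# Admin-level RDE rights: grant these to the Tenant Administrator role only.
ADMIN_RDE_RIGHTS = {
    f"Administrator Full Control: {RDE_TYPE}",
    f"Administrator View: {RDE_TYPE}",
}
# "Additional required rights" table: right -> (Native column, TKG column);
# None stands for N/A.
ADDITIONAL = {
    "Catalog: View Published Catalogs": ("optional", "optional"),
    "API Tokens: Manage": (None, "required"),
    "Organization vDC Gateway: View": ("optional", "required"),
    "Organization vDC Gateway: View NAT": ("optional", "required"),
    "Organization vDC Gateway: Configure NAT": ("optional", "required"),
    "Organization vDC Gateway: View Load Balancer": (None, "required"),
    "Organization vDC Gateway: Configure Load Balancer": (None, "required"),
    "Organization vDC Shared Named Disk: Create": (None, "required"),
}
# Native clusters need these only when exposed ("Required to deploy exposed
# clusters" in the Remarks column).
EXPOSED_ONLY = {
    "Organization vDC Gateway: View",
    "Organization vDC Gateway: View NAT",
    "Organization vDC Gateway: Configure NAT",
}
# Non-admin tenant users need this to reach the CSE catalog.
CATALOG_VIEW = "Catalog: View Published Catalogs"


def required_rights(kind, exposed=False, admin_role=False):
    """Rights a role must hold to manage `kind` ("native" or "tkg") clusters."""
    if kind not in ("native", "tkg"):
        raise ValueError(f"unknown cluster kind: {kind}")
    column = 0 if kind == "native" else 1
    needed = {CLUSTER_FULL_CONTROL}
    for right, levels in ADDITIONAL.items():
        level = levels[column]
        if level == "required":
            needed.add(right)
        elif level == "optional" and exposed and right in EXPOSED_ONLY:
            needed.add(right)
    if not admin_role:
        needed.add(CATALOG_VIEW)
    return needed


def audit_role(role_rights, kind, exposed=False, admin_role=False, baseline=()):
    """Return (missing, excessive).

    missing:   required rights, plus any `baseline` rights (e.g. the rights
               exported from the predefined vApp Author role), the role lacks.
    excessive: admin-level RDE rights found on a role that is not the Tenant
               Administrator role, i.e. a least-privilege violation.
    """
    have = set(role_rights)
    needed = required_rights(kind, exposed, admin_role) | set(baseline)
    missing = sorted(needed - have)
    excessive = [] if admin_role else sorted(ADMIN_RDE_RIGHTS & have)
    return missing, excessive


def publish_bundle_request(base_url, bundle_id, org_ids, token, api_version="36.0"):
    """Build (without sending) the provider-session cloudapi call that publishes
    a right bundle to the given organization URNs; send with urlopen(req)."""
    body = json.dumps({"values": [{"id": org} for org in org_ids]}).encode()
    return urllib.request.Request(
        f"{base_url}/cloudapi/1.0.0/rightsBundles/{bundle_id}/tenants/publish",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": f"application/json;version={api_version}",
        },
    )


# Constructed sample: a custom tenant role cloned from vApp Author and given
# the cluster right, but missing most CPI/CSI rights and wrongly carrying an
# admin-level RDE right. "vApp: ..." names stand in for the vApp Author export.
SAMPLE_ROLE = [
    "vApp: Power Operations",
    CLUSTER_FULL_CONTROL,
    CATALOG_VIEW,
    "Organization vDC Gateway: View",
    f"Administrator Full Control: {RDE_TYPE}",
]

if __name__ == "__main__":
    for kind, exposed in (("native", False), ("native", True), ("tkg", False)):
        missing, excessive = audit_role(SAMPLE_ROLE, kind, exposed=exposed)
        print(f"{kind} exposed={exposed}: missing={missing} excessive={excessive}")
    req = publish_bundle_request("https://vcd.example.com", "urn:vcloud:rightsBundle:REPLACE",
                                 ["urn:vcloud:org:REPLACE"], "ACCESS-TOKEN")
    print(req.get_method(), req.full_url, req.data.decode())
```

Feed `audit_role` the right names returned for the role from your installation and pass the predefined vApp Author role's rights as `baseline` so the vApp Author minimum is checked as well; an empty `missing` and an empty `excessive` list means the role is ready for that cluster kind without carrying administrator-level RDE rights it should not have.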