To enable tenants with provisioned Kubernetes clusters to deploy container applications from configured VMware Marketplace and Helm chart repository content resources into VMware Cloud Director catalogs, you must install the Kubernetes operator.

Configuration of the Kubernetes Cluster Owner

The Kubernetes cluster owner is the tenant user that deploys and has administrative control over a Kubernetes cluster.

The Kubernetes operator uses the API token of the Kubernetes cluster owner for communication with VMware Cloud Director and for carrying out container application management operations.

To enable the installation of the Kubernetes operator, an organization administrator must first assign additional permissions to the owner of the Kubernetes cluster where the operator is going to be installed.

Using the VMware Cloud Director Tenant Portal, you can view the Content Hub operator version and whether that version is up to date, deprecated, or not supported, or whether an update is available.

Install a Kubernetes Operator in Your VMware Cloud Director Tenant Portal

To deploy container applications from external content sources, in VMware Cloud Director Tenant Portal, you must install a Kubernetes operator.

Prerequisites

  • Verify that the owner of the Kubernetes cluster, where you are installing the operator, has the following permissions.
    • All rights from the global Kubernetes Cluster Author role. The Kubernetes Cluster Author role is automatically created during the VMware Cloud Director Container Service Extension server configuration process. For more information, see the VMware Cloud Director Container Service Extension documentation.
    • Full management control of the Kubernetes cluster.
    • The additional VMware Cloud Director rights: Manage Container App, Reconcile Container App, and Full Control: VMWARE:KUBECLUSTEREXTENSION.
  • Verify that you have full administrative control of the Kubernetes cluster, where you are installing the Kubernetes operator, and the Full Control: VMWARE:CAPVCDCLUSTER and View: VMWARE:KUBECLUSTEREXTENSION rights.

Procedure

  1. From the primary left navigation panel, select Content Hub.
  2. From the secondary left panel, select Kubernetes Clusters.
  3. Click the radio button next to the Kubernetes cluster on which you want to install the Kubernetes operator, and click Install Operator.
  4. Select the type of the source location for the Kubernetes operator package.
    Option: Description
    • VMware Registry: If the Kubernetes cluster has access to the Internet, you can install the Kubernetes operator by using the official Content Hub Kubernetes operator package from the public VMware container registry.
    • Custom Registry: If the Kubernetes cluster does not have access to the Internet, install the Kubernetes operator by using a custom registry.
      You must clone the official Content Hub Kubernetes operator package from the public VMware container registry to your custom registry. The Content Hub Kubernetes operator package must be in the Carvel format and you must use the Carvel imgpkg tool for cloning the package. For information about the imgpkg tool, see the Carvel imgpkg documentation.
      Note: To use a custom registry, copy the version of the official Content Hub Kubernetes operator package from the public VMware container registry.
  5. If you want to use a custom registry, enter the path to the custom registry that stores the cloned Content Hub Kubernetes operator package, and the version of the official Content Hub Kubernetes operator package from the public VMware container registry.
  6. Click Install Operator.

Results

After the successful installation, VMware Cloud Director creates two namespaces within the Kubernetes cluster. In the first namespace, vcd-contenthub-system, VMware Cloud Director installs the Content Hub operator manager. The second namespace, vcd-contenthub-workloads, remains empty. VMware Cloud Director uses this namespace to deploy container applications at a later stage.

Edit a Kubernetes Operator in Your VMware Cloud Director Tenant Portal

Using the VMware Cloud Director Tenant Portal, you can update the package location and redeploy the Kubernetes operator.

Successfully updating the location and version of the Kubernetes operator automatically redeploys the operator.

Prerequisites

  • Verify that the owner of the Kubernetes cluster, where you are installing the operator, has the following permissions.
    • All rights from the global Kubernetes Cluster Author role. The Kubernetes Cluster Author role is automatically created during the VMware Cloud Director Container Service Extension server configuration process. For more information, see the VMware Cloud Director Container Service Extension documentation.
    • Full management control of the Kubernetes cluster.
    • The additional VMware Cloud Director rights: Manage Container App, Reconcile Container App, and Full Control: VMWARE:KUBECLUSTEREXTENSION.
  • Verify that you have full administrative control of the Kubernetes cluster, where you are installing the Kubernetes operator, and the Full Control: VMWARE:CAPVCDCLUSTER and View: VMWARE:KUBECLUSTEREXTENSION rights.

Procedure

  1. From the primary left navigation panel, select Content Hub.
  2. From the secondary left panel, select Kubernetes Clusters.
  3. Click the radio button next to the Kubernetes cluster on which you want to update the Kubernetes operator, and click Edit Operator.
  4. Select the type of the source location for the Kubernetes operator package.
    Option: Description
    • VMware Registry: If the Kubernetes cluster has access to the Internet, you can install the Kubernetes operator by using the official Content Hub Kubernetes operator package from the public VMware container registry.
    • Custom Registry: If the Kubernetes cluster does not have access to the Internet, install the Kubernetes operator by using a custom registry.
      You must clone the official Content Hub Kubernetes operator package from the public VMware container registry to your custom registry. The Content Hub Kubernetes operator package must be in the Carvel format and you must use the Carvel imgpkg tool for cloning the package. For information about the imgpkg tool, see the Carvel imgpkg documentation.
      Note: To use a custom registry, copy the version of the official Content Hub Kubernetes operator package from the public VMware container registry.
  5. If you want to use a custom registry, enter the path to the custom registry that stores the cloned Content Hub Kubernetes operator package, and the version of the official Content Hub Kubernetes operator package from the public VMware container registry.
  6. Click Edit Operator.

Uninstall a Kubernetes Operator from Your VMware Cloud Director Tenant Portal

You can delete the Kubernetes operator and all container applications it manages from the VMware Cloud Director Tenant Portal by uninstalling the operator.

After uninstalling the Kubernetes operator from Content Hub, you must delete the Kubernetes operator namespaces and resources from the Kubernetes cluster.

Prerequisites

  • Verify that the owner of the Kubernetes cluster, where you are installing the operator, has the following permissions.
    • All rights from the global Kubernetes Cluster Author role. The Kubernetes Cluster Author role is automatically created during the VMware Cloud Director Container Service Extension server configuration process. For more information, see the VMware Cloud Director Container Service Extension documentation.
    • Full management control of the Kubernetes cluster.
    • The additional VMware Cloud Director rights: Manage Container App, Reconcile Container App, and Full Control: VMWARE:KUBECLUSTEREXTENSION.
  • Verify that you have full administrative control of the Kubernetes cluster, where you are installing the Kubernetes operator, and the Full Control: VMWARE:CAPVCDCLUSTER and View: VMWARE:KUBECLUSTEREXTENSION rights.

Procedure

  1. From the primary left navigation panel, select Content Hub.
  2. From the secondary left panel, select Kubernetes Clusters.
  3. Click the radio button next to the Kubernetes cluster from which you want to remove the Kubernetes operator, and click Uninstall Operator.
  4. Copy the commands for the deletion of the Kubernetes operator namespaces and resources by clicking Copy to clipboard.
  5. Click Uninstall.
  6. Log in to the Kubernetes cluster by using the Kubernetes kubectl command-line tool and run the following commands.
    kubectl delete pkgi vcd-contenthuboperator-install -n vcd-contenthub-system
    kubectl delete clusterrole vcd-contenthuboperator-install
    kubectl delete clusterrolebinding vcd-contenthuboperator-install
    kubectl delete ns vcd-contenthub-workloads
    kubectl delete ns vcd-contenthub-system
    Note: To prevent leaving unused resources on the cluster, wait for the operation to complete.
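
The following check covers both the install Results and the uninstall cleanup above. It is an added example, not VMware code: it asks the cluster which Content Hub operator objects exist, so a leftover cluster role binding or a namespace that is still terminating is reported. The object names come from the commands above; the function names and script layout are assumptions.

```sh
#!/bin/sh
# Added example, not VMware code. Object names are taken from the kubectl
# delete commands in the uninstall procedure; "-" marks a cluster-scoped object.
CONTENTHUB_OBJECTS='pkgi vcd-contenthuboperator-install vcd-contenthub-system
clusterrole vcd-contenthuboperator-install -
clusterrolebinding vcd-contenthuboperator-install -
ns vcd-contenthub-workloads -
ns vcd-contenthub-system -'

# Print "kind/name" for every listed object that still exists on the cluster.
# A namespace that is still in the Terminating phase counts as present.
contenthub_present() {
  printf '%s\n' "$CONTENTHUB_OBJECTS" | while read -r kind name ns; do
    if [ "$ns" = "-" ]; then
      set -- get "$kind" "$name"
    else
      set -- get "$kind" "$name" -n "$ns"
    fi
    if kubectl "$@" >/dev/null 2>&1 </dev/null; then
      echo "$kind/$name"
    fi
  done
}

# contenthub_check installed   -> 0 when both operator namespaces exist
# contenthub_check uninstalled -> 0 when none of the listed objects remain
contenthub_check() {
  present=$(contenthub_present)
  case "$1" in
    installed)
      for ns in vcd-contenthub-system vcd-contenthub-workloads; do
        if ! printf '%s\n' "$present" | grep -qxF "ns/$ns"; then
          echo "missing namespace: $ns" >&2
          return 1
        fi
      done ;;
    uninstalled)
      if [ -n "$present" ]; then
        echo "still present after uninstall:" >&2
        printf '  %s\n' $present >&2
        return 1
      fi ;;
    *) echo "usage: contenthub_check installed|uninstalled" >&2; return 2 ;;
  esac
}

# Run as: sh check.sh installed   or   sh check.sh uninstalled
if [ $# -gt 0 ]; then contenthub_check "$1"; fi
```

A non-zero exit in the uninstalled mode means the cleanup has not finished; rerun the check until it passes.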

Manage the User Access to a Kubernetes Cluster in Your VMware Cloud Director Tenant Portal

To grant or restrict access to a Kubernetes cluster, you can change the user access levels or remove user permissions.

Prerequisites

Procedure

  1. From the primary left navigation panel, select Content Hub.
  2. From the secondary left panel, select Kubernetes Clusters.
  3. Click the name of the Kubernetes cluster you want to manage.
    The Kubernetes cluster overview page appears.
  4. Select the Users page-level tab.
  5. To change the user access to the Kubernetes cluster, click Manage Access, and from the Access level drop-down menu, select the access level that you want each user to have, and click Save.
    The list shows the users in the organization. By default, the users do not have access to the Kubernetes clusters. Users without any access level cannot see the Kubernetes cluster.
    Option: Description
    • Read Only: Users with this access level can see the Kubernetes cluster.
    • Read/Write: Users with this access level can manage the cluster.
    • Full Control: Users with this access level can manage the cluster and namespace sharing options and can deploy applications to any namespace.
  6. To remove a user's access to the Kubernetes cluster, click the vertical ellipsis (⋮) on the left of the user name, click Remove Access, and confirm the action.
    You cannot remove the access of the owner of the cluster.

Manage the Namespace Access to a Kubernetes Cluster in Your VMware Cloud Director Tenant Portal

You can use namespaces to divide and isolate cluster resources between the users of your organization.

Prerequisites

Procedure

  1. From the primary left navigation panel, select Content Hub.
  2. From the secondary left panel, select Kubernetes Clusters.
  3. Click the name of the Kubernetes cluster you want to manage.
    The Kubernetes cluster overview page appears.
  4. Select the Namespaces page-level tab.
  5. To share a namespace with a user, click the vertical ellipsis (⋮) on the left of the namespace, and click Share.
  6. Select the users that you want to have access to the namespace, deselect the users that you do not want to have access, and click Save.
    If you select a user that does not have the View: VMWARE:CAPVCDCLUSTER right, they will not be able to see the cluster.