This topic describes how to create dedicated users and roles for your vSphere environment before deploying VMware Tanzu Kubernetes Grid Integrated Edition (TKGI).
Note: This topic provides security considerations for defining dedicated vSphere user accounts for use with Kubernetes cluster VMs provisioned by Tanzu Kubernetes Grid Integrated Edition. The information in this topic is only relevant if you do not want to use the vSphere administrator account for the Tanzu Kubernetes Grid Integrated Edition and Kubernetes cluster VMs. If you are comfortable using the vSphere administrator account for the TKGI and Kubernetes cluster VMs, skip this topic.
Before you install Tanzu Kubernetes Grid Integrated Edition on vSphere, you can prepare your vSphere environment by creating the required user accounts and configuring DNS for the TKGI API endpoint.
You can create the following service accounts in vSphere:
WARNING: The TKGI Master Node User Account and BOSH/Ops Manager service accounts must be two separate accounts.
After creating the Master Node and BOSH/Ops Manager service accounts you must grant the accounts privileges in vSphere:
Master Node User Account: Kubernetes control plane node VMs require storage permissions to create load balancers and attach persistent disks to pods. Creating a custom role for this service account allows vSphere to apply the same privileges to all Kubernetes control plane node VMs in your Tanzu Kubernetes Grid Integrated Edition installation.
BOSH/Ops Manager User Account: BOSH Director requires permissions to create VMs. You can apply privileges directly to this service account without creating a role. You can also apply the default VMware Administrator System Role to this user account to achieve the appropriate permission level.
VMware recommends configuring each service account with the least permissive privileges and unique credentials.
Note: If your Kubernetes clusters span multiple vCenters, you must set the user account privileges correctly in each vCenter.
To prepare your vSphere environment, do the following:
Before you prepare your vSphere environment, fulfill the prerequisites in vSphere Prerequisites and Resource Requirements.
From the vCenter console, create a user account for Kubernetes cluster control plane VMs.
Grant the following Virtual Machine Object privileges to the user account:
Privilege (UI) | Privilege (API) |
---|---|
Virtual Machine > Advanced configuration | VirtualMachine.Config.AdvancedConfig |
Virtual Machine > Change Settings | VirtualMachine.Config.Settings |
Kubernetes control plane node VM user accounts require the following:
Grant these permissions to the control plane node user account based on your storage configuration using one of the procedures below:
The procedures in this topic use the following vCenter permissions objects:
Virtual Machine Configuration privileges control the ability to configure virtual machine options and devices. For information about Virtual Machine Configuration, see Virtual Machine Configuration Privileges in the VMware vSphere documentation.
Datastore privileges control the ability to browse, manage, and allocate space on datastores. For information about Datastore, see Datastore Privileges in the VMware vSphere documentation.
Resource privileges control the creation and management of resource pools, and the migration of virtual machines. For information about Resource, see Resource Privileges in the VMware vSphere documentation.
Storage Views privileges control privileges for Storage Monitoring Service APIs. Starting with vSphere 6.0, storage views are deprecated and these privileges no longer apply to them. For information about Storage Views, see Storage Views Privileges in the VMware vSphere documentation. For more information about vSphere storage configurations, see vSphere Storage for Kubernetes in the VMware vSphere documentation.
For information about the vSphere virtual machine permissions API, see ReconfigVM_Task(reconfigure) in the vSphere Web Services API documentation.
To configure your Kubernetes control plane node user account using static-only Persistent Volume (PV) provisioning, do the following:
Create a custom role named manage-k8s-node-vms that allows the service account to manage Kubernetes node VMs. For more information about custom roles in vCenter, see Create a Custom Role in the VMware vSphere documentation.
Grant the following privileges at the VM Folder level using either the vCenter UI or API:
Privilege (UI) | Privilege (API) |
---|---|
Virtual Machine > Add existing disk | VirtualMachine.Config.AddExistingDisk |
Virtual Machine > Add new disk | VirtualMachine.Config.AddNewDisk |
Virtual Machine > Add or remove device | VirtualMachine.Config.AddRemoveDevice |
Virtual Machine > Remove disk | VirtualMachine.Config.RemoveDisk |
Select the Propagate to Child Objects check box.
(Optional) Create a custom role named manage-k8s-volumes that allows the user account to manage Kubernetes volumes.
Note: This role is required if you create a Persistent Volume Claim (PVC) to bind with a statically provisioned PV, and the reclaim policy is set to delete. When the PVC is deleted, the statically provisioned PV is also deleted.
Grant the following privilege at the Datastore level using either the vCenter UI or API:
Privilege (UI) | Privilege (API) |
---|---|
Datastore > Low level file operations | Datastore.FileManagement |
Clear the Propagate to Child Objects check box.
Grant the service account the existing Read-only role. This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels:
Privilege (UI) | Privilege (API) |
---|---|
Read-only | System.Anonymous |
 | System.Read |
 | System.View |
Continue to Create the BOSH/Ops Manager User Account.
To configure your Kubernetes control plane node user account using dynamic PV provisioning with storage policy-based placement, do the following:
Create a custom role named manage-k8s-node-vms that allows the user account to manage Kubernetes node VMs. For more information about custom roles in vCenter, see Create a Custom Role in the VMware vSphere documentation.
Grant the following privileges at the Cluster, Hosts, and VM Folder levels using either the vCenter UI or API:
Privilege (UI) | Privilege (API) |
---|---|
Resource > Assign virtual machine to resource pool | Resource.AssignVMToPool |
Virtual Machine > Add existing disk | VirtualMachine.Config.AddExistingDisk |
Virtual Machine > Add new disk | VirtualMachine.Config.AddNewDisk |
Virtual Machine > Add or remove device | VirtualMachine.Config.AddRemoveDevice |
Virtual Machine > Remove disk | VirtualMachine.Config.RemoveDisk |
Virtual Machine > Create new | VirtualMachine.Inventory.Create |
Virtual Machine > Remove | VirtualMachine.Inventory.Remove |
Select the Propagate to Child Objects check box.
Create a custom role named manage-k8s-volumes that allows the user account to manage Kubernetes volumes.
Grant the following privileges using either the vCenter UI or API:
Privilege (UI) | Privilege (API) |
---|---|
Datastore > Allocate space | Datastore.AllocateSpace |
Datastore > Low level file operations | Datastore.FileManagement |
Clear the Propagate to Child Objects check box.
Create a custom role named k8s-system-read-and-spbm-profile-view that allows the user account to read the Kubernetes storage profile.
Grant the following privilege at the vCenter level using either the vCenter UI or API:
Privilege (UI) | Privilege (API) |
---|---|
Profile-driven storage view | StorageProfile.View |
Clear the Propagate to Child Objects check box.
Grant the user account the existing Read-only role. This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels:
Privilege (UI) | Privilege (API) |
---|---|
Read-only | System.Anonymous |
 | System.Read |
 | System.View |
Continue to Create the BOSH/Ops Manager Service Account.
To configure your Kubernetes control plane node user account using dynamic PV provisioning without storage policy-based placement, do the following:
Create a custom role named manage-k8s-node-vms that allows the user account to manage Kubernetes node VMs. For more information about custom roles in vCenter, see Create a Custom Role in the VMware vSphere documentation.
Grant the following privileges at the Cluster, Hosts, and VM Folder levels using either the vCenter UI or API:
Privilege (UI) | Privilege (API) |
---|---|
Virtual Machine > Add existing disk | VirtualMachine.Config.AddExistingDisk |
Virtual Machine > Add new disk | VirtualMachine.Config.AddNewDisk |
Virtual Machine > Add or remove device | VirtualMachine.Config.AddRemoveDevice |
Virtual Machine > Remove disk | VirtualMachine.Config.RemoveDisk |
Select the Propagate to Child Objects check box.
Create a custom role named manage-k8s-volumes that allows the user account to manage Kubernetes volumes.
Grant the following privileges using either the vCenter UI or API:
Privilege (UI) | Privilege (API) |
---|---|
Datastore > Allocate space | Datastore.AllocateSpace |
Datastore > Low level file operations | Datastore.FileManagement |
Clear the Propagate to Child Objects check box.
Grant the user account the existing Read-only role. This role includes the following privileges at the vCenter, Datacenter, Datastore Cluster, and Datastore Storage Folder levels:
Privilege (UI) | Privilege (API) |
---|---|
Read-only | System.Anonymous |
 | System.Read |
 | System.View |
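The three procedures above (static-only, dynamic with storage policy-based placement, dynamic without it) differ only in which privilege IDs each custom role carries and whether the role propagates. The following script is an added example and is not part of the VMware documentation or the TKGI product: it encodes the privilege tables as data and diffs them against what a role actually carries in vCenter, so excess privileges (the least-privilege finding VMware warns about) show up before the cluster is deployed. All privilege IDs come from the Privilege (API) columns above; the role names are the ones used in the procedures. It assumes the role's current privileges are obtained as one privilege ID per line, which is how the govc CLI's `role.ls ROLE` command prints them (govc is not covered on this page, so treat that format as an assumption); the sample role output is constructed.

```python
"""Least-privilege audit of the TKGI control plane node vSphere roles.

Added example, not code from the VMware documentation. Privilege IDs are the
"Privilege (API)" values from the tables above; the role listing format (one
ID per line, as `govc role.ls ROLE` prints it) is an assumption, and the
sample listing at the bottom is constructed for the demonstration.
"""
from dataclasses import dataclass

# Privileges from the tables above, grouped the way the procedures reuse them.
NODE_VM_DISK = frozenset({
    "VirtualMachine.Config.AddExistingDisk",
    "VirtualMachine.Config.AddNewDisk",
    "VirtualMachine.Config.AddRemoveDevice",
    "VirtualMachine.Config.RemoveDisk",
})
# Only the dynamic-with-SPBM procedure adds these to manage-k8s-node-vms.
NODE_VM_LIFECYCLE = frozenset({
    "Resource.AssignVMToPool",
    "VirtualMachine.Inventory.Create",
    "VirtualMachine.Inventory.Remove",
})
VOLUMES_DYNAMIC = frozenset({"Datastore.AllocateSpace", "Datastore.FileManagement"})


@dataclass(frozen=True)
class RoleSpec:
    name: str
    privileges: frozenset
    propagate: bool          # "Propagate to Child Objects" setting from the procedure
    optional: bool = False   # manage-k8s-volumes is optional for static-only PVs


PROFILES = {
    "static-only": (
        RoleSpec("manage-k8s-node-vms", NODE_VM_DISK, True),
        RoleSpec("manage-k8s-volumes", frozenset({"Datastore.FileManagement"}), False,
                 optional=True),
    ),
    "dynamic-spbm": (
        RoleSpec("manage-k8s-node-vms", NODE_VM_DISK | NODE_VM_LIFECYCLE, True),
        RoleSpec("manage-k8s-volumes", VOLUMES_DYNAMIC, False),
        RoleSpec("k8s-system-read-and-spbm-profile-view",
                 frozenset({"StorageProfile.View"}), False),
    ),
    "dynamic-no-spbm": (
        RoleSpec("manage-k8s-node-vms", NODE_VM_DISK, True),
        RoleSpec("manage-k8s-volumes", VOLUMES_DYNAMIC, False),
    ),
}


def parse_role_ls(text):
    """Parse a role listing with one privilege ID per line; blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def audit_role(spec, actual):
    """Diff a role against its spec.

    Returns (missing, excess). Missing IDs surface as provisioning failures;
    excess IDs are the least-privilege finding and should be removed.
    """
    actual = set(actual)
    return sorted(spec.privileges - actual), sorted(actual - spec.privileges)


def audit_profile(profile, vcenter_roles):
    """vcenter_roles maps role name -> privilege IDs (e.g. from parse_role_ls).

    Returns {role name: (missing, excess)}. A required role that does not
    exist reports every privilege as missing; an absent optional role is skipped.
    """
    findings = {}
    for spec in PROFILES[profile]:
        if spec.name not in vcenter_roles:
            if not spec.optional:
                findings[spec.name] = (sorted(spec.privileges), [])
            continue
        findings[spec.name] = audit_role(spec, vcenter_roles[spec.name])
    return findings


def is_least_privilege(findings):
    """True only when no audited role carries a privilege outside its documented set."""
    return all(not excess for _, excess in findings.values())


# Constructed sample listing for manage-k8s-node-vms in a static-only deployment
# where VM create/remove were granted "just in case" (the excess this audit flags).
SAMPLE_NODE_VMS_ROLE = """\
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Config.RemoveDisk
VirtualMachine.Inventory.Create
VirtualMachine.Inventory.Remove
"""

if __name__ == "__main__":
    roles = {"manage-k8s-node-vms": parse_role_ls(SAMPLE_NODE_VMS_ROLE)}
    for name, (missing, excess) in audit_profile("static-only", roles).items():
        print(f"{name}: missing={missing} excess={excess}")
```

Run the audit against the profile that matches your storage configuration; the same role listing that is clean for one profile can be over-privileged for another, which is why the check takes the profile name rather than a single merged privilege set. The Read-only role is a built-in vCenter role and is assigned rather than created, so it is checked through the permission assignment, not through this role diff.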
There are two options for granting permissions to the BOSH/Ops Manager Service Accounts:
Grant Administrator Role permissions. Apply the default VMware Administrator Role to each BOSH/Ops Manager Service Account as described in vCenter Server System Roles.
Warning: Applying the VMware Administrator Role to the BOSH/Ops Manager Service Account grants the account more privileges than are required. For optimal security always use the least privileged account.
Navigate to your DNS provider and create an entry for a fully qualified domain name (FQDN) within your system domain. For example, api.tkgi.example.com.
When you configure the Tanzu Kubernetes Grid Integrated Edition tile, enter this FQDN in the TKGI API pane.
After you deploy Tanzu Kubernetes Grid Integrated Edition, you map the IP address of the TKGI API to this FQDN. You can then use this FQDN to access the TKGI API from your local system.
To install and configure Ops Manager, follow the instructions in Installing and Configuring Ops Manager on vSphere.