The vSphere user that the CSI plug-in authenticates with requires a specific set of privileges to perform Cloud Native Storage operations.

To learn how to create and assign a role, see the vSphere Security documentation.

You must create the following roles, each with the listed set of privileges:

Role: CNS-Datastore
  Privilege: Datastore > Low level file operations
  Description: Allows performing read, write, delete, and rename operations in the datastore browser.
  Required on: Shared datastores where persistent volumes reside.
  Privileges as listed by govc:
    % govc role.ls CNS-DATASTORE
    Datastore.FileManagement
    System.Anonymous
    System.Read
    System.View
  Note: Before CSI v2.2.0, every shared datastore had to carry the Datastore.FileManagement privilege. From CSI v2.2.0 this is no longer required for all shared datastores: during volume provisioning, CSI skips shared datastores that lack the Datastore.FileManagement privilege and does not provision volumes on them.

Role: CNS-HOST-CONFIG-STORAGE
  Privilege: Host > Configuration > Storage partition configuration
  Description: Allows vSAN datastore management.
  Required on: A vSAN cluster with vSAN file service. Required for file volumes only.
  Privileges as listed by govc:
    % govc role.ls CNS-HOST-CONFIG-STORAGE
    Host.Config.Storage
    System.Anonymous
    System.Read
    System.View

Role: CNS-VM
  Privilege: Virtual machine > Change Configuration > Add existing disk
    Description: Allows adding an existing virtual disk to a virtual machine.
  Privilege: Virtual machine > Change Configuration > Add or remove device
    Description: Allows addition or removal of any non-disk device.
  Required on: All node VMs.
  Privileges as listed by govc:
    % govc role.ls CNS-VM
    System.Anonymous
    System.Read
    System.View
    VirtualMachine.Config.AddExistingDisk
    VirtualMachine.Config.AddRemoveDevice

Role: CNS-SEARCH-AND-SPBM
  Privilege: CNS > Searchable
    Description: Allows the storage administrator to see the Cloud Native Storage UI.
  Privilege: Profile-driven storage > Profile-driven storage view
    Description: Allows viewing of defined storage policies.
  Required on: Root vCenter Server.
  Privileges as listed by govc:
    % govc role.ls CNS-SEARCH-AND-SPBM
    Cns.Searchable
    StorageProfile.View
    System.Anonymous
    System.Read
    System.View

Role: Read-only (default role, named ReadOnly in vCenter)
  Privilege: Default role
  Description: Users with the Read Only role for an object are allowed to view the state of the object and details about the object. For example, users with this role can find the shared datastore accessible to all node VMs.
  Required on: All hosts where the node VMs reside; the data center.
  Privileges as listed by govc:
    % govc role.ls ReadOnly
    System.Anonymous
    System.Read

For topology-aware environments, all ancestors of the node VMs, such as the host, cluster, folder, and data center, must have the Read-only role assigned to the vSphere user configured for the CSI plug-in and CCM. This is required so that tags and categories can be read to build the node topology.
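The privilege listings above are what `govc role.ls` prints, so they can be checked mechanically. The script below is an added example, not part of the vSphere CSI documentation: it compares a role's govc output (one privilege name per line) against the expected set from this page and reports anything missing. The `sample_cns_vm` output is constructed so the script runs offline; `check_live_role` is the same check against a real vCenter.

```shell
#!/bin/sh
# Added example (not from the vSphere CSI docs): verify that each CSI role in
# vCenter carries every privilege listed on this page.

# Expected privilege names per role, exactly as the page's govc listings show them.
expected_privileges() {
  case "$1" in
    CNS-DATASTORE)           echo "Datastore.FileManagement System.Anonymous System.Read System.View" ;;
    CNS-HOST-CONFIG-STORAGE) echo "Host.Config.Storage System.Anonymous System.Read System.View" ;;
    CNS-VM)                  echo "System.Anonymous System.Read System.View VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddRemoveDevice" ;;
    CNS-SEARCH-AND-SPBM)     echo "Cns.Searchable StorageProfile.View System.Anonymous System.Read System.View" ;;
    *)                       return 1 ;;
  esac
}

# missing_privileges ROLE GOVC_OUTPUT
# Prints the expected privileges absent from GOVC_OUTPUT (the text that
# `govc role.ls ROLE` prints). Returns 0 when the role is complete,
# 1 when privileges are missing, 2 for a role this script does not know.
missing_privileges() {
  role=$1
  actual=$2
  expected=$(expected_privileges "$role") || { echo "unknown role: $role" >&2; return 2; }
  missing=""
  for p in $expected; do
    # -x: whole-line match; -F: literal, so the dots in names are not regex wildcards
    printf '%s\n' "$actual" | grep -qxF "$p" || missing="$missing $p"
  done
  missing=${missing# }
  [ -n "$missing" ] || return 0
  echo "$missing"
  return 1
}

# check_live_role ROLE: the same check against the live vCenter. govc reads its
# connection settings from GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD.
check_live_role() {
  missing_privileges "$1" "$(govc role.ls "$1")"
}

# Constructed sample: a CNS-VM role created without "Add or remove device".
sample_cns_vm='System.Anonymous
System.Read
System.View
VirtualMachine.Config.AddExistingDisk'
if gap=$(missing_privileges CNS-VM "$sample_cns_vm"); then
  echo "CNS-VM: ok"
else
  echo "CNS-VM is missing: $gap"
fi
```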

Note: You must also apply the roles whenever a new entity, such as a node VM or a datastore, is added to the vCenter Server inventory for the Kubernetes cluster.

You need to assign the roles to the vSphere objects participating in the Cloud Native Storage environment.

The following example vSphere inventory illustrates how roles are assigned to vSphere objects.
sc2-rdops-vm06-dhcp-215-129.eng.vmware.com (vCenter Server)
|
|- datacenter (Data Center)
    |
    |-vSAN-cluster (cluster)
      |
      |-10.192.209.1 (ESXi Host)
      | |
      | |-k8s-master (node-vm)
      |
      |-10.192.211.250 (ESXi Host)
      | |
      | |-k8s-node1 (node-vm)
      |
      |-10.192.217.166 (ESXi Host)
      | |
      | |-k8s-node2 (node-vm)
      |
      |-10.192.218.26 (ESXi Host)
      | |
      | |-k8s-node3 (node-vm)
As an example, assume that each host has the following shared datastores along with some local VMFS datastores:
  • shared-vmfs
  • shared-nfs
  • vsanDatastore
Role assignment for this inventory, following the "Required on" entries above:
  ReadOnly: datacenter and every ESXi host where a node VM resides (10.192.209.1, 10.192.211.250, 10.192.217.166, 10.192.218.26); in a topology-aware environment also every other ancestor of the node VMs, such as vSAN-cluster and any VM folder.
  CNS-HOST-CONFIG-STORAGE: vSAN-cluster (only when file volumes backed by vSAN file service are used).
  CNS-DATASTORE: the shared datastores where persistent volumes reside, here shared-vmfs, shared-nfs, and vsanDatastore.
  CNS-VM: all node VMs, here k8s-master, k8s-node1, k8s-node2, and k8s-node3.
  CNS-SEARCH-AND-SPBM: the root vCenter Server, here sc2-rdops-vm06-dhcp-215-129.eng.vmware.com.
Note: When you add a new entity (node VM, datastore) to the vCenter Server inventory for the Kubernetes cluster, you must apply the corresponding roles to it as well.