A cluster administrator can grant cluster access to other users, such as developers. Developers can deploy pods to clusters directly using their user accounts, or indirectly using service accounts. For more information, see Using Pod Security Policies with Tanzu Kubernetes Clusters.

• For user account authentication, Tanzu Kubernetes clusters support vCenter Single Sign-On users and groups. The user or group can be local to the vCenter Server, or synchronized from a supported directory server.
• For service account authentication, you can use service tokens. For more information, see the Kubernetes documentation.

To grant cluster access to developers:

1. Define a Role or ClusterRole for the user or group and apply it to the cluster. For more information, see the Kubernetes documentation.
2. Create a RoleBinding or ClusterRoleBinding for the user or group and apply it to the cluster. See the following example.

To grant access to a vCenter Single Sign-On user or group, the subject in the RoleBinding must contain either of the following values for the name parameter.

Table 1. Supported User and Group Fields

Field	Description
sso:USER-NAME@DOMAIN	For example, a local user name, such as sso:[email protected].
sso:GROUP-NAME@DOMAIN	For example, a group name from a directory server integrated with the vCenter Server, such as sso:[email protected].

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-cluster-user-joe
  namespace: default
roleRef:
  kind: ClusterRole
  name: edit                             #Default ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: sso:[email protected]            #sso:<username>@<domain>
  apiGroup: rbac.authorization.k8s.io