Developers are the target users of Kubernetes. Once a Tanzu Kubernetes cluster is provisioned, you can grant developer access using vCenter Single Sign-On authentication.

Authentication for Developers

A cluster administrator can grant cluster access to other users, such as developers. Developers can deploy pods to clusters directly using their user accounts, or indirectly using service accounts. For more information, see Using Pod Security Policies with Tanzu Kubernetes Clusters.
  • For user account authentication, Tanzu Kubernetes clusters support vCenter Single Sign-On users and groups. The user or group can be local to the vCenter Server, or synchronized from a supported directory server.
  • For service account authentication, you can use service tokens. For more information, see the Kubernetes documentation.

Adding Developer Users to a Cluster

To grant cluster access to developers:
  1. Define a Role or ClusterRole for the user or group and apply it to the cluster. For more information, see the Kubernetes documentation.
  2. Create a RoleBinding or ClusterRoleBinding for the user or group and apply it to the cluster. See the following example.

Example RoleBinding

To grant access to a vCenter Single Sign-On user or group, the subject in the RoleBinding must use one of the following forms for the name parameter.
Table 1. Supported User and Group Fields

Field                   Description
sso:USER-NAME@DOMAIN    A vCenter Single Sign-On user, for example the local user sso:joe@vsphere.local.
sso:GROUP-NAME@DOMAIN   A vCenter Single Sign-On group, for example a group from a directory server integrated with the vCenter Server, such as

The following example RoleBinding binds the vCenter Single Sign-On local user named Joe to the default ClusterRole named edit. This role permits read/write access to most objects in a namespace, in this case the default namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebinding-cluster-user-joe
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit                             #Default ClusterRole
subjects:
- kind: User
  name: sso:joe@vsphere.local            #sso:<username>@<domain>
  apiGroup: rbac.authorization.k8s.io
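The two steps above (define a Role, then bind it) carried through for a vCenter Single Sign-On group rather than a single user, as an added example that is not part of the VMware documentation. Instead of the broad built-in edit ClusterRole it renders a namespace-scoped Role covering common developer resources, and it checks that the subject name follows the sso:NAME@DOMAIN form from Table 1 before the manifest is emitted: the API server accepts a RoleBinding with a misspelled subject name without complaint, but that binding then grants access to nobody. The group name dev-team, the domain vsphere.local and the dev namespace are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the VMware documentation: render a namespace-scoped
# Role and a RoleBinding for a vCenter Single Sign-On group of developers, and
# check the subject name format before it is applied.
# "dev-team", "vsphere.local" and the "dev" namespace are constructed placeholders.

# A subject must be spelled sso:NAME@DOMAIN. A RoleBinding whose subject name
# is malformed is stored by the API server but matches no one, so catch it here.
check_sso_subject() {
  case "$1" in
    sso:?*@?*) ;;                      # prefix, non-empty name, '@', non-empty domain
    *) return 1 ;;
  esac
  case "${1#sso:}" in
    *@*@*|*[[:space:]]*) return 1 ;;   # a second '@' or whitespace is a typo
  esac
  return 0
}

# Step 1: a Role scoped to one namespace that covers day-to-day developer work
# without the wider reach of the built-in "edit" ClusterRole.
render_developer_role() {
  ns=$1
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
}

# Step 2: bind that Role to an SSO subject. KIND is User or Group; the subject
# name is validated first, and the function fails instead of emitting a
# binding that would silently match nobody.
render_rolebinding() {
  ns=$1; kind=$2; subject=$3
  check_sso_subject "$subject" || { echo "bad subject name: $subject" >&2; return 1; }
  lower_kind=$(printf '%s' "$kind" | tr 'A-Z' 'a-z')   # metadata.name must be lowercase
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebinding-developer-${lower_kind}
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
- kind: ${kind}
  name: ${subject}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Emit both manifests; pipe the output into:  kubectl apply -f -
render_developer_role dev
echo "---"
render_rolebinding dev Group sso:dev-team@vsphere.local
```

After applying the output, confirm the binding took effect from the cluster's point of view rather than by reading the YAML back, for example with `kubectl auth can-i create deployments --namespace dev --as=sso:joe@vsphere.local --as-group=sso:dev-team@vsphere.local`; a `no` there usually means the subject name in the binding does not match what the authenticator issues.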