As a vSphere administrator, you need privileges to configure a Supervisor Cluster and to manage namespaces. You define permission on namespaces to determine which DevOps engineers can access them. As a DevOps engineer, you authenticate with the Supervisor Cluster by using your vCenter Single Sign-On credentials, and can access only the namespaces for which you have permissions.

Permissions for vSphere Administrators

As a vSphere administrator, you need permissions on vSphere clusters to configure them as Supervisor Clusters as well as to create and manage namespaces. You must have at least one of the following privileges associated with your user account on a vSphere cluster:

  • Modify namespace configuration. Allows you to create and configure namespaces on a Supervisor Cluster.
  • Modify cluster-wide configuration. Allows you to configure a vSphere cluster as a Supervisor Cluster.

Setting Permissions for DevOps Engineers

As a vSphere administrator, you grant read-only or write permissions to user accounts at the namespace level. The user accounts must be available in an identity source that is connected to vCenter Single Sign-On. One user account can have access to multiple namespaces. Users who are members of the Administrators group have access to all the namespaces on the Supervisor Cluster.

After you configure a namespace with permissions, resource quotas, and storage, you provide the URL of the Kubernetes control plane to DevOps engineers, who can use it to log in to the control plane. Once logged in, DevOps engineers can access all the namespaces for which they have permissions across all of the Supervisor Clusters that belong to a vCenter Server system. When vCenter Server systems are in Enhanced Linked Mode, DevOps engineers can access all namespaces for which they have permissions across all the Supervisor Clusters available in the Linked Mode group. The IP address of the Kubernetes control plane is a virtual IP generated by NSX-T to serve as an access point to the Kubernetes control plane.

Authentication with the Supervisor Cluster

As a DevOps engineer, you use the Kubernetes CLI Tools for vSphere to authenticate to the Supervisor Cluster by using your vCenter Single Sign-On credentials and the Kubernetes control plane IP address. For more information, see Connect to the Supervisor Cluster as a vCenter Single Sign-On User.

When you log in to the Supervisor Cluster, an authentication proxy redirects the request to vCenter Single Sign-On. The vSphere kubectl plug-in establishes a session with vCenter Server and obtains an authentication token from vCenter Single Sign-On. It also fetches a list of namespaces to which you have access, and populates the configuration with these namespaces. The list of namespaces is updated on the next login, if there are changes to the permissions of your user account.
Note: The kubectl session lasts for 10 hours. After the session expires, you must authenticate with the Supervisor Cluster again. At logout, the token is deleted from the configuration file of your user account, but it remains valid until the session ends.
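To make the login flow and the note above concrete, here is an added example (not part of this documentation and not the vSphere plug-in's own code) that inspects a kubeconfig the way you might after `kubectl vsphere login`: it lists the namespaces the plug-in populated, reports how much of the 10-hour session remains, and shows that a local logout removes the token without shortening its validity. It assumes the token is a JWT carrying an `exp` claim, that the config has already been loaded into a dict (for example with `yaml.safe_load`), and that the user and context names and the address 192.0.2.10 are constructed.

```python
import base64
import copy
import json

USER = "wcp:192.0.2.10:devops@vsphere.local"  # assumed plug-in naming, constructed user
SESSION_SECONDS = 10 * 3600                    # session lifetime stated in the note
LOGIN_TIME = 1_700_000_000                     # constructed login timestamp (Unix seconds)

def make_jwt(exp):
    """Build a constructed JWT (placeholder signature) carrying only sub and exp claims."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return b64({"alg": "RS256"}) + "." + b64({"sub": "devops@vsphere.local", "exp": exp}) + ".sig"

def token_expiry(token):
    """Read the exp claim without verifying the signature: fine for a local
    'is my session still live' check, never a substitute for server-side validation."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)       # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

# Constructed kubeconfig as a dict (what yaml.safe_load would return); the
# one-context-per-namespace layout is an assumption about the plug-in's output.
SAMPLE_KUBECONFIG = {
    "clusters": [{"name": "192.0.2.10", "cluster": {"server": "https://192.0.2.10:6443"}}],
    "users": [{"name": USER, "user": {"token": make_jwt(LOGIN_TIME + SESSION_SECONDS)}}],
    "contexts": [
        {"name": "192.0.2.10", "context": {"cluster": "192.0.2.10", "user": USER}},
        {"name": "dev-team", "context": {"cluster": "192.0.2.10", "user": USER, "namespace": "dev-team"}},
        {"name": "qa-team", "context": {"cluster": "192.0.2.10", "user": USER, "namespace": "qa-team"}},
    ],
}

def session_report(kubeconfig, now):
    """Namespaces the login populated, plus seconds left per user (0 once expired or logged out)."""
    namespaces = [c["context"]["namespace"] for c in kubeconfig["contexts"] if "namespace" in c["context"]]
    remaining = {}
    for u in kubeconfig["users"]:
        token = u["user"].get("token")
        remaining[u["name"]] = max(0, token_expiry(token) - now) if token else 0
    return {"namespaces": namespaces, "remaining": remaining}

def local_logout(kubeconfig, user_name):
    """Client-side effect of logout: drop the token from a copy of the config. The server-side
    session is untouched, so any saved copy of the token stays usable until the window closes."""
    cfg = copy.deepcopy(kubeconfig)
    for u in cfg["users"]:
        if u["name"] == user_name:
            u["user"].pop("token", None)
    return cfg
```

Because the token outlives the local logout, treat a token that was copied elsewhere (a shared shell history, a CI log) as live until the session's 10 hours have passed.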

Authentication with Tanzu Kubernetes Clusters

Tanzu Kubernetes cluster users, including DevOps engineers, developers, and administrators, can authenticate with a cluster in various ways. For more information, see How to Authenticate with Tanzu Kubernetes Clusters.

Note: Tanzu Kubernetes clusters require user and system accounts to have a pod security policy in order to deploy pods and resources to a cluster. For more information, see Using Pod Security Policies with Tanzu Kubernetes Clusters.