As a vSphere administrator, you need privileges to configure a Supervisor Cluster and to manage namespaces. You define permissions on namespaces to determine which DevOps engineers can access them. As a DevOps engineer, you authenticate with the Supervisor Cluster by using your vCenter Single Sign-On credentials, and can access only the namespaces for which you have permissions.
Permissions for vSphere Administrators
As a vSphere administrator, you need permissions on vSphere clusters to configure them as Supervisor Clusters as well as to create and manage namespaces. You must have at least one of the following privileges associated with your user account on a vSphere cluster:
- Modify namespace configuration. Allows you to create and configure namespaces on a Supervisor Cluster.
- Modify cluster-wide configuration. Allows you to configure a vSphere cluster as a Supervisor Cluster.
Setting Permissions for DevOps Engineers
As a vSphere administrator, you grant read-only or write permissions to user accounts at the namespace level. The user accounts must be available in an identity source that is connected to vCenter Single Sign-On. One user account can have access to multiple namespaces. Users who are members of the Administrators groups have access to all the namespaces on the Supervisor Cluster.
After you configure a namespace with permissions, resource quotas, and storage, you provide the URL of the Kubernetes control plane to DevOps engineers, who can use it to log in to the control plane. Once logged in, DevOps engineers can access all the namespaces for which they have permissions across all of the Supervisor Clusters that belong to a vCenter Server system. When vCenter Server systems are in Enhanced Linked Mode, DevOps engineers can access all namespaces for which they have permissions across all the Supervisor Clusters available in the Linked Mode group. The IP address of the Kubernetes control plane is a virtual IP generated by NSX-T to serve as an access point to the Kubernetes control plane.
Authentication with the Supervisor Cluster
As a DevOps engineer, you use the Kubernetes CLI Tools for vSphere to authenticate to the Supervisor Cluster by using your vCenter Single Sign-On credentials and the Kubernetes control plane IP address. For more information, see Connect to the Supervisor Cluster as a vCenter Single Sign-On User.
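After logging in, you can confirm that the read-only or write permission granted on each namespace is the one actually in effect. The following script is an added example, not VMware code; the function names are hypothetical, and it assumes that pods are a representative resource (write permission allows creating them, read-only permission allows reading them).

```shell
#!/bin/sh
# Added example, not part of the original documentation.
# Assumes a prior login with the Kubernetes CLI Tools for vSphere, for example:
#   kubectl vsphere login --server=<control-plane-IP> --vsphere-username <user>
# Namespace names passed to audit_access are supplied by you.

# Print the effective access level for one namespace:
# "write", "read-only" or "none".
# "kubectl auth can-i ... -q" exits 0 when the action is allowed.
access_level() {
    ns=$1
    if kubectl auth can-i create pods --namespace "$ns" -q 2>/dev/null; then
        echo "write"
    elif kubectl auth can-i get pods --namespace "$ns" -q 2>/dev/null; then
        echo "read-only"
    else
        echo "none"
    fi
}

# Compare expected grants, given as "namespace=level" pairs, with what the
# control plane reports. Returns non-zero if any namespace differs, so the
# script can gate a pipeline or a periodic access review.
audit_access() {
    rc=0
    for pair in "$@"; do
        ns=${pair%%=*}
        want=${pair#*=}
        got=$(access_level "$ns")
        if [ "$got" = "$want" ]; then
            echo "OK       $ns: $got"
        else
            echo "MISMATCH $ns: expected $want, got $got"
            rc=1
        fi
    done
    return $rc
}

# Usage (namespace names are placeholders):
#   audit_access team-a=write team-b=read-only team-c=none
```

A MISMATCH line for a namespace expected to be "none" or "read-only" points to a broader grant than intended, for example through group membership in the identity source.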
Authentication with Tanzu Kubernetes Clusters
Tanzu Kubernetes cluster users, including DevOps engineers, developers, and administrators, can authenticate with a cluster in various ways. For more information, see How to Authenticate with Tanzu Kubernetes Clusters.