As a vSphere administrator, you need privileges to configure a Supervisor Cluster and to manage namespaces. You define permissions on namespaces to determine which DevOps engineers can access them. As a DevOps engineer, you authenticate with the Supervisor Cluster by using your vCenter Single Sign-On credentials, and can access only the namespaces for which you have permissions.
Permissions for vSphere Administrators
As a vSphere administrator, you need permissions on vSphere clusters to configure them as Supervisor Clusters as well as to create and manage namespaces. You must have at least one of the following privileges associated with your user account on a vSphere cluster:
- Modify namespace configuration. Allows you to create and configure namespaces on a Supervisor Cluster.
- Modify cluster-wide configuration. Allows you to configure a vSphere cluster as a Supervisor Cluster.
Setting Permissions for DevOps Engineers
As a vSphere administrator, you grant view, edit, or owner permissions to user accounts at the namespace level. The user accounts must be available in an identity source that is connected to vCenter Single Sign-On. One user account can have access to multiple namespaces. Users who are members of the Administrators group have access to all the namespaces on the Supervisor Cluster.
After you configure a namespace with permissions, resource quotas, and storage, you provide the URL of the Kubernetes control plane to DevOps engineers, who use it to log in to the control plane. Once logged in, DevOps engineers can access all the namespaces for which they have permissions across all of the Supervisor Clusters that belong to a vCenter Server system. When vCenter Server systems are in Enhanced Linked Mode, DevOps engineers can access all namespaces for which they have permissions across all the Supervisor Clusters available in the Linked Mode group. The IP address of the Kubernetes control plane is a virtual IP, provided by NSX-T or by the load balancer used with the VDS networking stack, that serves as the access point to the Kubernetes control plane.
DevOps engineers with owner permissions can deploy workloads. They can share the namespace with other DevOps engineers or groups and delete it when it is no longer required. When DevOps engineers share the namespace, they can assign view, edit, or owner permissions to other DevOps engineers and groups.
Authentication with the Supervisor Cluster
As a DevOps engineer, you use the Kubernetes CLI Tools for vSphere to authenticate to the Supervisor Cluster by using your vCenter Single Sign-On credentials and the Kubernetes control plane IP address. For more information, see Connect to the Supervisor Cluster as a vCenter Single Sign-On User.
When you log in to the Supervisor Cluster, an authentication proxy redirects the request to vCenter Single Sign-On. The vSphere kubectl plug-in establishes a session with vCenter Server and obtains an authentication token from vCenter Single Sign-On. It also fetches a list of namespaces to which you have access, and populates the configuration with these namespaces. The list of namespaces is updated on the next login, if there are changes to the permissions of your user account.
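Because the plug-in writes one context per accessible namespace into the kubeconfig, an administrator can verify a DevOps account's effective namespace access from the output of `kubectl config view -o json` taken after that user logs in. The following check is an added example, not VMware's code; the kubeconfig, control plane IP, user name, and namespace names are constructed.

```python
import json

# Constructed sample of `kubectl config view -o json` output, shaped the way the
# vSphere kubectl plug-in populates the configuration after login: one context for
# the Supervisor Cluster itself plus one per namespace the account may access.
# Every value below (IP, user, namespaces) is an assumption for this example.
SAMPLE_KUBECONFIG_JSON = json.dumps({
    "contexts": [
        {"name": "192.0.2.10",
         "context": {"cluster": "192.0.2.10", "user": "wcp:192.0.2.10:devops@vsphere.local"}},
        {"name": "ns-payments",
         "context": {"cluster": "192.0.2.10", "user": "wcp:192.0.2.10:devops@vsphere.local",
                     "namespace": "ns-payments"}},
        {"name": "ns-sandbox",
         "context": {"cluster": "192.0.2.10", "user": "wcp:192.0.2.10:devops@vsphere.local",
                     "namespace": "ns-sandbox"}},
    ],
    "current-context": "192.0.2.10",
})


def namespaces_in_kubeconfig(config_json: str) -> set[str]:
    """Return the namespaces that the plug-in wrote into the kubeconfig contexts."""
    cfg = json.loads(config_json)
    return {c["context"]["namespace"]
            for c in cfg.get("contexts", [])
            if "namespace" in c.get("context", {})}


def compare_access(granted: set[str], expected: set[str]) -> dict[str, set[str]]:
    """Compare what a login produced with what the administrator intended.

    'unexpected': namespaces the account can reach but was not meant to; review the
                  namespace permissions and group membership (e.g. Administrators).
    'missing':    namespaces granted in vCenter but absent here; the list is refreshed
                  only on the next login, so a stale session is the first thing to check.
    """
    return {"unexpected": granted - expected, "missing": expected - granted}


if __name__ == "__main__":
    # Namespaces the administrator believes this account should hold (constructed).
    intended = {"ns-payments", "ns-billing"}
    report = compare_access(namespaces_in_kubeconfig(SAMPLE_KUBECONFIG_JSON), intended)
    for kind, names in report.items():
        print(f"{kind}: {sorted(names) or '-'}")
```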
Authentication with Tanzu Kubernetes Clusters
Tanzu Kubernetes cluster users, including DevOps engineers, developers, and administrators, can authenticate with a cluster in various ways. For more information, see Authenticating with Tanzu Kubernetes Clusters.