As a vSphere administrator, you need privileges to configure a Supervisor Cluster and to manage namespaces. You define permissions on namespaces to determine which DevOps engineers can access them. As a DevOps engineer, you authenticate with the Supervisor Cluster by using your vCenter Single Sign-On credentials, and can access only the namespaces for which you have permissions.

Note: In vSphere 7.x, x509 certificate chains are not supported with the L4 load balancer endpoint used for the Kubernetes API server. Certificate chains that involve intermediate CAs (for example, if you bring your own CA chain) might experience certificate verification errors.

Permissions for vSphere Administrators

As a vSphere administrator, you need permissions on vSphere clusters to configure them as Supervisor Clusters as well as to create and manage namespaces. You must have at least one of the following privileges associated with your user account on a vSphere cluster:

  • Modify namespace configuration. Allows you to create and configure namespaces on a Supervisor Cluster.
  • Modify cluster-wide configuration. Allows you to configure a vSphere cluster as a Supervisor Cluster.

Setting Permissions for DevOps Engineers

As a vSphere administrator, you grant view, edit, or owner permissions to user accounts at the namespace level. The user accounts must be available in an identity source that is connected to vCenter Single Sign-On. One user account can have access to multiple namespaces. Users who are members of the Administrators group have access to all the namespaces on the Supervisor Cluster.

After you configure a namespace with permissions, resource quotas, and storage, you provide the URL of the Kubernetes control plane to DevOps engineers, who can use it to log in to the control plane. Once logged in, DevOps engineers can access all the namespaces for which they have permissions across all of the Supervisor Clusters that belong to a vCenter Server system. When vCenter Server systems are in Enhanced Linked Mode, DevOps engineers can access all namespaces for which they have permissions across all the Supervisor Clusters available in the Linked Mode group. The IP address of the Kubernetes control plane is a virtual IP generated by NSX-T or a load balancer in use with the VDS networking stack to serve as an access point to the Kubernetes control plane.

DevOps engineers with owner permissions can deploy workloads. They can share the namespace with other DevOps engineers or groups and delete it when it is no longer required. When DevOps engineers share the namespace, they can assign view, edit, or owner permissions to other DevOps engineers and groups.

Authentication with the Supervisor Cluster

As a DevOps engineer, you use the Kubernetes CLI Tools for vSphere to authenticate to the Supervisor Cluster by using your vCenter Single Sign-On credentials and the Kubernetes control plane IP address. For more information, see Connect to the Supervisor Cluster as a vCenter Single Sign-On User.

When you log in to the Supervisor Cluster, an authentication proxy redirects the request to vCenter Single Sign-On. The vSphere kubectl plug-in establishes a session with vCenter Server and obtains an authentication token from vCenter Single Sign-On. It also fetches a list of namespaces to which you have access, and populates the configuration with these namespaces. The list of namespaces is updated on the next login, if there are changes to the permissions of your user account.

The account that you use to log in to the Supervisor Cluster provides you with access only to the namespaces that are assigned to you. You cannot log in to vCenter Server with that account. To log in to vCenter Server, you need explicit permissions.

Note: The kubectl session lasts for 10 hours. After the session expires, you must authenticate with the Supervisor Cluster again. At logout, the token is deleted from the configuration file of your user account, but remains valid until the session ends.
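The login flow and the logout caveat described in the two paragraphs above, as an added example that is not part of the original page and not VMware's own tooling. The Python script models the kubeconfig that a `kubectl vsphere login --server=<control-plane-IP> --vsphere-username <user>` populates: the entry names (`wcp:<IP>:<user>`), the one-context-per-namespace layout and the JWT claim layout are assumptions for illustration, and the token is an unsigned sample constructed inside the script. It reads the expiry claim to report the remaining session time, lists the namespaces recorded in the kubeconfig, and shows that deleting the token at logout does not shorten its lifetime. It never verifies a signature; the Kubernetes API server remains the only authority on whether a token is accepted.

```python
import base64
import json
import time

SESSION_SECONDS = 10 * 60 * 60  # the page states a 10-hour kubectl session


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_token(subject: str, issued_at: int) -> str:
    """Constructed, unsigned JWT-shaped token (alg 'none') with iat/exp claims.

    Assumption for illustration only: the real token issued by vCenter Single
    Sign-On is signed and its claim layout may differ.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + SESSION_SECONDS}
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def make_sample_kubeconfig(server_ip: str, user: str, issued_at: int) -> dict:
    """Constructed kubeconfig in the shape assumed for the plug-in's output:
    one user and cluster entry per Supervisor Cluster, plus one context per
    namespace the user may access (the names are assumptions, not documented)."""
    entry = f"wcp:{server_ip}:{user}"
    token = make_sample_token(user, issued_at)
    # The cluster-level context carries no namespace; the per-namespace ones do.
    contexts = [{"name": server_ip, "context": {"cluster": entry, "user": entry}}]
    for ns in ("staging", "dev-team"):
        contexts.append({"name": ns,
                         "context": {"cluster": entry, "user": entry, "namespace": ns}})
    return {
        "apiVersion": "v1", "kind": "Config", "current-context": server_ip,
        "clusters": [{"name": entry, "cluster": {"server": f"https://{server_ip}:6443"}}],
        "users": [{"name": entry, "user": {"token": token}}],
        "contexts": contexts,
    }


def decode_claims(token: str) -> dict:
    """Read the claims segment without verifying the signature. This is for
    local inspection only; the Kubernetes API server is what validates tokens."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token is not a three-segment JWT")
    return json.loads(_b64url_decode(segments[1]))


def token_seconds_remaining(token: str, now: int) -> int:
    """Seconds until the session token expires, floored at zero."""
    return max(0, int(decode_claims(token)["exp"]) - now)


def is_token_valid(token: str, now: int) -> bool:
    return now < int(decode_claims(token)["exp"])


def accessible_namespaces(cfg: dict) -> list:
    """Namespaces the plug-in recorded as accessible: every context that
    carries a namespace field (the cluster-level context has none)."""
    return sorted(c["context"]["namespace"] for c in cfg["contexts"]
                  if "namespace" in c["context"])


def logout(cfg: dict, user_name: str):
    """Mirror the page's logout behaviour: the token is removed from the
    kubeconfig, but the token itself is untouched and stays valid until the
    session ends, so the file needs protecting for as long as it holds one."""
    for entry in cfg["users"]:
        if entry["name"] == user_name:
            return entry["user"].pop("token", None)
    return None


if __name__ == "__main__":
    now = int(time.time())
    cfg = make_sample_kubeconfig("192.0.2.10", "devops@vsphere.local", now)
    print("namespaces:", accessible_namespaces(cfg))
    tok = cfg["users"][0]["user"]["token"]
    print("session seconds remaining:", token_seconds_remaining(tok, now))
    removed = logout(cfg, "wcp:192.0.2.10:devops@vsphere.local")
    print("token still valid after logout:", is_token_valid(removed, now + 60))
```

Run it as-is to see the namespace list, the remaining session time and the post-logout validity of the removed token; point `decode_claims` at a real kubeconfig token only to read its `exp`, never as a substitute for server-side validation.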

Authentication with Tanzu Kubernetes Clusters

Tanzu Kubernetes cluster users, including DevOps engineers, developers, and administrators, can authenticate with a cluster in various ways. For more information, see Authenticating with Tanzu Kubernetes Clusters.

Note: Tanzu Kubernetes clusters require user and system accounts to have pod security policy to deploy pods and resources to a cluster. For more information, see Using Pod Security Policies with Tanzu Kubernetes Clusters.