Learn about the different authentication mechanisms and how they are used with TKG clusters.
Connecting to the Supervisor
As a DevOps engineer, you connect to the Supervisor to provision TKG clusters. You only have access to the namespaces where you have permissions set by the vSphere administrator.
To connect to the Supervisor on the Kubernetes control plane IP or to provisioned TKG clusters, you can use either of two methods:
- Your vCenter Single Sign-On and the Kubernetes CLI Tools for vSphere. In this case, an authentication token is created that expires every 10 hours.
- Credentials from an OIDC provider registered with the Supervisor and Tanzu CLI. The session with an OIDC provider is controlled by the settings in the provider itself.
For more information, see the Using TKG Service with vSphere IaaS Control Plane documentation.
Connecting to TKG Clusters
As a DevOps engineer, you also connect to provisioned TKG clusters to operate and manage them. When your user account is granted the Edit permission on the vSphere Namespace where the TKG cluster is provisioned, your account is assigned to the cluster-admin role. Alternatively, you can use the kubernetes-admin user to connect to TKG clusters as well. You can also grant developers access to TKG clusters by binding a user or group to a default or custom pod security policy. For more information, see the Using TKG Service with vSphere IaaS Control Plane documentation.