Set permissions on the vSphere Namespace so that vCenter Single Sign-On users and groups can access TKG 2 clusters provisioned there.

Once you have created a vSphere Namespace, you configure it for TKG 2 clusters by adding users/groups and assigning roles. See Configure a vSphere Namespace for TKG Service Clusters.

Prerequisites

Users, groups, and role permissions are set at the vSphere Namespace level. To access Supervisor and TKG 2 clusters, you must first create a vSphere Namespace. See Create a vSphere Namespace for Hosting TKG Service Clusters.

Procedure

  1. Log into vCenter Server using the vSphere Client.
  2. Select Workload Management > Namespaces.
  3. Select the vSphere Namespace you created.
  4. Select Permissions > Add Permissions.
  5. Identity Source: Select vsphere.local for vCenter SSO users and groups.
    Note: If you are using an external identity provider, see Connecting to TKG Clusters on Supervisor Using an External Identity Provider.
  6. User/Group Search: Select the vCenter SSO user or group that you have set up for TKG cluster operators or TKG developers.
  7. Role: Assign the user or group one of the following roles: Can View, Can Edit, or Owner.
     Option     Description
     Can View   Can read TKG cluster objects in the vSphere Namespace. No permissions are mapped to Kubernetes roles. See Role Permissions and Bindings.
     Can Edit   Can create, read, update, and delete TKG cluster objects in the vSphere Namespace. Can operate TKG clusters provisioned in the vSphere Namespace as the Kubernetes cluster-admin. See Role Permissions and Bindings.
     Owner      Same permissions as Can Edit, plus the permission to create and manage vSphere Namespaces using kubectl. Only available with vCenter SSO. See Role Permissions and Bindings.
  8. Complete the configuration of the vSphere Namespace. See Configure a vSphere Namespace for TKG Service Clusters.
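After the role is assigned in the vSphere Client, a practitioner usually wants to confirm what the principal can actually do on the Supervisor rather than trust the label. The following Python script is an added example, not part of the VMware documentation: it parses the output of `kubectl auth can-i --list -n <namespace>` run while logged in as the principal and compares the effective verbs on TKG cluster objects with the role chosen in step 7. The resource names, the assumption that Owner surfaces as a create grant on the namespaces resource, and the sample `can-i` output are constructed for the example.

```python
"""Audit the verbs a principal really holds on TKG cluster objects after a vSphere Namespace
role (Can View / Can Edit / Owner) has been assigned. Input is the text printed by
`kubectl auth can-i --list -n <namespace>` while logged in as that principal."""
import re

# Assumed resource names for TKG cluster objects; the samples below are constructed.
TKG_CLUSTER_RESOURCES = ("tanzukubernetesclusters.run.tanzu.vmware.com", "clusters.cluster.x-k8s.io")
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
RANK = {"none": 0, "Can View": 1, "Can Edit": 2, "Owner": 3}
# One row of `can-i --list`: resource (may be empty), then three bracketed columns.
ROW = re.compile(r"^([^\s\[]*)\s*\[([^\]]*)\]\s+\[([^\]]*)\]\s+\[([^\]]*)\]\s*$")

SAMPLE_CAN_VIEW = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
tanzukubernetesclusters.run.tanzu.vmware.com    []                  []               [get list watch]
clusters.cluster.x-k8s.io                       []                  []               [get list watch]
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
                                                [/api/*]            []               [get]
"""
SAMPLE_CAN_EDIT = SAMPLE_CAN_VIEW.replace("[get list watch]", "[create delete get list patch update watch]")
SAMPLE_OWNER = SAMPLE_CAN_EDIT + "namespaces   []   []   [create delete get list]\n"

def parse_can_i_list(text):
    """Return {resource: set(verbs)}; rows covering only non-resource URLs are skipped."""
    verbs_by_resource = {}
    for line in text.splitlines()[1:]:           # first line is the column header
        m = ROW.match(line)
        if m and m.group(1):
            verbs_by_resource[m.group(1)] = set(m.group(4).split())
    return verbs_by_resource

def effective_role(verbs_by_resource):
    """Map the effective verbs back onto the coarse roles the vSphere Client offers."""
    cluster_verbs = set()
    for res in TKG_CLUSTER_RESOURCES:
        cluster_verbs |= verbs_by_resource.get(res, set())
    if not cluster_verbs:
        return "none"
    if not (cluster_verbs & WRITE_VERBS):
        return "Can View"
    # Owner also creates/manages vSphere Namespaces with kubectl; assumed to surface
    # as create on the namespaces resource. Can Edit has no such grant.
    return "Owner" if "create" in verbs_by_resource.get("namespaces", set()) else "Can Edit"

def audit(can_i_text, assigned_role):
    """Return (effective_role, verdict) where verdict is ok / over-privileged / under-privileged."""
    effective = effective_role(parse_can_i_list(can_i_text))
    gap = RANK[effective] - RANK[assigned_role]
    return effective, "ok" if gap == 0 else ("over-privileged" if gap > 0 else "under-privileged")
```

An "over-privileged" verdict for a principal that was given Can View is the finding worth chasing, since it means a binding outside the vSphere Namespace role is granting write access to cluster objects.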