Set permissions on the vSphere Namespace so that vCenter Single Sign-On users and groups can access TKG 2 clusters provisioned there.
Once you have created a vSphere Namespace, you configure it for TKG 2 clusters by adding users/groups and assigning roles. See Configure a vSphere Namespace for TKG Service Clusters.
Procedure
- Log in to vCenter Server using the vSphere Client.
- Select .
- Select the vSphere Namespace you created.
- Select .
- Identity Source: Select vsphere.local for vCenter SSO users and groups.
- User/Group Search: Select the vCenter SSO user or group configured for TKG cluster operations or TKG developers.
- Role: Assign the user or group to a role by selecting the appropriate role: Can View, Can Edit, or Owner.
| Option | Description |
| --- | --- |
| Can View | Can read TKG cluster objects in the vSphere Namespace. No permissions mapped to Kubernetes roles. See Role Permissions and Bindings. |
| Can Edit | Can create, read, update, and delete TKG cluster objects in the vSphere Namespace. Can operate TKG clusters provisioned in the vSphere Namespace as the Kubernetes cluster-admin. See Role Permissions and Bindings. |
| Owner | Same permissions as Can Edit, with the additional permission to create and manage vSphere Namespaces using kubectl. Only available with vCenter SSO. See Role Permissions and Bindings. |
- Complete the configuration of the vSphere Namespace. See Configure a vSphere Namespace for TKG Service Clusters.