An optional way to assign permissions to vSphere IaaS control plane operators, including persons responsible for operating Supervisor and TKG Service clusters, is to create a dedicated vSphere user group and role specifically for such operators.
About the Platform Operators Group and Role
As a security best practice, you may want to avoid assigning the vSphere Administrator role to platform operators because this role grants more privileges than necessary to operate TKG Service clusters. Following the principle of least privilege, you can create a dedicated user group, a service (user) account, and a custom role for use by platform operators, then grant the user group custom role permissions on vSphere objects.
Note: You need to be logged in to vCenter Server as a vSphere Administrator to perform all the tasks in this topic.
Note: vSphere group and role names are user-defined strings. The names provided here are examples that you can adopt, adjust, or change according to your security and business needs.
Warning: You must evaluate the example role permissions provided here in the context of your security and business requirements, test the role to ensure compliance, and adjust accordingly. Not all permissions used here may be suitable for your needs, and you may require additional permissions. Refer to the vSphere Security documentation for a complete list of vSphere permissions and security considerations.
Part 1: Create a Platform Operators Group and User
In vCenter, or an AD/LDAP system that is integrated with vCenter, create the platform operators group and an initial user account.
- Log in to vCenter Server as an administrator using the vSphere Client.
- Go to .
- Select the Groups tab.
- Click Add and create a new group:
  - Name: platform-operators-group
  - Description: Group Account for Kubernetes Operators of Supervisor and TKG Service Clusters
  - Click Add.
- Select the Users tab.
- Click Add and create a new user for testing purposes:
  - Name: platform-operator-00
  - Password: Enter a strong password that meets the requirements.
  - Click Add.
- Select the Groups tab.
- Add the new user to the group:
  - Select the group platform-operators-group.
  - Click Add Members.
  - Select vsphere.local.
  - Search for the user name platform-operator-00.
  - Select this user and click Add.
  - Click Save.
Part 2: Add the Platform Operators Group to Service Provider Users Group
Add the platform operators group to the Service Provider Users group. Doing so gives members of the platform operators group the ability to view vSphere Namespaces in the vCenter Server user interface.
- Go to .
- Select the Groups tab.
- Find the ServiceProviderUsers group.
- Edit the ServiceProviderUsers group and add as a member the platform-operators-group.
- Click Save.
Part 3: Create the Platform Operators Role
Create a custom vCenter SSO role for platform operators.
Note: The role includes all necessary permissions to provision and operate Supervisor and TKG Service clusters, including administering content libraries. You may need to adjust the permissions assigned to this role based on your business and security requirements. In addition, you must test the role to ensure it meets your requirements.
- Using the vSphere Client, go to .
- Select New and create a new role named platform-operators-role.
- Define the following privileges for this role.
- When done, click Save.
- Alarms
  - Acknowledge alarm
  - Create alarm
  - Disable alarm action on entity
  - Modify alarm
  - Remove alarm
  - Set alarm status
- Certificate Authority
  - Create/Delete (below Admins priv)
- Certificate Management
  - Create/Delete (below Admins priv)
- Cns
  - Searchable *
- Compute Policy
  - Create and Delete Compute Policy
- Content Library
  - Add library item
  - Check in a template
  - Check out a template
  - Create local library
  - Create subscribed library
  - Delete library item
  - Delete local library
  - Delete subscribed library
  - Download files
  - Evict library item
  - Evict subscribed library
  - Import storage
  - Probe subscription information
  - Read storage
  - Sync library item
  - Sync subscribed library
  - Type introspection
  - Update configuration settings
  - Update library
  - Update library item
  - Update local library
  - Update subscribed library
  - View configuration settings
- Datastore
  - Allocate space * $
  - Browse datastore *
  - Configure datastore
  - Low level file operations *
  - Remove file
  - Rename datastore
  - Update virtual machine files
  - Update virtual machine metadata
- Extension
  - Register extension
  - Unregister extension
  - Update extension
- Folder
  - Create folder
  - Delete folder
  - Move folder
  - Rename folder
- Global
  - Cancel task
  - Disable methods *
  - Enable methods *
  - Global tag
  - Health
  - Licenses *
  - Log event
  - Manage custom attributes
  - Service managers
  - Set custom attribute
  - System tag
- Host
  - Configuration
    - Network configuration $
  - Host profile
    - View
- Hybrid Linked Mode
  - Manage
- Namespaces
  - Modify cluster-wide configuration
  - Modify cluster-wide namespace self-service configuration
  - Modify namespace configuration
- Network
  - Assign network * $
- Resource
  - Apply recommendation
  - Assign vApp to resource pool *
  - Assign virtual machine to resource pool
  - Create resource pool
  - Modify resource pool
  - Move resource pool
  - Query vMotion
  - Remove resource pool
  - Rename resource pool
- Scheduled task
  - Create tasks
  - Modify task
  - Remove task
  - Run task
- Sessions
  - Message *
  - Validate session *
- VM storage policies
  - View VM storage policies *
- Storage views
  - View
- Supervisor Services
  - Manage Supervisor Services
- Trusted Infrastructure administrator
  - Manage Trusted Infrastructure Hosts
- vApp
  - Add virtual machine
  - Assign resource pool
  - Assign vApp
  - Clone
  - Create
  - Delete
  - Export
  - Import * $
  - Move
  - Power off
  - Power on
  - Rename
  - Suspend
  - Unregister
  - View OVF environment
  - vApp application configuration
  - vApp instance configuration
  - vApp managedBy configuration
  - vApp resource configuration
- Virtual machine
  - Change Configuration
    - Acquire disk lease
    - Add existing disk * $
    - Add new disk *
    - Add or remove device *
    - Advanced configuration * $
    - Change CPU count *
    - Change Memory *
    - Change Settings *
    - Change Swapfile placement
    - Change Resource
    - Configure Host USB device
    - Configure Raw device *
    - Configure managedBy
    - Display connection settings
    - Extend virtual disk *
    - Modify device settings *
    - Query Fault Tolerance compatibility
    - Query unowned files
    - Reload from path
    - Remove disk *
    - Rename
    - Reset guest information
    - Set annotation
    - Toggle disk change tracking *
    - Upgrade virtual machine compatibility
  - Edit Inventory
    - Create from existing *
    - Create new
    - Move
    - Remove *
    - Register
    - Unregister
  - Guest operations
    - Guest operation alias modification
    - Guest operation alias query
    - Guest operation modifications
    - Guest operation program execution
    - Guest operation queries
  - Interaction
    - Answer question
    - Backup operation on virtual machine
    - Configure CD media
    - Configure floppy media
    - Connect devices
    - Console interaction
    - Create screenshot
    - Defragment all disks
    - Drag and drop
    - Guest operating system management by VIX API
    - Inject USB HID scan codes
    - Install VMware Tools
    - Pause or Unpause
    - Power off *
    - Power on *
    - Reset
    - Suspend
  - Provisioning
    - Allow disk access
    - Allow file access
    - Allow read-only disk access *
    - Allow virtual machine download *
    - Allow virtual machine files upload
    - Clone template
    - Clone virtual machine
    - Create template from virtual machine
    - Customize guest
    - Deploy template *
    - Mark as template
    - Mark as virtual machine
    - Modify customization specification
    - Promote disks
    - Read customization specifications
  - Service configuration
    - Allow notifications
    - Allow polling of global event notifications
    - Manage service configurations
    - Modify service configuration
    - Query service configurations
    - Read service configuration
  - Snapshot management
    - Create snapshot *
    - Remove snapshot *
    - Rename snapshot
    - Revert to snapshot
  - vSphere Replication
    - Configure replication
    - Manage replication
    - Monitor replication
- Virtual Machine Classes
  - Manage Virtual Machine Classes
- vSan
  - Cluster
  - ShallowRekey
- vService
  - Create dependency
  - Destroy dependency
  - Reconfigure dependency configuration
  - Update dependency
- vSphere Tagging
  - Assign or Unassign vSphere Tag
  - Assign or Unassign vSphere Tag on Object
  - Create vSphere Tag
  - Create vSphere Tag Category
  - Delete vSphere Tag
  - Delete vSphere Tag Category
  - Edit vSphere Tag
  - Edit vSphere Tag Category
  - Modify UsedBy Field For Category
  - Modify UsedBy Field For Tag
Part 4: Assign vCenter Object Permissions to the Platform Operators Group and Role
Assign to the platform operators group permissions for the vCenter objects that Supervisor and TKG Service clusters use.
- In vCenter select the view.
- For each of the vCenter objects listed below, right-click the object and select Add Permission.
  - For the User/Group, select the group platform-operators-group.
  - For the Role, select the role platform-operators-role.
  - For some objects you will need to select Propagate to children, as indicated.
- Hosts and Clusters
  - The root vCenter Server object.
  - The Datacenter and all of the Host and Cluster folders, from the Datacenter object down to the cluster that manages the TKG deployment.
  - The target vCenter cluster where Supervisor is enabled, with Propagate to children enabled (for the ESXi hosts, etc.).
  - Target resource pools, with Propagate to children enabled.
- VMs and Templates
  - The top-level Datacenter object, with Propagate to children enabled.
  - Alternatively, for finer granularity, the target VM and Template folders, with Propagate to children enabled.
- Storage
  - The top-level Datacenter object, with Propagate to children enabled.
  - Alternatively, the shared Datastore object (such as vsanDatastore) without Propagate to children enabled, or individual Datastores and all storage folders, from the Datacenter object down to the datastores that will be used for TKG deployments, with Propagate to children enabled.
- Networking
  - The top-level Datacenter object, with Propagate to children enabled.
  - Alternatively, individual Networks, Distributed switches and Distributed Port Groups to which clusters will be assigned.
Part 5: Associate the Platform Operators Group and Role
Assign permissions to the platform operators group and role.
- Using the vSphere Client, go to .
- Add the platform operators role to the platform operators group:
  - Click Add.
  - For the Domain, select vsphere.local.
  - For the User/Group, enter the group platform-operators-group.
  - For the Role, select the role platform-operators-role.
  - Select the Propagate to children check box.
  - Click OK to update the group with the role permissions.
- Add the vSphere Kubernetes Manager role to the platform operators group:
  - Click Add.
  - For the Domain, select vsphere.local.
  - For the User/Group, enter the group platform-operators-group.
  - For the Role, select the role vSphere Kubernetes Manager.
  - Select the Propagate to children check box.
  - Click OK to update the group with the role permissions.
Part 6: Validate the Platform Operators Group and Role
Test the new platform operators group and role. You must ensure that the group and role meet your security and business requirements, and adjust accordingly.
- Using the vSphere Client, log in to vCenter Server using the platform-operator-00 user account.
- Verify that you have read access to vSphere objects, including Hosts and Clusters, VMs and Templates, Storage, and Networking.
- Verify that you can create and configure a content library. See Administering Kubernetes Releases for TKG Service Clusters.
- Verify that you can create and configure a vSphere Namespace, including adding users, associating the content library, and assigning storage policy. See Configuring vSphere Namespaces for Hosting TKG Service Clusters.
- Verify that you can log in to Supervisor using the Kubernetes CLI Tools for vSphere. See Connecting to TKG Service Clusters Using vCenter SSO Authentication.
- Verify that you can provision a TKG cluster on Supervisor using Kubectl. See Workflow for Provisioning TKG Clusters Using Kubectl.
- Verify that you can log in to the TKG cluster on Supervisor using Kubectl. See Connect to a TKG Service Cluster as a vCenter Single Sign-On User with Kubectl.
- Verify that you can deploy workloads to the TKG cluster on Supervisor. See Deploying Workloads on TKG Service Clusters.
- Verify that you can perform various operational tasks for the TKG cluster on Supervisor. See Operating TKG Service Clusters.
- Using the vSphere Client, verify that you can view the TKG cluster provisioned on Supervisor in the vSphere Namespace.
- Using the vSphere Client, verify that you can monitor Supervisor and TKG cluster objects.
- Perform negative tests to ensure that you cannot perform certain tasks reserved for vSphere Administrators. For example, you should not be able to create a new vSphere Storage Policy or vSphere Networking. You should also not be able to disable Workload Management.
- Adjust the role permissions accordingly to meet your security and business requirements.
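Building the role from the Part 3 privilege list by hand means ticking a few hundred check boxes, and the Part 6 review is equally easy to get wrong. The PowerCLI script below is an added example, not part of the VMware documentation: it resolves privileges by the group and display names used in Part 3 (a subset is shown; extend the table with the full list), grants the role to the group with propagation as in Part 5, and then audits the result, failing if any privilege reserved for administrators is present. The vCenter FQDN, the resource pool name, and the reserved-privilege list are assumptions for illustration.

```powershell
# Added example (not VMware's own code). Assumes PowerCLI is installed and that the
# privilege group/display names below match your vCenter version.
Import-Module VMware.PowerCLI
$vc = 'vcenter.example.com'                      # assumption: your vCenter Server FQDN
Connect-VIServer -Server $vc | Out-Null           # prompts for vSphere Administrator credentials

# Role definition keyed by privilege group and display name, as listed in Part 3 (subset).
$wanted = @{
  'Alarms'              = @('Acknowledge alarm', 'Create alarm', 'Modify alarm')
  'Datastore'           = @('Allocate space', 'Browse datastore', 'Low level file operations')
  'Network'             = @('Assign network')
  'Resource'            = @('Assign virtual machine to resource pool')
  'VM storage policies' = @('View VM storage policies')
}
# Assumed list of privileges that platform operators must NOT hold (negative test, Part 6):
# changing storage policies and creating networking are reserved for vSphere Administrators.
$denied = @{
  'VM storage policies' = @('Update VM storage policies')
  'Distributed switch'  = @('Create')
}

# Resolve (group, display name) pairs to Privilege objects so the role is built from the
# same names the documentation lists rather than from hand-typed privilege IDs.
function Resolve-Privilege([hashtable]$Table) {
  foreach ($groupName in $Table.Keys) {
    $group = Get-VIPrivilege -PrivilegeGroup -Name $groupName
    Get-VIPrivilege -Group $group -PrivilegeItem |
      Where-Object { $Table[$groupName] -contains $_.Name }
  }
}

# Part 3: create the role, or add missing privileges to an existing one.
$privs = @(Resolve-Privilege $wanted)
$role = Get-VIRole -Name 'platform-operators-role' -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name 'platform-operators-role' -Privilege $privs }
else { Set-VIRole -Role $role -AddPrivilege $privs | Out-Null }

# Part 5: grant the role to the group on the target entity with Propagate to children.
$entity = Get-ResourcePool -Name 'tkg-rp'        # assumption: your target resource pool
New-VIPermission -Entity $entity -Principal 'vsphere.local\platform-operators-group' `
  -Role $role -Propagate $true | Out-Null

# Part 6: show what the group actually holds, then run the negative check on the role.
Get-VIPermission -Principal 'vsphere.local\platform-operators-group' |
  Select-Object Entity, Role, Propagate
$have  = @(Get-VIPrivilege -Role $role).Id
$leaks = @(Resolve-Privilege $denied | Where-Object { $have -contains $_.Id })
if ($leaks) { Write-Warning ('Reserved privileges present in role: ' + ($leaks.Name -join ', ')) }
else { Write-Host 'Negative check passed: no administrator-only privileges in the role' }
```

Run the audit section again after any manual change to the role in the vSphere Client, since the negative check only reflects the role as it exists at run time.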