A cluster administrator can grant cluster access to other users, such as developers. Developers can deploy pods to clusters directly using their user accounts, or indirectly using service accounts.

• For user account authentication, TKG Service clusters support vCenter Single Sign-On users and groups. The user or group can be local to the vCenter Server, or synchronized from a supported directory server.
• External OIDC users and groups are mapped directly to vSphere Namespace roles.
• For service account authentication, you can use service tokens. For more information, see the Kubernetes documentation.

To grant cluster access to developers:

1. Define a Role or ClusterRole for the user or group and apply it to the cluster. For more information, see the Kubernetes documentation.
2. Create a RoleBinding or ClusterRoleBinding for the user or group and apply it to the cluster. See the following example.

To grant access to a vCenter Single Sign-On user or group, the subject in the RoleBinding must contain either of the following values for the name parameter.

Table 1. Supported User and Group Fields

Field	Description
sso:USER-NAME@DOMAIN	For example, a local user name, such as sso:[email protected].
sso:GROUP-NAME@DOMAIN	For example, a group name from a directory server integrated with the vCenter Server, such as sso:[email protected].

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-cluster-user-joe
  namespace: default
roleRef:
  kind: ClusterRole
  name: edit                             #Default ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: sso:[email protected]            #sso:<username>@<domain>
  apiGroup: rbac.authorization.k8s.io