Developer users and development groups are the target users of TKG clusters on Supervisor. Once a TKG cluster is provisioned, you can grant developer access using vCenter Single Sign-On authentication or using an external identity provider.

Authentication for Developers

A cluster administrator can grant cluster access to other users, such as developers. Developers can deploy pods to clusters directly using their user accounts, or indirectly using service accounts.
  • For user account authentication, TKG clusters support vCenter Single Sign-On users and groups. The user or group can be local to the vCenter Server, or synchronized from a supported directory server.
  • External OIDC users and groups are mapped directly to vSphere Namespace roles.
  • For service account authentication, you can use service tokens. For more information, see the Kubernetes documentation.

Adding Developer Users to a Cluster

To grant cluster access to developers:
  1. Define a Role or ClusterRole for the user or group and apply it to the cluster. For more information, see the Kubernetes documentation.
  2. Create a RoleBinding or ClusterRoleBinding for the user or group and apply it to the cluster. See the following example.

Example RoleBinding

To grant access to a vCenter Single Sign-On user or group, the subject in the RoleBinding must contain either of the following values for the name parameter.
Table 1. Supported User and Group Fields

  Field                  Description
  sso:USER-NAME@DOMAIN   For example, a local user name, such as sso:joe@vsphere.local.
  sso:GROUP-NAME@DOMAIN  For example, a group name from a directory server integrated with the vCenter Server, such as

The following example RoleBinding binds the vCenter Single Sign-On local user named Joe to the default ClusterRole named edit. This role permits read/write access to most objects in a namespace, in this case the default namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rolebinding-cluster-user-joe
  namespace: default                     # Binding is scoped to this namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit                             # Default ClusterRole
subjects:
- kind: User
  name: sso:joe@vsphere.local            # sso:<username>@<domain>
  apiGroup: rbac.authorization.k8s.io
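The following script is an added example, not code from the VMware documentation: it builds the RoleBinding manifest shown above for one or more vCenter Single Sign-On subjects, rejects subject names that do not follow the sso:NAME@DOMAIN form, and flags a binding that would hand developers cluster-admin instead of a namespace-scoped role such as edit. The function names and the review checks are this example's own assumptions.

```python
import json
import re
from typing import Dict, List

# Subject names for vCenter SSO principals must look like sso:NAME@DOMAIN (see Table 1).
SSO_PRINCIPAL = re.compile(r"^sso:[^@\s:]+@[^@\s]+$")


def is_valid_sso_name(name: str) -> bool:
    """True when `name` has the sso:<name>@<domain> form the RoleBinding subject needs."""
    return bool(SSO_PRINCIPAL.match(name))


def build_rolebinding(binding_name: str, namespace: str, cluster_role: str,
                      subjects: List[Dict[str, str]]) -> dict:
    """Return a RoleBinding (as a dict) that binds SSO users/groups to an existing
    ClusterRole, with the grant limited to `namespace`. Raises on malformed subjects."""
    for s in subjects:
        if s["kind"] not in ("User", "Group"):
            raise ValueError(f"unsupported subject kind: {s['kind']}")
        if not is_valid_sso_name(s["name"]):
            raise ValueError(f"subject {s['name']!r} is not in sso:NAME@DOMAIN form")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": binding_name, "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": cluster_role},
        "subjects": [{"kind": s["kind"], "name": s["name"],
                      "apiGroup": "rbac.authorization.k8s.io"} for s in subjects],
    }


def review_rolebinding(manifest: dict) -> List[str]:
    """Least-privilege review of a RoleBinding before it is applied; empty list means OK."""
    findings = []
    if manifest.get("kind") != "RoleBinding":
        findings.append("expected kind RoleBinding (a ClusterRoleBinding grants cluster-wide access)")
    if not manifest.get("metadata", {}).get("namespace"):
        findings.append("metadata.namespace is missing; a RoleBinding must be namespaced")
    if manifest.get("roleRef", {}).get("name") == "cluster-admin":
        findings.append("roleRef is cluster-admin; developers normally get edit or view")
    for s in manifest.get("subjects", []):
        if s.get("kind") in ("User", "Group") and not is_valid_sso_name(s.get("name", "")):
            findings.append(f"subject {s.get('name')!r} is not a vCenter SSO principal")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's local user joe, bound to the default ClusterRole edit.
    rb = build_rolebinding("rolebinding-cluster-user-joe", "default", "edit",
                           [{"kind": "User", "name": "sso:joe@vsphere.local"}])
    print(json.dumps(rb, indent=2), review_rolebinding(rb))
```

The printed JSON is valid input for `kubectl apply -f -`, since Kubernetes accepts JSON manifests as well as YAML.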