vSphere Namespace Permissions for VKS

Article ID: 424897

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

This KB is provided as a supplement to the official documentation below. It details how each vSphere Namespace permission impacts VKS clusters.

Official Document - Configure vSphere Namespace Permissions for vCenter Single Sign-On Users and Groups

Example scenario

Environment

vSphere Kubernetes Service

Resolution

"Can View" privilege

This permission grants read-only access to the Supervisor context.

Supervisor Level: The user can view the Cluster API resources (Cluster, Machine, VirtualMachine objects, and so on) in the vSphere Namespace, but cannot change them

kubectl vsphere login -u <USER>@<SSO_DOMAIN> --server=https://${SUPERVISOR_VIP}
kubectl config use-context vsphere-ns-1

kubectl get cluster,ma,vm # OK
kubectl delete ma <ma_object> # Forbidden
kubectl edit cluster <cluster> # Forbidden

VKS Cluster Level: The user has no access inside the VKS clusters

kubectl config use-context <TARGET_VKS_CLUSTER>
kubectl get pods  # Forbidden


"Can Edit" privilege

This privilege allows the user to manage VKS clusters within the target vSphere Namespace.
Enabling "Can edit" provides the following authorities to the target user:

  • Lifecycle Management: Full control to create, edit, and delete VKS clusters within the target vSphere Namespace via the Supervisor context
  • Cluster-wide Admin Access: Automatically granted the cluster-admin role for all VKS clusters in that vSphere Namespace
  • Full Resource Control: Complete administrative control over all resources (kubectl get/delete/edit Pods, Nodes, etc.) inside the VKS clusters

You can verify this automatic cluster role binding with the following command inside a VKS cluster:

kubectl config use-context <TARGET_VKS_CLUSTER>
kubectl get clusterrolebindings | grep cluster-admin
#> vmware-system-auth-sync-wcp:vsphere-ns-1:group:vsphere.local:administrators   ClusterRole/cluster-admin
#> vmware-system-auth-sync-wcp:vsphere-ns-1:group:vsphere.local:test       ClusterRole/cluster-admin
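As an added example (not part of this KB), the following Python audit parses the JSON form of that clusterrolebindings output and separates cluster-admin bindings that the Supervisor synced from vSphere Namespace permissions, recognised by the `vmware-system-auth-sync-wcp:<namespace>:<user|group>:<domain>:<principal>` naming pattern seen above, from bindings someone created by hand. The sample JSON is constructed; the `user` variant of the pattern and the `manual-ops-admin` binding are assumptions for illustration.

```python
import json
import re

# Binding names created by the Supervisor auth sync, as shown on this page:
#   vmware-system-auth-sync-wcp:<vsphere-namespace>:<user|group>:<sso-domain>:<principal>
# (the "user" alternative is an assumption; the page only shows "group")
SYNC_NAME_RE = re.compile(
    r"^vmware-system-auth-sync-wcp:(?P<namespace>[^:]+):(?P<kind>user|group)"
    r":(?P<domain>[^:]+):(?P<principal>.+)$"
)

# Constructed sample standing in for `kubectl get clusterrolebindings -o json`
# run inside a VKS cluster. The two synced cluster-admin names are from the page;
# the other two entries are made up to exercise the non-admin and manual cases.
SAMPLE_CRB_JSON = json.dumps({"items": [
    {"metadata": {"name": "vmware-system-auth-sync-wcp:vsphere-ns-1:group:vsphere.local:administrators"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"metadata": {"name": "vmware-system-auth-sync-wcp:vsphere-ns-1:group:vsphere.local:test"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"metadata": {"name": "vmware-system-auth-sync-wcp:vsphere-ns-1:user:vsphere.local:devuser"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}},      # constructed: synced but not admin
    {"metadata": {"name": "manual-ops-admin"},                 # constructed: hand-made grant
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]})


def _is_cluster_admin(crb):
    """True when the binding points at ClusterRole/cluster-admin."""
    ref = crb.get("roleRef", {})
    return ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin"


def audit_cluster_admin_bindings(crb_list_json):
    """Return (synced, manual): synced is a list of dicts with the namespace,
    kind, domain and principal parsed from each auth-sync binding name; manual
    lists cluster-admin bindings that vSphere Namespace permissions do not manage."""
    synced, manual = [], []
    for crb in json.loads(crb_list_json).get("items", []):
        if not _is_cluster_admin(crb):
            continue
        name = crb["metadata"]["name"]
        match = SYNC_NAME_RE.match(name)
        if match:
            synced.append(match.groupdict())
        else:
            manual.append(name)
    return synced, manual


if __name__ == "__main__":
    synced, manual = audit_cluster_admin_bindings(SAMPLE_CRB_JSON)
    for b in synced:
        print(f"synced  ns={b['namespace']} {b['kind']}={b['principal']}@{b['domain']}")
    for name in manual:
        print(f"manual  {name}  (not managed by vSphere Namespace permissions; review)")
```

Manual cluster-admin bindings are the ones to review, since removing a user's "Can edit" permission on the Namespace will not revoke them.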

Note: Recommendation for "Developer" Access:

"Can edit" might be excessive if you want users to deploy workloads but not delete the cluster itself.
If you need to grant access to a VKS cluster without granting "Can edit" (cluster lifecycle management) permissions on the Namespace, refer to the following documentation:

Official document - Grant Developer Access to VKS Clusters

Note: The "Can edit" permission is strictly for kubectl operations on the Supervisor. It does not grant permission to modify vSphere Namespace settings in the vSphere Client.


"Owner" privilege

From a VKS Cluster perspective, "Owner" is functionally identical to "Can edit," providing the same cluster-admin access and lifecycle control over VKS clusters.

The additional capability of "Owner" is the ability to create new vSphere Namespaces via the Supervisor context (kubectl).
Prerequisite: vSphere Namespace Self-Service (Template) must be configured by an administrator in the vSphere Client in advance.

Official document - Enable vSphere Namespace Creation Using Kubectl

Note: 'Owner' privileges do not grant permission to modify vSphere Namespace configurations via the vSphere Client. Management of the Namespace itself remains restricted to vSphere administrators.