How to configure RBAC for VKS Clusters deployed via VCF Automation in VCF 9.1.0

Article ID: 443208


Products

VMware vSphere Kubernetes Service VCF Automation

Issue/Introduction

VCF Automation (VCFA) Project Roles are designed to control access to VCFA-managed infrastructure resources, not to directly manage authorization inside VKS Guest Clusters.

Therefore, to apply a least-privilege access model (such as View, Edit, or Admin) for standard users like a Project User, you must configure native Kubernetes RBAC combined with Pinniped authentication.

This KB article describes how to apply RBAC configurations inside a VCFA-deployed VKS cluster and securely distribute the kubeconfig to users.

Prerequisites

  • VCF-CLI (version 9.1) must be installed on the management terminal
  • The target VKS Cluster must already be deployed

Environment

  • VCF Automation 9.1.0
  • vSphere Kubernetes Service

Resolution

1. Obtain the Administrative kubeconfig

At this point, the Project Administrator and Project Advanced User have full control (cluster-admin equivalent) over the target VKS Cluster using the obtained kubeconfig.

2. Configure RBAC within the VKS Cluster and Generate the Distributed kubeconfig

This step must be performed by a Project Administrator or Project Advanced User.

First, verify that Pinniped is running properly (Reconcile succeeded) inside the VKS Cluster:

kubectl get pkgi -A | grep pinniped

Next, create a RoleBinding to grant Edit permissions within a specific Namespace.
The basic configuration process follows standard upstream Kubernetes RBAC practices.

# Sample: Namespace-scoped Permission
GROUP=<OIDC_GROUP>@xxxxxx # VCFA --> Administer --> Access Control
NS=namespace-1

cat > rolebinding-${NS}.yaml <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${NS}-edit
  namespace: ${NS}
subjects:
- kind: Group
  name: ${GROUP}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
EOF

cat rolebinding-${NS}.yaml | yq .
kubectl create ns ${NS}
kubectl apply -f rolebinding-${NS}.yaml
kubectl get rolebinding -n ${NS} ${NS}-edit

# Generate a kubeconfig file for "Project Users" and distribute the generated kubeconfig to them.
# Each "Project User" must authenticate with their own VCFA API token when using this kubeconfig.
vcf cluster kubeconfig get <VKS_CLUSTER_NAME> --export-file vcfa-auth.kubeconfig
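The sample above binds one group to the built-in edit ClusterRole in one namespace. The following shell functions, added here as an illustration and not part of this KB or the VCF-CLI, generalize that to the View/Edit/Admin model from the introduction: they render correctly indented RoleBindings for several namespaces at once and refuse any role outside the three user-facing ClusterRoles, so a typo such as cluster-admin cannot silently widen access. The group and namespace names in the usage line are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the KB): render namespace-scoped RoleBindings for a
# VCFA OIDC group, restricted to the three upstream least-privilege ClusterRoles.
# The group and namespace values used below are constructed placeholders.

# render_rolebinding GROUP NAMESPACE ROLE  -> YAML on stdout
# ROLE must be one of view|edit|admin (the built-in user-facing ClusterRoles);
# anything else (e.g. cluster-admin) is refused so a mistake cannot widen access.
render_rolebinding() {
  group="$1"; ns="$2"; role="$3"
  case "$role" in
    view|edit|admin) ;;
    *) echo "refusing role '$role': only view|edit|admin are allowed" >&2; return 1 ;;
  esac
  # A namespace must be a lowercase RFC 1123 label; reject anything else up front.
  case "$ns" in
    ""|*[!a-z0-9-]*) echo "invalid namespace '$ns'" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${ns}-${role}
  namespace: ${ns}
subjects:
- kind: Group
  name: ${group}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# render_bindings GROUP ROLE NAMESPACE...  -> one multi-document manifest
render_bindings() {
  group="$1"; role="$2"; shift 2
  for ns in "$@"; do
    render_rolebinding "$group" "$ns" "$role" || return 1
    echo "---"
  done
}

# Usage (placeholder group from VCFA > Administer > Access Control), then
# review the file and apply it with kubectl:
#   render_bindings 'project-users@example-vcfa' view namespace-1 namespace-2 > rolebindings.yaml
#   kubectl apply -f rolebindings.yaml
```

Rendering the manifests into a file first keeps the review step from the original sample (cat ... | yq .) in place before anything is applied to the cluster.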

3. Verify Access in the Project User Environment

On the Project User terminal, access the target VKS cluster by using the distributed kubeconfig and authenticate with the Project User's own VCFA API token.

kubeconfig=vcfa-auth.kubeconfig

# During the first execution, the user will be prompted to enter their API Token
kubectl --kubeconfig ${kubeconfig} auth whoami
#> Enter API Token: (Input "Project User" API TOKEN)

# Verify Permissions
kubectl --kubeconfig ${kubeconfig} auth can-i --list -n ${NS}
kubectl --kubeconfig ${kubeconfig} get nodes # Expected to fail (NG)
kubectl --kubeconfig ${kubeconfig} get pods -n ${NS} # Expected to succeed (OK)
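The manual OK/NG checks above can be turned into a repeatable test. The shell functions below are added as an example and are not part of this KB: they ask the API server the same "auth can-i" questions for a Project User and compare each answer against the expected least-privilege outcome for an edit binding (namespace access granted, cluster-scoped and RBAC-changing access denied). The KUBECTL variable is an assumption of this example so the checks can run against a stand-in binary; by default the real kubectl is used.

```shell
#!/usr/bin/env sh
# Added example (not from the KB): assert the expected "kubectl auth can-i" answers
# for a Project User instead of reading OK/NG by hand.
# KUBECTL (assumed variable) may point at a stand-in for kubectl for offline testing.

# expect_can_i KUBECONFIG NAMESPACE EXPECTED VERB RESOURCE
#   EXPECTED is "yes" or "no"; an empty NAMESPACE means a cluster-scoped check.
#   Returns 0 when the API server's answer matches EXPECTED, 1 otherwise.
expect_can_i() {
  kubeconfig="$1"; ns="$2"; expected="$3"; verb="$4"; resource="$5"
  kubectl_bin="${KUBECTL:-kubectl}"
  if [ -n "$ns" ]; then
    answer=$("$kubectl_bin" --kubeconfig "$kubeconfig" auth can-i "$verb" "$resource" -n "$ns" 2>/dev/null || true)
  else
    answer=$("$kubectl_bin" --kubeconfig "$kubeconfig" auth can-i "$verb" "$resource" 2>/dev/null || true)
  fi
  # "kubectl auth can-i" prints "yes" or "no" (and exits 1 on "no"); anything else
  # (auth failure, no output) is treated as "no" so a broken login never passes as allowed.
  case "$answer" in
    yes*) answer=yes ;;
    *)    answer=no ;;
  esac
  if [ "$answer" = "$expected" ]; then
    echo "OK   can-i $verb $resource ${ns:+-n $ns} -> $answer"
    return 0
  fi
  echo "FAIL can-i $verb $resource ${ns:+-n $ns} -> $answer (expected $expected)" >&2
  return 1
}

# verify_project_user KUBECONFIG NAMESPACE
#   The checks the KB performs by hand, plus two that catch an over-broad binding.
#   Returns the number of failed checks (0 means the edit binding behaves as intended).
verify_project_user() {
  kubeconfig="$1"; ns="$2"; failures=0
  expect_can_i "$kubeconfig" "$ns" yes get    pods         || failures=$((failures + 1))
  expect_can_i "$kubeconfig" "$ns" yes create deployments  || failures=$((failures + 1))
  expect_can_i "$kubeconfig" ""    no  get    nodes        || failures=$((failures + 1))
  expect_can_i "$kubeconfig" "$ns" no  create rolebindings || failures=$((failures + 1))
  return "$failures"
}

# Usage on the Project User terminal (prompts for the user's own VCFA API token on first run):
#   verify_project_user vcfa-auth.kubeconfig namespace-1
```

The "create rolebindings" check is the one worth keeping even after the initial rollout: the edit ClusterRole does not grant it, so a "yes" there means the user was bound to admin or to a broader role than intended.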

Optional: Clear Cache

If you are testing and switching between the Project Administrator and Project User roles on the same machine, existing token caches may conflict. If authentication fails, delete the following files and try again.

rm -f ~/.config/vcf/vcfa-token/tokens.json
rm -f ~/.config/vcf/vcfa/credentials.json
rm -f ~/.config/vcf/pinniped/sessions.yaml
rm -f ~/.config/vcf/pinniped/credentials.yaml

Additional Information