vSphere Roles

When provisioning Kubernetes clusters with the DKP vSphere provider, there are four roles needed for DKP to provide proper permissions. Roles in vSphere are more like a policy statement for the objects in a vSphere inventory. The Role is assigned to a user and the Object assignment can be inherited by any siblings if desired through propagation.

Add the permission at the highest level and set to propagate the permissions. In small vSphere environments, with just a few hosts, assigning the role/user at the top level and propagating to child resources could be appropriate. However, in the majority of cases this is not possible since security teams will enforce strict restrictions of who should have access to specific resources.

In the table below we describe the level at which these permissions should be assigned.

Level	Required	Propagate to Child
vCenter Server (Top Level)	No	No
Data Center	Yes	No
Resource Pool	Yes	No
Folder	Yes	Yes
Template	Yes	No

vCenter Steps to Add Roles

When a user needs permissions less than Admin, a role must be created. The process for configuring a vSphere role includes the following steps in vCenter:

Open a vSphere Client connection to the vCenter Server, described in the Prerequisites.
Select Home > Administration > Roles > Add Role.
Give the new Role a name from the four choices detailed in the next section.
Select the Privileges from the permissions directory tree drop-down below each of the four roles.

The list of permissions can be set so that the provider is able to create/modify/delete resources or clone templates, VMs, disks, attach network, etc.

Create the Four Necessary Roles

The following four Roles should be created for proper DKP access to the required Resource(s) on the correct level of vCenter and resource pools. Set your roles to contain the permissions shown in the permissions directory tree under each role.

dkp-vcenter - This root level permissions role applies to the Resource:
1. vcenter root

Permissions Tree for dkp-vcenter Role

Resource
		View
Cns
		Searchable
Profile-driven storage
		Profile-driven storage view
Network
	Session
		ValidateSession

dkp-datacenter - This datacenter role allows datacenter, cluster and host related view permissions that need to be assigned to each of them. It applies to the Resources:
1. datacenter
2. cluster
3. esx host 1
4. esx host 2

Do not propagate them because it would give the user view privileges on all folders and resource pools.

Permissions Tree for dkp-datacenter Role

??

Resource
		View
Data Center
		View
Cluster
		View
ESX Host 1
		View
ESX Host 2
		View

dkp-k8srole - This role allows CAPV to create resources and assign networks. It is the most extensive permissions, but is only assigned on folder, resource pool, data store and network level so it can easily be separated from other environments. It applies to the Resources:
1. resource pool
2. dkp folder
3. dkp data store
4. network

This role can be propagated to other Resources if desired.

Permissions Tree for dkp-k8srole Role

Permissions Tree

Resource
		View
Datastore
		Allocate space
		Browse
		Delete File
		File Management
		Update Virtual Machine File
		Update Virtual Machine Data
Global
		Set Custom Field
Network
		Assign network
Resource
		Assign vApp to Pool
		Assign VM to Pool
Scheduled Task
		Create
		Delete
		Edit
		Run
	Session
		ValidateSession
Storage Profile
		View
Storage Views
		View

dkp-readonly -This optional role allows the role to clone from templates in other folders and data stores, but not have write access. It applies to the Resources:
1. templates folder
2. templates data store

Permissions Tree for dkp-readonly Role

Datastore
		View
Folder
		View
vApp
		Clone
		Export
Provisioning
		Clone
		Clone template
		Deploy template

Next Step

Create a Base OS image in vSphere vCenter