divyenpatel/VCP-Roles.md

## VCP-Roles.md

      
    Raw
  

              VCP-Roles.md
            
          
    Minimal set of vCenter roles/privileges required for static only persistent volume provisioning.

Note Datastore.FileManagement is only required for the role manage-k8s-volumes, if PVC is created to bind with statically provisioned PV, and reclaim policy set to delete. When PVC is deleted, associated statically provisioned PV will also be deleted.


  Roles
  Privileges
  Entities
  Propagate to Children


  manage-k8s-node-vms
  System.Anonymous
 System.Read
 System.View
 VirtualMachine.Config.AddExistingDisk
 VirtualMachine.Config.AddNewDisk
 VirtualMachine.Config.AddRemoveDevice
 VirtualMachine.Config.RemoveDisk

  VM Folder
  Yes


  manage-k8s-volumes
  Datastore.FileManagement (Low level file operations
)
 System.Anonymous
 System.Read
 System.View


  Datastore
  No


  ReadOnly
  System.Anonymous
System.Read
System.View
  vCenter,
 Datacenter,
 Datastore Cluster,
 Datastore Storage Folder
  No


Minimal set of vCenter roles/privileges required for dynamic persistent volume provisioning.

Same as documented at
https://github.com/kubernetes/kubernetes.github.io/blob/master/docs/getting-started-guides/vsphere.md


  Roles
  Privileges
  Entities
  Propagate to Children


  manage-k8s-node-vms
  Resource.AssignVMToPool
 System.Anonymous
 System.Read
 System.View
 VirtualMachine.Config.AddExistingDisk
 VirtualMachine.Config.AddNewDisk
 VirtualMachine.Config.AddRemoveDevice
 VirtualMachine.Config.RemoveDisk
 VirtualMachine.Inventory.Create
 VirtualMachine.Inventory.Delete
  Cluster,
 Hosts,
 VM Folder
  Yes


  manage-k8s-volumes
  Datastore.AllocateSpace
 Datastore.FileManagement (Low level file operations)
 System.Anonymous
 System.Read
 System.View
  Datastore
  No


  k8s-system-read-and-spbm-profile-view
  StorageProfile.View
 System.Anonymous
 System.Read
 System.View
  vCenter
  No


  ReadOnly
  System.Anonymous
System.Read
System.View
  Datacenter,
 Datastore Cluster,
 Datastore Storage Folder
  No


Minimal set of vCenter roles/privileges required for dynamic volume provisioning without storage policy based volume placement.


  Roles
  Privileges
  Entities
  Propagate to Children


  manage-k8s-node-vms
  System.Anonymous
 System.Read
 System.View
 VirtualMachine.Config.AddExistingDisk
 VirtualMachine.Config.AddNewDisk
 VirtualMachine.Config.AddRemoveDevice
 VirtualMachine.Config.RemoveDisk

  VM Folder
  Yes


  manage-k8s-volumes
  Datastore.AllocateSpace
 Datastore.FileManagement (Low level file operations)
 System.Anonymous
 System.Read
 System.View
  Datastore
  No


  ReadOnly
  System.Anonymous
System.Read
System.View
  vCenter,
Datacenter,
 Datastore Cluster,
 Datastore Storage Folder
  No
Roles	Privileges	Entities	Propagate to Children
manage-k8s-node-vms	System.Anonymous System.Read System.View VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.RemoveDisk	VM Folder	Yes
manage-k8s-volumes	Datastore.FileManagement (Low level file operations ) System.Anonymous System.Read System.View	Datastore	No
ReadOnly	System.Anonymous System.Read System.View	vCenter, Datacenter, Datastore Cluster, Datastore Storage Folder	No
Roles	Privileges	Entities	Propagate to Children
manage-k8s-node-vms	Resource.AssignVMToPool System.Anonymous System.Read System.View VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.RemoveDisk VirtualMachine.Inventory.Create VirtualMachine.Inventory.Delete	Cluster, Hosts, VM Folder	Yes
manage-k8s-volumes	Datastore.AllocateSpace Datastore.FileManagement (Low level file operations) System.Anonymous System.Read System.View	Datastore	No
k8s-system-read-and-spbm-profile-view	StorageProfile.View System.Anonymous System.Read System.View	vCenter	No
ReadOnly	System.Anonymous System.Read System.View	Datacenter, Datastore Cluster, Datastore Storage Folder	No