@divyenpatel
Last active November 9, 2017 23:20
Minimal set of vCenter roles/privileges required for static only persistent volume provisioning.

Note: Datastore.FileManagement is only required for the manage-k8s-volumes role if a PVC is created to bind with a statically provisioned PV and the reclaim policy is set to Delete. When the PVC is deleted, the associated statically provisioned PV will also be deleted.

| Roles | Privileges | Entities | Propagate to Children |
| --- | --- | --- | --- |
| manage-k8s-node-vms | System.Anonymous<br>System.Read<br>System.View<br>VirtualMachine.Config.AddExistingDisk<br>VirtualMachine.Config.AddNewDisk<br>VirtualMachine.Config.AddRemoveDevice<br>VirtualMachine.Config.RemoveDisk | VM Folder | Yes |
| manage-k8s-volumes | Datastore.FileManagement (Low level file operations)<br>System.Anonymous<br>System.Read<br>System.View | Datastore | No |
| ReadOnly | System.Anonymous<br>System.Read<br>System.View | vCenter,<br>Datacenter,<br>Datastore Cluster,<br>Datastore Storage Folder | No |

Minimal set of vCenter roles/privileges required for dynamic persistent volume provisioning.

Same as documented at https://github.com/kubernetes/kubernetes.github.io/blob/master/docs/getting-started-guides/vsphere.md

| Roles | Privileges | Entities | Propagate to Children |
| --- | --- | --- | --- |
| manage-k8s-node-vms | Resource.AssignVMToPool<br>System.Anonymous<br>System.Read<br>System.View<br>VirtualMachine.Config.AddExistingDisk<br>VirtualMachine.Config.AddNewDisk<br>VirtualMachine.Config.AddRemoveDevice<br>VirtualMachine.Config.RemoveDisk<br>VirtualMachine.Inventory.Create<br>VirtualMachine.Inventory.Delete | Cluster,<br>Hosts,<br>VM Folder | Yes |
| manage-k8s-volumes | Datastore.AllocateSpace<br>Datastore.FileManagement (Low level file operations)<br>System.Anonymous<br>System.Read<br>System.View | Datastore | No |
| k8s-system-read-and-spbm-profile-view | StorageProfile.View<br>System.Anonymous<br>System.Read<br>System.View | vCenter | No |
| ReadOnly | System.Anonymous<br>System.Read<br>System.View | Datacenter,<br>Datastore Cluster,<br>Datastore Storage Folder | No |

Minimal set of vCenter roles/privileges required for dynamic volume provisioning without storage policy based volume placement.

| Roles | Privileges | Entities | Propagate to Children |
| --- | --- | --- | --- |
| manage-k8s-node-vms | System.Anonymous<br>System.Read<br>System.View<br>VirtualMachine.Config.AddExistingDisk<br>VirtualMachine.Config.AddNewDisk<br>VirtualMachine.Config.AddRemoveDevice<br>VirtualMachine.Config.RemoveDisk | VM Folder | Yes |
| manage-k8s-volumes | Datastore.AllocateSpace<br>Datastore.FileManagement (Low level file operations)<br>System.Anonymous<br>System.Read<br>System.View | Datastore | No |
| ReadOnly | System.Anonymous<br>System.Read<br>System.View | vCenter,<br>Datacenter,<br>Datastore Cluster,<br>Datastore Storage Folder | No |
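The three tables above are a least-privilege baseline, and the roles tend to drift as operators add privileges to "make it work". The following audit script is an added example, not part of this gist: it encodes the three privilege sets and reports, per role, what is missing (provisioning will fail) and what is in excess (privilege drift to review). The input format, a mapping of role name to its current privilege IDs, is an assumption; in practice it would be filled from pyvmomi's `content.authorizationManager.roleList`.

```python
# Added example (not from the gist): audit vCenter roles against the minimal
# privilege sets in the tables above. Role names and privilege IDs are taken
# from the tables; the input format (role name -> set of privilege IDs) is an
# assumption. With pyvmomi, fill it from content.authorizationManager.roleList,
# where each role exposes .name and .privilege.
from typing import Dict, Set, Tuple

BASE = {"System.Anonymous", "System.Read", "System.View"}
NODE_VM_DISK = {
    "VirtualMachine.Config.AddExistingDisk",
    "VirtualMachine.Config.AddNewDisk",
    "VirtualMachine.Config.AddRemoveDevice",
    "VirtualMachine.Config.RemoveDisk",
}
VOLUMES_DYNAMIC = BASE | {"Datastore.AllocateSpace", "Datastore.FileManagement"}

# Minimal privilege set per role for each provisioning mode in the gist.
MINIMAL: Dict[str, Dict[str, Set[str]]] = {
    "static": {
        "manage-k8s-node-vms": BASE | NODE_VM_DISK,
        "manage-k8s-volumes": BASE | {"Datastore.FileManagement"},
        "ReadOnly": BASE,
    },
    "dynamic": {
        "manage-k8s-node-vms": BASE | NODE_VM_DISK | {
            "Resource.AssignVMToPool",
            "VirtualMachine.Inventory.Create",
            "VirtualMachine.Inventory.Delete",
        },
        "manage-k8s-volumes": VOLUMES_DYNAMIC,
        "k8s-system-read-and-spbm-profile-view": BASE | {"StorageProfile.View"},
        "ReadOnly": BASE,
    },
    "dynamic-no-spbm": {
        "manage-k8s-node-vms": BASE | NODE_VM_DISK,
        "manage-k8s-volumes": VOLUMES_DYNAMIC,
        "ReadOnly": BASE,
    },
}


def audit_roles(mode: str, actual: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {role: (missing, excess)} for every role the given mode requires.

    'missing' means provisioning will fail; 'excess' is drift beyond the minimum
    and is what a least-privilege review should flag. A role that does not exist
    in vCenter is reported with all of its required privileges missing.
    """
    findings: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for role, required in MINIMAL[mode].items():
        have = actual.get(role, set())
        findings[role] = (required - have, have - required)
    return findings
```

Run it with the mode that matches your provisioning setup; an empty excess set for every role means the roles still match the table.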