kubernetes / cloud-provider-vsphere

Kubernetes Cloud Provider for vSphere https://cloud-provider-vsphere.sigs.k8s.io
Apache License 2.0

Support using only NSX-T Type: LoadBalancer Implementation #373

Closed onesolpark closed 4 years ago

onesolpark commented 4 years ago

Is this a BUG REPORT or FEATURE REQUEST?:

/kind feature

What happened: Unable to use just the NSX-T type loadbalancer implementation without access to vsphere.

What you expected to happen: Support using only NSX-T Type LoadBalancer Implementation in cloud provider

How to reproduce it (as minimally and precisely as possible): Cloud Provider fails when access (network or client) to vsphere fails.

Anything else we need to know?: We've been testing the new nsx-t loadbalancer feature added in 1.2.0 and it looks great :)

But we need user credentials to vsphere to use the loadbalancer feature. Is it possible to just use the nsx-t type loadbalancer implementation?

Also, if a credential to vsphere is necessary, what is the minimum role needed for the vsphere user? Thanks in advance.

dvonthenen commented 4 years ago

vSphere access is minimally required for:

@mandelsoft would you know what the minimum role would be to enable this functionality? I am guessing that the CPI user account would probably need to be assigned to the role NsxAdministrator in the worst case, but I'm guessing that could possibly be pared down.

onesolpark commented 4 years ago

@dvonthenen Do you have the list of permissions needed for vsphere users? I went and searched the vcpctl part (where it makes users with minimum authz) and ended up in the govmomi repo (https://github.com/vmware/govmomi/blob/master/simulator/esx/authorization_manager.go). Is this the minimum requirement for vsphere users for CPI?

Or is this the minimum permission needed? https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/vcp-roles.html#overview

dvonthenen commented 4 years ago

It's neither. The first link is just a dump of permissions. The second link is the older in-tree VCP support which is going through a deprecation phase.

The docs should be here https://vsphere-csi-driver.sigs.k8s.io/driver-deployment/prerequisites.html#roles_and_privileges and what is documented is what a user account would look like for using the same CPI and CSI account for both. If you want only CPI support for the user account, then it would be those privileges minus the storage permissions.

For NSX-T, please take a look at the RBAC settings for an NSX-T admin here (3.0 is below but you can use the drop down for older versions): https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.0/administration/GUID-26C44DE8-1854-4B06-B6DA-A2FD426CDF44.html
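The answer above derives the CPI-only role as "the documented CPI+CSI privileges minus the storage privileges". The script below is an added example, not code from the cloud-provider-vsphere project, showing how an operator can make that subtraction explicit and then audit a role that already exists in vCenter for excess privileges. The privilege lists in it are constructed placeholders: the real list must be taken from the CSI prerequisites page linked above, and the set of prefixes treated as "storage" is an assumption to adjust against that list. The `govc role.create NAME [PRIVILEGE...]` invocation it emits is the real govc CLI form; the script only builds the command string and never contacts vCenter.

```python
"""Derive a least-privilege CPI-only vSphere role and audit an existing role.

Added example. COMBINED_CPI_CSI_PRIVILEGES is a CONSTRUCTED stand-in for the
privilege list documented for a shared CPI+CSI account; replace it with the
documented list before use. STORAGE_PRIVILEGE_PREFIXES is an assumption about
which privilege families are storage-only.
"""
import shlex

# Constructed placeholder for the documented combined CPI+CSI privilege list.
COMBINED_CPI_CSI_PRIVILEGES = [
    "System.Anonymous",
    "System.Read",
    "System.View",
    "VirtualMachine.Config.Settings",  # placeholder non-storage privilege
    "Datastore.AllocateSpace",         # storage (CSI only)
    "Datastore.FileManagement",        # storage (CSI only)
    "Datastore.Browse",                # storage (CSI only)
    "Cns.Searchable",                  # storage (CSI only)
]

# Assumption: privileges under these families are the "storage permissions"
# that the CPI-only account does not need.
STORAGE_PRIVILEGE_PREFIXES = ("Datastore.", "Cns.", "StorageProfile.")


def is_storage_privilege(privilege):
    """True if the privilege belongs to one of the storage families."""
    return privilege.startswith(STORAGE_PRIVILEGE_PREFIXES)


def derive_cpi_only_privileges(combined_privileges):
    """Combined CPI+CSI list minus the storage privileges, order preserved."""
    return [p for p in combined_privileges if not is_storage_privilege(p)]


def audit_role(actual_privileges, expected_privileges):
    """Compare a role's actual privileges with the least-privilege set.

    Returns (excess, missing): excess privileges are the ones to remove to
    reach least privilege; missing ones would make CPI fail.
    """
    actual, expected = set(actual_privileges), set(expected_privileges)
    return sorted(actual - expected), sorted(expected - actual)


def govc_role_create_command(role_name, privileges):
    """Build the govc command that would create the role (string only)."""
    return "govc role.create " + shlex.join([role_name, *privileges])


if __name__ == "__main__":
    cpi_only = derive_cpi_only_privileges(COMBINED_CPI_CSI_PRIVILEGES)
    print(govc_role_create_command("k8s-cpi", cpi_only))
    # Constructed example of a role that was cloned from the CSI role.
    excess, missing = audit_role(
        ["System.Read", "System.View", "Datastore.Browse"], cpi_only)
    print("excess:", excess)
    print("missing:", missing)
```

Run the audit against the privileges of the role actually assigned to the CPI service account (for example the output of `govc role.ls ROLE`) and treat any entry in `excess` as a least-privilege finding to remove.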

onesolpark commented 4 years ago

@dvonthenen Thanks that really helped. Appreciate it :)

dvonthenen commented 4 years ago

/close

k8s-ci-robot commented 4 years ago

@dvonthenen: Closing this issue.

In response to [this](https://github.com/kubernetes/cloud-provider-vsphere/issues/373#issuecomment-672918408):

> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.