Closed onesolpark closed 4 years ago
vSphere access is minimally required for:
@mandelsoft would you know what the minimum role would be to enable this functionality? I am guessing that the CPI user account would probably need to be assigned to the role NsxAdministrator in the worst case, but I'm guessing that could possibly be pared-down.
@dvonthenen Do you have the list of permissions needed for vsphere users? I went and searched the vcpctl part (where it makes users with minimum authz) and ended up in the govmomi repo (https://github.com/vmware/govmomi/blob/master/simulator/esx/authorization_manager.go). Is this the minimum requirement for vsphere users for CPI?
Or is this the minimum permission needed? https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/vcp-roles.html#overview
It's neither. The first link is just a dump of permissions. The second link is the older in-tree VCP support which is going through a deprecation phase.
The docs should be here https://vsphere-csi-driver.sigs.k8s.io/driver-deployment/prerequisites.html#roles_and_privileges and what is documented is what a user account would look like for using the same CPI and CSI account for both. If you want only CPI support for the user account, then it would be those privileges minus the storage permissions.
For NSX-T, please take a look at the RBAC settings for an NSX-T admin here (3.0 is below but you can use the drop down for older versions): https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.0/administration/GUID-26C44DE8-1854-4B06-B6DA-A2FD426CDF44.html
@dvonthenen Thanks that really helped. Appreciate it :)
/close
@dvonthenen: Closing this issue.
Is this a BUG REPORT or FEATURE REQUEST?:
/kind feature
What happened: Unable to use just the NSX-T type loadbalancer implementation without access to vsphere.
What you expected to happen: Support using only NSX-T Type LoadBalancer Implementation in cloud provider
How to reproduce it (as minimally and precisely as possible): Cloud Provider fails when access (network or client) to vsphere fails.
Anything else we need to know?: We've been testing the new nsx-t loadbalancer feature added in 1.2.0 and it looks great :)
But we need user credentials to vsphere to use the loadbalancer feature. Is it possible to just use the nsx-t type loadbalancer implementation?
Also, if a credential to vsphere is necessary, what is the minimum role needed for the vsphere user? Thanks in advance.