In order to install an OpenShift cluster to a vCenter, the user provided to the installer needs privileges to read and create the necessary resources. The easiest way to achieve this level of permission and ensure success is to install with a user who has global administrative privileges.
If the provided user has global admin privileges, no further action for permissions is required. Otherwise, the rest of this document can be used as a resource to create a user with more fine-grained privileges.
The tables below describe the absolute minimal set of privileges to install and run OpenShift including Machine management and the vSphere Storage provider.
The privileges in the first table are necessary for every OpenShift cluster on vSphere and are sufficient to install into an existing virtual machine folder and an existing resource pool. The privileges in the second table are additionally necessary for the installer to provision a folder, which is the default behavior if no folder is specified in the install config. The privileges in the third table are additionally necessary for the installer to create VMs in the root of the cluster, which is the default behavior if no resource pool is specified in the install config.
Role Name | vSphere object | Privilege Set |
---|---|---|
openshift-vcenter-level | vSphere vCenter | Cns.Searchable, InventoryService.Tagging.AttachTag, InventoryService.Tagging.CreateCategory, InventoryService.Tagging.CreateTag, InventoryService.Tagging.DeleteCategory, InventoryService.Tagging.DeleteTag, InventoryService.Tagging.EditCategory, InventoryService.Tagging.EditTag, Sessions.ValidateSession, StorageProfile.Update, StorageProfile.View |
openshift-resourcepool-level | vSphere vCenter Resource Pool | Host.Config.Storage, Resource.AssignVMToPool, VApp.AssignResourcePool, VApp.Import, VirtualMachine.Config.AddNewDisk |
openshift-datastore-level | vSphere Datastore | Datastore.AllocateSpace, Datastore.Browse, Datastore.FileManagement |
openshift-portgroup-level | vSphere Port Group | Network.Assign |
openshift-folder-level | Virtual Machine Folder | Resource.AssignVMToPool, VApp.Import, VirtualMachine.Config.AddExistingDisk, VirtualMachine.Config.AddNewDisk, VirtualMachine.Config.AddRemoveDevice, VirtualMachine.Config.AdvancedConfig, VirtualMachine.Config.Annotation, VirtualMachine.Config.CPUCount, VirtualMachine.Config.DiskExtend, VirtualMachine.Config.DiskLease, VirtualMachine.Config.EditDevice, VirtualMachine.Config.Memory, VirtualMachine.Config.RemoveDisk, VirtualMachine.Config.Rename, VirtualMachine.Config.ResetGuestInfo, VirtualMachine.Config.Resource, VirtualMachine.Config.Settings, VirtualMachine.Config.UpgradeVirtualHardware, VirtualMachine.Interact.GuestControl, VirtualMachine.Interact.PowerOff, VirtualMachine.Interact.PowerOn, VirtualMachine.Interact.Reset, VirtualMachine.Inventory.Create, VirtualMachine.Inventory.CreateFromExisting, VirtualMachine.Inventory.Delete, VirtualMachine.Provisioning.Clone, VirtualMachine.Provisioning.DeployTemplate, VirtualMachine.Provisioning.MarkAsTemplate |
In addition to the roles above, one more role needs to be created if the installer is to create the vSphere virtual machine folder.
Since the datacenter's top-level virtual machine folder is hidden, the only way to support an installation that creates a VM folder for the OpenShift cluster is to create a new datacenter-level role and propagate it. Once installation is complete, the openshift-folder-level role can be applied to the folder that the installer created.
Role Name | vSphere object | Privilege Set |
---|---|---|
openshift-datacenter-level | vSphere vCenter Datacenter | Resource.AssignVMToPool, VApp.Import, VirtualMachine.Config.AddExistingDisk, VirtualMachine.Config.AddNewDisk, VirtualMachine.Config.AddRemoveDevice, VirtualMachine.Config.AdvancedConfig, VirtualMachine.Config.Annotation, VirtualMachine.Config.CPUCount, VirtualMachine.Config.DiskExtend, VirtualMachine.Config.DiskLease, VirtualMachine.Config.EditDevice, VirtualMachine.Config.Memory, VirtualMachine.Config.RemoveDisk, VirtualMachine.Config.Rename, VirtualMachine.Config.ResetGuestInfo, VirtualMachine.Config.Resource, VirtualMachine.Config.Settings, VirtualMachine.Config.UpgradeVirtualHardware, VirtualMachine.Interact.GuestControl, VirtualMachine.Interact.PowerOff, VirtualMachine.Interact.PowerOn, VirtualMachine.Interact.Reset, VirtualMachine.Inventory.Create, VirtualMachine.Inventory.CreateFromExisting, VirtualMachine.Inventory.Delete, VirtualMachine.Provisioning.Clone, VirtualMachine.Provisioning.DeployTemplate, VirtualMachine.Provisioning.MarkAsTemplate, Folder.Create, Folder.Delete |
In addition to the roles above, one more role needs to be created if the installer is to create VMs in the root of the cluster. Note that the privileges applied at the cluster level in this case are the same as those applied at the resource pool level above.
Role Name | vSphere object | Privilege Set |
---|---|---|
openshift-cluster-level | vSphere vCenter Cluster | Host.Config.Storage, Resource.AssignVMToPool, VApp.AssignResourcePool, VApp.Import, VirtualMachine.Config.AddNewDisk |
The easiest way to ensure proper permissions is to grant Global Permissions to the user with the privileges above. Otherwise, the user holding the listed roles must be granted permissions on every necessary entity in the vCenter, with the Propagate setting shown in the tables below.
For more information, consult the vSphere documentation section "vSphere Permissions and User Management Tasks".
Permissions for installing into an existing virtual machine folder and an existing resource pool:

Role Name | Propagate | Entity |
---|---|---|
openshift-vcenter-level | False | vSphere vCenter |
ReadOnly | False | vSphere vCenter Datacenter |
ReadOnly | True | vSphere vCenter Cluster |
openshift-resourcepool-level | True | vSphere vCenter Resource Pool |
openshift-datastore-level | False | vSphere vCenter Datastore |
ReadOnly | False | vSphere Switch |
openshift-portgroup-level | False | vSphere Port Group |
openshift-folder-level | True | vSphere vCenter Virtual Machine folder |
Permissions for installing into an existing virtual machine folder when no resource pool is specified, so the installer creates VMs in the root of the cluster:

Role Name | Propagate | Entity |
---|---|---|
openshift-vcenter-level | False | vSphere vCenter |
ReadOnly | False | vSphere vCenter Datacenter |
openshift-cluster-level | True | vSphere vCenter Cluster |
openshift-datastore-level | False | vSphere vCenter Datastore |
ReadOnly | False | vSphere Switch |
openshift-portgroup-level | False | vSphere Port Group |
openshift-folder-level | True | vSphere vCenter Virtual Machine folder |
Permissions for the default install, where neither a folder nor a resource pool is specified, so the installer creates the virtual machine folder and creates VMs in the root of the cluster:

Role Name | Propagate | Entity |
---|---|---|
openshift-vcenter-level | False | vSphere vCenter |
openshift-datacenter-level | True | vSphere vCenter Datacenter |
openshift-cluster-level | True | vSphere vCenter Cluster |
openshift-datastore-level | False | vSphere vCenter Datastore |
ReadOnly | False | vSphere Switch |
openshift-portgroup-level | False | vSphere Port Group |
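Creating these roles and permissions by hand in the web client is error-prone, so the script below is an added example (not part of the installer docs or the project) that prints the `govc role.create` and `govc permissions.set` commands for the default install above, using the privilege sets from the role tables verbatim. The principal and inventory paths are assumptions; review the printed plan before piping it to `sh`.

```shell
#!/bin/sh
# Prints the govc commands that create the OpenShift roles and grant them to the
# install user for the default scenario (installer creates the VM folder and places
# VMs in the cluster root, i.e. the third permissions table). Pipe the output to sh
# to apply it. Assumed (not from the page): the principal and inventory paths below.
VC_USER="${VC_USER:-openshift-installer@vsphere.local}"
DC="${DC:-/dc1}"
CLUSTER="${CLUSTER:-$DC/host/cluster1}"
DATASTORE="${DATASTORE:-$DC/datastore/ds1}"
SWITCH="${SWITCH:-$DC/network/dvs1}"
PORTGROUP="${PORTGROUP:-$DC/network/dvs1-pg1}"

# Privilege sets copied verbatim from the role tables above (ReadOnly is built in).
privs_for() {
  case "$1" in
    openshift-vcenter-level) echo "Cns.Searchable InventoryService.Tagging.AttachTag InventoryService.Tagging.CreateCategory InventoryService.Tagging.CreateTag InventoryService.Tagging.DeleteCategory InventoryService.Tagging.DeleteTag InventoryService.Tagging.EditCategory InventoryService.Tagging.EditTag Sessions.ValidateSession StorageProfile.Update StorageProfile.View" ;;
    openshift-datacenter-level) echo "Resource.AssignVMToPool VApp.Import VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.AdvancedConfig VirtualMachine.Config.Annotation VirtualMachine.Config.CPUCount VirtualMachine.Config.DiskExtend VirtualMachine.Config.DiskLease VirtualMachine.Config.EditDevice VirtualMachine.Config.Memory VirtualMachine.Config.RemoveDisk VirtualMachine.Config.Rename VirtualMachine.Config.ResetGuestInfo VirtualMachine.Config.Resource VirtualMachine.Config.Settings VirtualMachine.Config.UpgradeVirtualHardware VirtualMachine.Interact.GuestControl VirtualMachine.Interact.PowerOff VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Reset VirtualMachine.Inventory.Create VirtualMachine.Inventory.CreateFromExisting VirtualMachine.Inventory.Delete VirtualMachine.Provisioning.Clone VirtualMachine.Provisioning.DeployTemplate VirtualMachine.Provisioning.MarkAsTemplate Folder.Create Folder.Delete" ;;
    openshift-cluster-level) echo "Host.Config.Storage Resource.AssignVMToPool VApp.AssignResourcePool VApp.Import VirtualMachine.Config.AddNewDisk" ;;
    openshift-datastore-level) echo "Datastore.AllocateSpace Datastore.Browse Datastore.FileManagement" ;;
    openshift-portgroup-level) echo "Network.Assign" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# govc role.create NAME PRIVILEGE...  (one role per line of output)
role_create_cmd() { echo "govc role.create $1 $(privs_for "$1")"; }

# govc permissions.set -principal USER -role ROLE -propagate=true|false PATH
permission_cmd() { echo "govc permissions.set -principal '$VC_USER' -role $1 -propagate=$2 '$3'"; }

# The plan: create the five custom roles, then grant each role on its entity with the
# Propagate value from the third permissions table.
plan_default_install() {
  for r in openshift-vcenter-level openshift-datacenter-level openshift-cluster-level \
           openshift-datastore-level openshift-portgroup-level; do
    role_create_cmd "$r"
  done
  permission_cmd openshift-vcenter-level false /
  permission_cmd openshift-datacenter-level true "$DC"
  permission_cmd openshift-cluster-level true "$CLUSTER"
  permission_cmd openshift-datastore-level false "$DATASTORE"
  permission_cmd ReadOnly false "$SWITCH"
  permission_cmd openshift-portgroup-level false "$PORTGROUP"
}

plan_default_install
```

Run with `GOVC_URL`, `GOVC_USERNAME` and `GOVC_PASSWORD` exported for an administrative session, and set `DC`, `CLUSTER`, `DATASTORE`, `SWITCH` and `PORTGROUP` to your own inventory paths before applying.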
The following is a visual walkthrough of creating and assigning global roles in the vSphere 6 web client. Roles can be similarly created for specific clusters. For more information, refer to the vSphere docs.
Roles can be created and edited in Administration > Access Control > Roles.
When creating a new role, first assign permissions (using the list above for guidance):
Once you save your role, the new privileges will be visible:
Roles can be assigned in Administration > Access Control > Global Permissions. The newly created role can be assigned to a group or directly to a user.
To assign the newly created role, click the + for Add Permission: