github.com/openshift/installer@v1.4.17/docs/user/vsphere/privileges.md (about)

# Required Privileges & Permissions
In order to install an OpenShift cluster into a vCenter, the user provided to the installer needs privileges to read and create the necessary resources. The easiest way to achieve this level of permission and ensure success is to install with a user who has global administrative privileges.

If the provided user has global admin privileges, no further action for permissions is required. Otherwise, the rest of this document can be used as a resource to create a user with more fine-grained privileges. Since the same user is also used to run the cluster (Machine management and the vSphere Storage provider), scoping its privileges limits what a compromised credential can do.

## Create new roles with the appropriate privileges

The tables below describe the minimal set of privileges needed to install and run OpenShift, including Machine management and the vSphere Storage provider.

### Fundamental (minimum) Privileges

These privileges are required for every OpenShift cluster on vSphere and are sufficient to install into an existing virtual machine folder and an existing resource pool. The privileges in the next section are additionally required for the installer to create a folder, which is the default behavior if no folder is specified in the install config. The privileges in the third section are additionally required for the installer to create VMs in the root of the cluster, which is the default behavior if no resource pool is specified in the install config.

Role Name | vSphere object | Privilege Set
--- | --- | ---
openshift-vcenter-level | vSphere vCenter | Cns.Searchable<br/>InventoryService.Tagging.AttachTag<br/>InventoryService.Tagging.CreateCategory<br/>InventoryService.Tagging.CreateTag<br/>InventoryService.Tagging.DeleteCategory<br/>InventoryService.Tagging.DeleteTag<br/>InventoryService.Tagging.EditCategory<br/>InventoryService.Tagging.EditTag<br/>Sessions.ValidateSession<br/>StorageProfile.Update<br/>StorageProfile.View
openshift-resourcepool-level | vSphere vCenter Resource Pool | Host.Config.Storage<br/>Resource.AssignVMToPool<br/>VApp.AssignResourcePool<br/>VApp.Import<br/>VirtualMachine.Config.AddNewDisk
openshift-datastore-level | vSphere Datastore | Datastore.AllocateSpace<br/>Datastore.Browse<br/>Datastore.FileManagement
openshift-portgroup-level | vSphere Port Group | Network.Assign
openshift-folder-level | Virtual Machine Folder | Resource.AssignVMToPool<br/>VApp.Import<br/>VirtualMachine.Config.AddExistingDisk<br/>VirtualMachine.Config.AddNewDisk<br/>VirtualMachine.Config.AddRemoveDevice<br/>VirtualMachine.Config.AdvancedConfig<br/>VirtualMachine.Config.Annotation<br/>VirtualMachine.Config.CPUCount<br/>VirtualMachine.Config.DiskExtend<br/>VirtualMachine.Config.DiskLease<br/>VirtualMachine.Config.EditDevice<br/>VirtualMachine.Config.Memory<br/>VirtualMachine.Config.RemoveDisk<br/>VirtualMachine.Config.Rename<br/>VirtualMachine.Config.ResetGuestInfo<br/>VirtualMachine.Config.Resource<br/>VirtualMachine.Config.Settings<br/>VirtualMachine.Config.UpgradeVirtualHardware<br/>VirtualMachine.Interact.GuestControl<br/>VirtualMachine.Interact.PowerOff<br/>VirtualMachine.Interact.PowerOn<br/>VirtualMachine.Interact.Reset<br/>VirtualMachine.Inventory.Create<br/>VirtualMachine.Inventory.CreateFromExisting<br/>VirtualMachine.Inventory.Delete<br/>VirtualMachine.Provisioning.Clone<br/>VirtualMachine.Provisioning.DeployTemplate<br/>VirtualMachine.Provisioning.MarkAsTemplate


### Installer created virtual machine folder

In addition to the roles above, one more role is needed if the installer is to create the vSphere virtual machine folder.
Because the datacenter's top-level virtual machine folder is hidden, the only way to support an installation that creates a VM folder for the OpenShift cluster is to create a new datacenter-level role and assign it with propagation. Note that, while propagated, this role grants VM create, delete and power privileges on every folder in the datacenter, not only the cluster's. Once installation is complete, the `openshift-folder-level` role can be applied to the folder that the installer created and the datacenter-level assignment removed.

Role Name | vSphere object | Privilege Set
--- | --- | ---
openshift-datacenter-level | vSphere vCenter Datacenter | Resource.AssignVMToPool<br/>VApp.Import<br/>VirtualMachine.Config.AddExistingDisk<br/>VirtualMachine.Config.AddNewDisk<br/>VirtualMachine.Config.AddRemoveDevice<br/>VirtualMachine.Config.AdvancedConfig<br/>VirtualMachine.Config.Annotation<br/>VirtualMachine.Config.CPUCount<br/>VirtualMachine.Config.DiskExtend<br/>VirtualMachine.Config.DiskLease<br/>VirtualMachine.Config.EditDevice<br/>VirtualMachine.Config.Memory<br/>VirtualMachine.Config.RemoveDisk<br/>VirtualMachine.Config.Rename<br/>VirtualMachine.Config.ResetGuestInfo<br/>VirtualMachine.Config.Resource<br/>VirtualMachine.Config.Settings<br/>VirtualMachine.Config.UpgradeVirtualHardware<br/>VirtualMachine.Interact.GuestControl<br/>VirtualMachine.Interact.PowerOff<br/>VirtualMachine.Interact.PowerOn<br/>VirtualMachine.Interact.Reset<br/>VirtualMachine.Inventory.Create<br/>VirtualMachine.Inventory.CreateFromExisting<br/>VirtualMachine.Inventory.Delete<br/>VirtualMachine.Provisioning.Clone<br/>VirtualMachine.Provisioning.DeployTemplate<br/>VirtualMachine.Provisioning.MarkAsTemplate<br/>Folder.Create<br/>Folder.Delete

### Resources installed in root of cluster (no resource pool)

In addition to the roles above, one more role is needed if the installer is to create VMs in the root of the cluster. Note that the privileges applied at the cluster level in this case are the same as those applied at the resource-pool level above.

Role Name | vSphere object | Privilege Set
--- | --- | ---
openshift-cluster-level | vSphere vCenter Cluster | Host.Config.Storage<br/>Resource.AssignVMToPool<br/>VApp.AssignResourcePool<br/>VApp.Import<br/>VirtualMachine.Config.AddNewDisk

## Permission assignments

The easiest way to ensure proper permissions is to grant Global Permissions to the user with the roles above. Note that a Global Permission applies to every object in the vCenter inventory. Otherwise, it is necessary to ensure that the user with the listed roles has permissions granted on all necessary entities in the vCenter; the tables below give those assignments for each layout, with propagation enabled only where the role must reach child objects.

For more information, consult [vSphere Permissions and User Management Tasks][vsphere-perms]

### Precreated virtual machine folder and resource pool

Role Name | Propagate | Entity
--- | --- | ---
openshift-vcenter-level | False | vSphere vCenter
ReadOnly | False | vSphere vCenter Datacenter
ReadOnly | True | vSphere vCenter Cluster
openshift-resourcepool-level | True | vSphere vCenter Resource Pool
openshift-datastore-level | False | vSphere vCenter Datastore
ReadOnly | False | vSphere Switch
openshift-portgroup-level | False | vSphere Port Group
openshift-folder-level | True | vSphere vCenter Virtual Machine folder


### Precreated virtual machine folder without resource pool

Role Name | Propagate | Entity
--- | --- | ---
openshift-vcenter-level | False | vSphere vCenter
ReadOnly | False | vSphere vCenter Datacenter
openshift-cluster-level | True | vSphere vCenter Cluster
openshift-datastore-level | False | vSphere vCenter Datastore
ReadOnly | False | vSphere Switch
openshift-portgroup-level | False | vSphere Port Group
openshift-folder-level | True | vSphere vCenter Virtual Machine folder


### Installer created virtual machine folder without resource pool

Role Name | Propagate | Entity
--- | --- | ---
openshift-vcenter-level | False | vSphere vCenter
openshift-datacenter-level | True | vSphere vCenter Datacenter
openshift-cluster-level | True | vSphere vCenter Cluster
openshift-datastore-level | False | vSphere vCenter Datastore
ReadOnly | False | vSphere Switch
openshift-portgroup-level | False | vSphere Port Group


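As an added example (not code from the openshift/installer project), the following POSIX shell script creates the seven roles from the tables above with `govc` and assigns them to the install user for whichever of the three layouts above is in use. The user name, datacenter and inventory paths are placeholders to replace; the script assumes `GOVC_URL`, `GOVC_USERNAME` and `GOVC_PASSWORD` are exported for an administrative session, and `DRY_RUN=1` prints the `govc` invocations instead of executing them so the assignments can be reviewed before they are applied.

```shell
#!/usr/bin/env sh
# Added example, not part of openshift/installer: create the OpenShift roles
# with govc and grant them to the install user for one of the three layouts.
# Assumes GOVC_URL/GOVC_USERNAME/GOVC_PASSWORD give an administrative session.
set -eu

OCP_USER="${OCP_USER:-openshift@vsphere.local}"   # install user (placeholder)
DC="${DC:-/dc1}"                                  # datacenter path (placeholder)
CLUSTER="${CLUSTER:-$DC/host/cluster1}"
POOL="${POOL:-$CLUSTER/Resources/ocp-pool}"
DATASTORE="${DATASTORE:-$DC/datastore/ds1}"
SWITCH="${SWITCH:-$DC/network/dvs1}"
PORTGROUP="${PORTGROUP:-$DC/network/ocp-pg}"
FOLDER="${FOLDER:-$DC/vm/ocp}"

# DRY_RUN=1 prints each govc invocation instead of executing it.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Privilege sets copied from the role tables above.
VCENTER_PRIVS="Cns.Searchable InventoryService.Tagging.AttachTag
InventoryService.Tagging.CreateCategory InventoryService.Tagging.CreateTag
InventoryService.Tagging.DeleteCategory InventoryService.Tagging.DeleteTag
InventoryService.Tagging.EditCategory InventoryService.Tagging.EditTag
Sessions.ValidateSession StorageProfile.Update StorageProfile.View"
POOL_PRIVS="Host.Config.Storage Resource.AssignVMToPool VApp.AssignResourcePool
VApp.Import VirtualMachine.Config.AddNewDisk"
DATASTORE_PRIVS="Datastore.AllocateSpace Datastore.Browse Datastore.FileManagement"
PORTGROUP_PRIVS="Network.Assign"
FOLDER_PRIVS="Resource.AssignVMToPool VApp.Import
VirtualMachine.Config.AddExistingDisk VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AddRemoveDevice VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.Annotation VirtualMachine.Config.CPUCount
VirtualMachine.Config.DiskExtend VirtualMachine.Config.DiskLease
VirtualMachine.Config.EditDevice VirtualMachine.Config.Memory
VirtualMachine.Config.RemoveDisk VirtualMachine.Config.Rename
VirtualMachine.Config.ResetGuestInfo VirtualMachine.Config.Resource
VirtualMachine.Config.Settings VirtualMachine.Config.UpgradeVirtualHardware
VirtualMachine.Interact.GuestControl VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn VirtualMachine.Interact.Reset
VirtualMachine.Inventory.Create VirtualMachine.Inventory.CreateFromExisting
VirtualMachine.Inventory.Delete VirtualMachine.Provisioning.Clone
VirtualMachine.Provisioning.DeployTemplate VirtualMachine.Provisioning.MarkAsTemplate"
# Datacenter role = folder role + folder create/delete; cluster role = resource-pool role.
DATACENTER_PRIVS="$FOLDER_PRIVS Folder.Create Folder.Delete"
CLUSTER_PRIVS="$POOL_PRIVS"

# Unquoted expansion is intentional: privilege IDs contain no whitespace.
create_roles() {
  run govc role.create openshift-vcenter-level      $VCENTER_PRIVS
  run govc role.create openshift-resourcepool-level $POOL_PRIVS
  run govc role.create openshift-datastore-level    $DATASTORE_PRIVS
  run govc role.create openshift-portgroup-level    $PORTGROUP_PRIVS
  run govc role.create openshift-folder-level       $FOLDER_PRIVS
  run govc role.create openshift-datacenter-level   $DATACENTER_PRIVS
  run govc role.create openshift-cluster-level      $CLUSTER_PRIVS
}

# assign ROLE PROPAGATE PATH: grant ROLE to the install user on PATH.
# Propagation is enabled only for the rows the tables mark True.
assign() { run govc permissions.set -principal "$OCP_USER" -role "$1" -propagate="$2" "$3"; }

# Rows identical in all three layouts ("/" is the vCenter root folder in govc).
assign_common() {
  assign openshift-vcenter-level false /
  assign openshift-datastore-level false "$DATASTORE"
  assign ReadOnly false "$SWITCH"
  assign openshift-portgroup-level false "$PORTGROUP"
}

# assign_permissions LAYOUT, one of:
#   precreated        precreated folder and resource pool
#   no-pool           precreated folder, VMs in the cluster root
#   installer-folder  installer-created folder, VMs in the cluster root
assign_permissions() {
  assign_common
  case "$1" in
    precreated)
      assign ReadOnly false "$DC"
      assign ReadOnly true "$CLUSTER"
      assign openshift-resourcepool-level true "$POOL"
      assign openshift-folder-level true "$FOLDER" ;;
    no-pool)
      assign ReadOnly false "$DC"
      assign openshift-cluster-level true "$CLUSTER"
      assign openshift-folder-level true "$FOLDER" ;;
    installer-folder)
      assign openshift-datacenter-level true "$DC"
      assign openshift-cluster-level true "$CLUSTER" ;;
    *) echo "unknown layout: $1" >&2; return 1 ;;
  esac
}

# Usage: DRY_RUN=1 sh this-script.sh precreated   (preview)
#        sh this-script.sh precreated             (apply)
if [ "$#" -gt 0 ]; then create_roles; assign_permissions "$1"; fi
```

Run it once with `DRY_RUN=1` and compare the printed `permissions.set` lines against the table for the chosen layout before applying; afterwards `govc permissions.ls <path>` on each entity shows what was actually granted. For the `installer-folder` layout, the propagated datacenter-level grant should be replaced by an `openshift-folder-level` grant on the created folder once the install finishes, as described above.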
## Walkthrough: Creating and Assigning Global Roles
The following is a visual walkthrough of creating a role and assigning it as a Global Permission in the vSphere 6 web client. The same role can instead be assigned on a specific entity, such as a cluster, from that entity's Permissions tab, which is how the scoped assignments in the tables above are applied. For more information, refer to the [vSphere docs][vsphere-docs].

### Creating a new role
Roles can be created and edited in __Administration > Access Control > Roles__.

When creating a new role, first select its privileges (using the tables above for guidance):
![Select privileges](images/select-privileges.png)

Once you save your role, the new privileges will be visible:
![View privileges](images/view-privileges.png)

### Assigning a role
Roles can be assigned in __Administration > Access Control > Global Permissions__.
The newly created role can be assigned to a group or directly to a user.

To assign the newly created role, click the `+` for Add Permission:
![Assign role](images/assign-role.png)

[vsphere-docs]: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-5372F580-5C23-4E9C-8A4E-EF1B4DD9033E.html
[vsphere-perms]: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-5372F580-5C23-4E9C-8A4E-EF1B4DD9033E.html