[VMware Tanzu] grant vCenter sso users Tanzu object access

shmoon2·2022년 10월 14일


목록 보기

VMware Tanzu supports k8s infrastructure on legacy VMware vCenter.(well you need version 7.0+) with VMware Tanzu you can manage k8s resources with vCenter UI or CLI(kubectl-vsphere, tanzucli)

Permission is always a beginning to everything. a sso user can be added to Tanzu namespace and then has access to k8s resources on kubectl.

and it's that easy to add on vCenter UI.

I'm restless. can't do this every time manually. do Tanzu have a API for this?
opened a SR and here's the answer.

Below is my answer on your query:-
Yes, you can give permission to users using kubectl command also, in both supervisor cluster as well as in TKCs. To give permission, you need to create clusterrolebinding/rolebinding inside the cluster.

You can check the role on cluster and bind it with user to give permission:-
1) To check roles in cluster, run below command (where you will also find “admin”, “view”, “edit” role).
kubectl get clusterrole
kubectl get role -n <namespace>
2) And to assign that role to users, you need to create clusterrolebinding/rolebinding. Refer below doc
Refer https://docs.vmware.com/en/VMware-vSphere/7.0/vmware-vsphere-with-tanzu/GUID-6DE4016E-D51C-4E9B-9F8B-F6577A18F296.html

says yes we can. ref
all that was needed was a simple rolebinding.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
  name: rolebinding-cluster-user-joe
  namespace: default
  kind: ClusterRole
  name: edit                             #Default ClusterRole
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: sso:joe@vsphere.local            #sso:<username>@<domain>
  apiGroup: rbac.authorization.k8s.io

above yaml code is a clusterrolebinding which have higher access level. to restrict access to each namespace, use rolebinding.


Tanzu was a k8s tool afterall. stick to the basics.

I live fullest

0개의 댓글