DevOps vCenter access within vSphere with Tanzu

With the launch of vSphere 7 with Tanzu and the new Workload Management control plane, the DevOps persona can interact with the Workload Management platform independently to deploy new workload objects, such as vSphere Pods, VMs, and Kubernetes clusters, without needing the vCenter UI or APIs. The VI admin creates the appropriate RBAC within the new Workload Management interface, which removes the need for DevOps users to access the vCenter UI/API directly for their day-to-day work. While all authentication is proxied through vCenter, most interactions do not touch it directly.

While the above feature is beneficial, it also means the DevOps persona has no direct access to the corresponding vCenter objects they are working on, which can be inconvenient at times.
Let's take a look at how a vSphere administrator sees the UI and which Workload Management objects are visible there.

In this example, the devops user has created a Supervisor Namespace named demo1. Within it, the user has deployed a Tanzu Kubernetes Cluster named workload-vsphere-tkg2. If we grant the devops user the Read-Only role within vCenter, they should ideally be able to view the demo1 Supervisor Namespace and the workload-vsphere-tkg2 cluster. But this is not the case.

In the above screenshot, the devops user has the Read-Only role defined at the vCenter level. The screenshot below shows the devops user's view: the entire Namespaces resource pool and its children are not visible to the user.

So how do we solve the problem and allow the DevOps user to view the Supervisor Namespaces and the objects?

  • Log in to the vCenter UI as an administrator and create a Workload Management superuser (if one does not already exist). This user can be a member of any Identity Provider configured within vCenter. In my example, the name of the user is wcpadmin@vsphere.local.
  • Grant this user the Administrator role at the vCenter level.
  • Add the user wcpadmin to the ServiceProviderUsers group. This allows the wcpadmin user to access and manage all Workload Management objects, including their permissions. Note that this is not an official VMware-approved solution.

The following govc commands automate the steps that we performed above.

# Create the SSO user with the Admin SSO role
$ govc sso.user.create -p Password -R Admin wcpadmin
# Grant the Administrator vCenter role at the root, propagating to all children
$ govc permissions.set -principal="wcpadmin@VSPHERE.LOCAL" -propagate=true -role=Admin /
# Add the user to the ServiceProviderUsers SSO group
$ govc sso.group.update -a wcpadmin ServiceProviderUsers
  • Now log in to vCenter as the user wcpadmin and navigate to the Namespaces resource pool within the Hosts and Clusters view.
  • Right-click on Namespaces and click Add Permissions... . As per the screenshot below, add the relevant permissions for the desired devops user, granting them the expected roles. And that's it!!!

Log in to vCenter with the DevOps user's credentials. The user can now access all the Supervisor objects within the Namespaces resource pool.

You can delete the wcpadmin user once the above verification is complete.
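The whole procedure, from creating the temporary superuser through granting the devops user Read-Only on the Namespaces resource pool to tearing the superuser down again, can be scripted with govc. The script below is an added example and is not part of the original post; it assumes govc is installed, that GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD already point at a vCenter administrator session, and that the inventory path /dc01/host/cluster01/Resources/Namespaces and the principal devops@vsphere.local are placeholders for your own environment. The DRY_RUN=1 mode only prints the govc command lines so they can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example (not the original post's code): grant a DevOps user visibility
# into the Namespaces resource pool via a temporary Workload Management superuser.
# Assumes govc is installed and GOVC_URL/GOVC_USERNAME/GOVC_PASSWORD are set for
# a vCenter administrator. Paths and principals below are placeholders.
set -eu

WCP_ADMIN="${WCP_ADMIN:-wcpadmin}"
WCP_ADMIN_PASSWORD="${WCP_ADMIN_PASSWORD:-ChangeMe-PLACEHOLDER}"
DEVOPS_PRINCIPAL="${DEVOPS_PRINCIPAL:-devops@vsphere.local}"
DEVOPS_ROLE="${DEVOPS_ROLE:-ReadOnly}"   # vCenter role ID for "Read-only"
NAMESPACES_RP="${NAMESPACES_RP:-/dc01/host/cluster01/Resources/Namespaces}"  # placeholder path
DRY_RUN="${DRY_RUN:-0}"

# run: echo the command line, then execute it unless DRY_RUN=1.
# Note: the echoed line includes the -p password argument, so keep dry-run output out of logs.
run() {
  printf '+ %s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Steps 1-3 of the post: SSO user, Administrator at vCenter root, ServiceProviderUsers member.
create_wcp_superuser() {
  run govc sso.user.create -p "$WCP_ADMIN_PASSWORD" -R Admin "$WCP_ADMIN"
  run govc permissions.set -principal="${WCP_ADMIN}@VSPHERE.LOCAL" -propagate=true -role=Admin /
  run govc sso.group.update -a "$WCP_ADMIN" ServiceProviderUsers
}

# Step 4: as the superuser, add the devops principal on the Namespaces resource pool only.
# The role defaults to ReadOnly so the devops user gets visibility, not control.
grant_devops_namespace_access() {
  (
    export GOVC_USERNAME="${WCP_ADMIN}@vsphere.local"
    export GOVC_PASSWORD="$WCP_ADMIN_PASSWORD"
    run govc permissions.set -principal="$DEVOPS_PRINCIPAL" -propagate=true \
      -role="$DEVOPS_ROLE" "$NAMESPACES_RP"
  )
}

# Verification: list the effective permissions on the resource pool.
verify_devops_namespace_access() {
  run govc permissions.ls "$NAMESPACES_RP"
}

# Teardown: remove the temporary superuser's group membership, root permission and account.
cleanup_wcp_superuser() {
  run govc sso.group.update -r "$WCP_ADMIN" ServiceProviderUsers
  run govc permissions.remove -principal="${WCP_ADMIN}@VSPHERE.LOCAL" /
  run govc sso.user.rm "$WCP_ADMIN"
}

main() {
  create_wcp_superuser
  grant_devops_namespace_access
  verify_devops_namespace_access
  cleanup_wcp_superuser
}

# Usage: DRY_RUN=1 sh grant-namespace-view.sh apply   (review the commands)
#        sh grant-namespace-view.sh apply              (execute them)
if [ "${1:-}" = "apply" ]; then
  main
fi
```

The permission for the devops user is set on the Namespaces resource pool rather than at the vCenter root, and the teardown removes the ServiceProviderUsers membership and the root-level Administrator permission before deleting the account, so the elevated superuser does not outlive the change it was created for.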