DevOps vCenter access within vSphere with Tanzu
With the launch of vSphere 7 with Tanzu and the new Workload Management control plane, the DevOps persona can independently interact with the Workload Management platform to deploy new workload objects, like vSphere Pods, VMs, and Kubernetes clusters, without needing the vCenter UI or APIs. The VI admin creates the appropriate RBAC within the new Workload Management interface, which removes the need for DevOps users to access the vCenter UI/API directly for their day-to-day work. While all authentication is proxied through vCenter, most interactions never touch it directly.
While this is beneficial, the DevOps persona has no direct access to the corresponding vCenter objects they are working on, which can be inconvenient at times.
Let's take a look at how a vSphere administrator sees the Workload Management objects in the UI.
In this example, the `devops` user has created a Supervisor Namespace `demo1`. Within it, the user has deployed a Tanzu Kubernetes Cluster `workload-vsphere-tkg2`. If we grant the `devops` user the Read-Only role within vCenter, they should ideally be able to view the `demo1` Supervisor Namespace and the `workload-vsphere-tkg2` cluster. But this is not the case.
In the above screen, the `devops` user has the Read-only role defined at the vCenter level. The screenshot below is the view for the `devops` user. As you can see, the entire `Namespaces` resource pool and its children are not visible to the user.
So how do we solve the problem and allow the DevOps user to view the Supervisor Namespaces and the objects?
- Log in to the vCenter UI as an administrator and create a Workload Management superuser (if not already created). This user can be a member of any Identity Provider configured within vCenter. In my example, the name of the user is `wcpadmin`.
- Grant this user the Administrator role at the vCenter level.
- Add the user `wcpadmin` to the `ServiceProviderUsers` group. This allows the `wcpadmin` user to access and manage all Workload Management objects, including permissions. Note that this is not an official VMware-approved solution.
The following govc commands automate the steps performed above.
$ govc sso.user.create -p Password -R Admin wcpadmin
$ govc permissions.set -principal="wcpadmin@VSPHERE.LOCAL" -propagate=true -role=Admin /
$ govc sso.group.update -a=wcpadmin ServiceProviderUsers
- Now log in to vCenter as the `wcpadmin` user and navigate to the `Namespaces` resource pool within the `Hosts and Clusters` view.
- Right-click `Namespaces` and click `Add Permissions...`. As per the screenshot below, add the relevant permissions for the desired `devops` user, granting them the expected roles. And that's it!
Log in to vCenter with the DevOps user's credentials. The user can now access all the Supervisor objects within the `Namespaces` resource pool.
You can delete the `wcpadmin` user once the above verification is completed.
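As an added example (not from the original post), the script below drives the whole procedure with govc, including the `Namespaces` permission that is granted through the UI above and the removal of the temporary `wcpadmin` account once verification is done. The SSO domain, the inventory path of the `Namespaces` resource pool, the `devops` user name and the default `ReadOnly` role are assumptions; the commands are only printed unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: the post's procedure driven with govc.
# Assumptions: SSO domain, inventory path of the Namespaces resource pool, user names.
# Commands are printed only; set DRY_RUN=0 to execute them against GOVC_URL.
DRY_RUN="${DRY_RUN:-1}"
SSO_DOMAIN="${SSO_DOMAIN:-VSPHERE.LOCAL}"              # assumed SSO domain
WCP_ADMIN="${WCP_ADMIN:-wcpadmin}"                    # temporary Workload Management superuser
WCP_ADMIN_PASSWORD="${WCP_ADMIN_PASSWORD:-CHANGE-ME}"  # placeholder; supply a strong temporary password
DEVOPS_USER="${DEVOPS_USER:-devops}"                  # DevOps persona that needs visibility
DEVOPS_ROLE="${DEVOPS_ROLE:-ReadOnly}"                # least privilege: view only, unless overridden
# Assumed inventory path of the Supervisor "Namespaces" resource pool.
NAMESPACES_RP="${NAMESPACES_RP:-/Datacenter/host/Cluster/Resources/Namespaces}"

# Echo the command, then run it only when DRY_RUN=0.
run() {
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

# Steps 1-3 (as the vCenter administrator): create the superuser, make it Admin
# on the vCenter root, add it to ServiceProviderUsers.
create_wcpadmin() {
  run govc sso.user.create -p "$WCP_ADMIN_PASSWORD" -R Admin "$WCP_ADMIN"
  run govc permissions.set -principal="$WCP_ADMIN@$SSO_DOMAIN" -propagate=true -role=Admin /
  run govc sso.group.update -a="$WCP_ADMIN" ServiceProviderUsers
}

# Steps 4-5 with govc instead of the UI. Runs in a subshell so the wcpadmin
# credentials only apply here; the permission is scoped to the Namespaces
# resource pool and propagates to the namespaces and clusters beneath it.
grant_devops_visibility() (
  export GOVC_USERNAME="$WCP_ADMIN@$SSO_DOMAIN" GOVC_PASSWORD="$WCP_ADMIN_PASSWORD"
  run govc permissions.set -principal="$DEVOPS_USER@$SSO_DOMAIN" -propagate=true \
    -role="$DEVOPS_ROLE" "$NAMESPACES_RP"
)

# Cleanup after verification: drop the group membership and root permission,
# then delete the account, so no standing superuser is left behind.
remove_wcpadmin() {
  run govc sso.group.update -r="$WCP_ADMIN" ServiceProviderUsers
  run govc permissions.remove -principal="$WCP_ADMIN@$SSO_DOMAIN" /
  run govc sso.user.rm "$WCP_ADMIN"
}

main() { create_wcpadmin; grant_devops_visibility; remove_wcpadmin; }

# Invoke as "sh tanzu-devops-access.sh run" to execute all steps in order.
case "${1:-}" in run) main ;; esac
```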