WilliamLam.com

Exploring the new vSphere Privilege Recorder in vSphere 8.0 Update 1

by // 3 Comments

Determining the minimum vSphere privileges that is required to perform a given vSphere operation (UI/API) has been a huge customer challenge to say the least. Strategies have included guessing along with trial and error by creating a custom vSphere Role and slowly removing privileges until you have identified the minimum required privileges. If you are familiar with the vSphere API and know exactly which API methods and properties are consumed, then you can use the vSphere API Reference since every method and property includes the specific privilege required in the documentation, but this method is pretty tedious and time consuming.

If only we had a way to record all the vSphere privilege that was used for a specific set of operation(s) in vCenter Server ... 🤔

Apparently I missed the initial news, but this was actually one of the new features that was introduced in vSphere 8.0 Update 1 called the vSphere Privilege Recorder! 😆

UPDATE (07/25/24) - Looks like the PowerCLI team has productized this capability with a new cmdlet introduced in PowerCLI 13.3 called Get-VIPrivilegeReport

[Read more...]

What is vc-ws1a-broker service on vCenter Server Appliance (VCSA)?

by // 2 Comments

When vSphere 8.0 Update 1 was released, I noticed an interesting message about containers being installed while deploying the vCenter Server Appliance (VCSA) ...

As shared in the Tweet/X above, it turns out this was for a service called vc-ws1a-broker, which I came to learn was for enabling the new Identity Federation Provider for the VCSA with Okta.

I ended up correctly guessing that the vc-ws1a-broker process was indeed our very own VMware Workspace One Access (WS1A) application but running as a Container workload within the VCSA. In vSphere 8.0 Update 2, support for Microsoft EntraID (formally Azure AD) is now also possible as additional identity provider option.

One important thing to be aware of the vc-ws1a-broker service is that it is configured to be able to consume up to 2GB of memory, as shown using the cloudvm-ram-size utility in the screenshot below.

[Read more...]

Building custom Tanzu Kubernetes Releases (TKR) for vSphere with Tanzu

by // 1 Comment

Right before going on PTO, I caught this really interesting tweet from my buddy Robert Guske that we now support building your own custom Tanzu Kubernetes Releases (TKR), the Kubernetes software distributions that is signed and supported by VMware, which is typically provided by VMware through the online TKR Content Library.

While there are already a number of existing customizations that can be applied when deploying a Tanzu Kubernetes Workload Cluster (TKC), there may still be certain VM configurations that you would like to add, which is simply not possible today. In some of the customer requests, it can be as simple as changing the default size of the primary disk for a TKR, which is statically configured today as 20GB.

With this and many other use cases, it is nice to see that we now finally provide customers with a supported method to build their own custom TKR that might include additional customizations that is required by their organization for use with vSphere with Tanzu.

I recently got a chance to play with the new vSphere Tanzu Kubernetes Grid Image Builder tool, which is also an open source project from VMware and leverages the existing Kubernetes Image Builder, which I have also used before (see this blog post HERE for more details). While getting started, it took me a few tries but I eventually got it working after speaking with the Developers as I ran into a few issues.

[Read more...]