WilliamLam.com

Closer look at vSphere Permissions for vSphere with Tanzu 

07.22.2021 by William Lam // 3 Comments

Questions regarding vSphere Permissions for vSphere with Tanzu have been brought up more frequently lately, and the majority of questions that I have seen have primarily focused on the behavior of the vSphere UI Inventory. After taking a closer look and experimenting with a few permutations within my lab, I realized that most folks were simply focusing on what they were most familiar with, which is using the vSphere UI to interact with vSphere.

Although vSphere with Tanzu is tightly integrated with vSphere and the vSphere UI is certainly a primary interface, it is certainly not the only interface nor is it always the interface for end users like a developer. Depending on the needs of your end users and how your organization wishes to grant access to a vSphere Namespace, there are actually a few options that are available to you. In fact, users can interact with vSphere with Tanzu without ever logging into the vSphere UI and that is completely valid and may even be desirable for some organizations.

Note: The custom kubectl plugin for vSphere (kubectl-vsphere), which is needed to interact with vSphere with Tanzu, can be downloaded by simply opening a browser (or using wget) to the following URL: https://[SUPERVISOR-CLUSTER-IP]/wcp/plugin/[OS]-amd64/vsphere-plugin.zip, where OS is darwin, linux or windows (e.g. https://172.17.33.33/wcp/plugin/darwin-amd64/vsphere-plugin.zip).

Below are the results of my testing using the various vSphere Roles and Groups, including the behavior across the different consumption interfaces, including the vSphere UI. To help better illustrate the results, I am also using some example personas. These are purely used as examples and may differ based on your organizational needs.

Persona: VI/Cloud Admin

In this scenario, the user is a vSphere Administrator and has the following memberships:

  • vSphere Role: Administrator
  • vSphere SSO Group: Administrators
  • vSphere Namespace: SSO User and/or Active Directory User

The user will be able to view and manage all vSphere infrastructure including the vSphere Namespaces and the respective workloads including TKG Workload Clusters and/or VMs via the VM Service.

Here is a summary of this user's access:

[Read more...]

Categories // VMware Tanzu Tags // vSphere Kubernetes Service

Quick Tip - vSphere Permission to view vSphere with Tanzu Namespaces

07.06.2021 by William Lam // 6 Comments

If you wish to create a custom vSphere Role that has the ability to view vSphere Namespaces, which are part of vSphere with Tanzu, you will need to add the user to the following vSphere Single Sign-On Group: ServiceProviderUsers, which is located under Single Sign On->Users and Groups->Groups (2nd page) within the vSphere UI.


Once added, you can log out and log back in and the user should now see the vSphere Namespaces as shown in the screenshot below. In my example, I have a user named william, which is created in the default vsphere.local domain and has been assigned the vSphere Read Only role along with this additional SSO group. They will be able to view all resources but will not have permission to make any changes to the infrastructure. If you are using Active Directory, the exact same process works; just make sure you log out and log back in for the changes to take effect.

Categories // VMware Tanzu, vSphere 7.0 Tags // permission, vSphere Kubernetes Service

Can I deploy both Tanzu Kubernetes Grid (TKG) and vSphere with Tanzu on same vSphere Cluster?

06.09.2021 by William Lam // Leave a Comment

A simple question with a simple answer, yes! I have seen this question get asked in various internal Slack channels on whether you can deploy both Tanzu Kubernetes Grid (TKG) and vSphere with Tanzu (formerly Project Pacific) on the same vSphere Cluster. If you were an early user of TKG, you may recall that if you attempted to deploy TKG to a vSphere Cluster which already had vSphere with Tanzu enabled, it would prevent you from proceeding. Instead of having to deploy another Kubernetes management control plane, you could simply leverage and connect to the Supervisor Cluster control plane using the TKG CLI and start deploying TKG Workload Clusters.

From a technical standpoint, there is no reason that TKG and vSphere with Tanzu could not co-exist on the same vSphere Cluster. In fact, this request has come up enough times that the original TKG behavior has recently been updated to allow for this co-existence. From an exploratory and learning point of view, it is quite useful to be able to try out both solutions and not have to dedicate a specific vSphere Cluster to each of the Tanzu Kubernetes (K8s) offerings. A more practical use case that came up recently from a customer was being able to use both solutions as a way to consolidate their workloads using a specific Tanzu K8s solution, which makes total sense. Today, there are still some differences in terms of the features and capabilities between TKG and vSphere with Tanzu and, depending on your needs, you may have a use case for both in your environment.

[Read more...]

Categories // VMware Tanzu, vSphere 7.0 Tags // Tanzu Kubernetes Grid, vSphere Kubernetes Service

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025

 
