User Privileges on vSphere

This appendix contains the following topic:

User Privileges on vSphere

The following table provides the minimal set of privileges that are required by the vSphere user to execute the relevant operations in vCenter.

| Roles | Privileges | Entities | Propagate to Children |
|---|---|---|---|
| manage-k8s-node-vms | Resource.AssignVMToPool, System.Anonymous, System.Read, System.View, VirtualMachine.Config.AddExistingDisk, VirtualMachine.Config.AddNewDisk, VirtualMachine.Config.AddRemoveDevice, VirtualMachine.Config.RemoveDisk, VirtualMachine.Inventory.Create, VirtualMachine.Inventory.Delete | Cluster, Hosts, VM folder | Yes |
| manage-k8s-volumes | Datastore.AllocateSpace, Datastore.FileManagement, System.Anonymous, System.Read, System.View | Datastore | No |
| k8s-system-read-and-spbmprofile-view | StorageProfile.View, System.Anonymous, System.Read, System.View | vCenter | No |
| ReadOnly | System.Anonymous, System.Read, System.View | Datacenter, Datastore cluster, Datastore storage folder | Yes |
| ccp-register-extension | Extension.Register, Extension.Unregister, Extension.Update | vCenter | No |
| CCP_Admin | Extension.Register, Extension.Unregister, Extension.Update, Resource.AssignVMToPool, Network.Assign, StorageProfile.View, System.Anonymous, System.Read, System.View, VirtualMachine.Config.AddExistingDisk, VirtualMachine.Config.AddNewDisk, VirtualMachine.Config.AddRemoveDevice, VirtualMachine.Config.RemoveDisk, VirtualMachine.Config.CPUCount, VirtualMachine.Config.AdvancedConfig, VirtualMachine.Config.Resource, VirtualMachine.Config.ManagedBy, VirtualMachine.Config.DiskExtend, VirtualMachine.Config.Memory, VirtualMachine.Config.Settings, VirtualMachine.Config.RawDevice, VirtualMachine.Inventory.Create, VirtualMachine.Inventory.Remove, VirtualMachine.Provisioning.Clone, VirtualMachine.Provisioning.CreateTemplateFromVM, VirtualMachine.Provisioning.DeployTemplate, VApp.Import, VApp.PowerOn, VApp.PowerOff, VApp.Suspend, VApp.ResourceConfig, VApp.InstanceConfig, VApp.ApplicationConfig, VApp.ManagedByConfig | Cluster, Hosts, vCenter, Datastore, Datastore cluster | Yes |

For more information on adding a provider profile, see Adding vSphere Provider Profile.
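The table above is a least-privilege baseline, so the two things worth checking on a live vCenter are whether each role still matches its documented minimum (nothing missing, nothing extra) and which privileges a service account actually ends up with on a given inventory object once the Propagate to Children setting is taken into account. The following Python is an added example, not part of this appendix or of Cisco Container Platform; the privilege sets are copied from the table (CCP_Admin is left out of the dictionary and would be added the same way), the role and permission data is constructed so the script runs offline, and the inventory path and entity names are illustrative. On a real vCenter the same functions can be fed from pyVmomi's `content.authorizationManager.roleList`, whose entries expose `.name` and `.privilege` (a list of privilege-id strings such as `System.View`).

```python
"""Audit vCenter roles against the minimal privilege sets in the table above.

Added example with constructed data. Role definitions and permission
assignments below are made up for illustration; in production they would be
read from vCenter (for example via pyVmomi's authorizationManager).
"""

# Minimal privilege sets per role, copied from the table (CCP_Admin omitted;
# add it the same way when auditing that role).
REQUIRED_PRIVILEGES = {
    "manage-k8s-node-vms": {
        "Resource.AssignVMToPool", "System.Anonymous", "System.Read", "System.View",
        "VirtualMachine.Config.AddExistingDisk", "VirtualMachine.Config.AddNewDisk",
        "VirtualMachine.Config.AddRemoveDevice", "VirtualMachine.Config.RemoveDisk",
        "VirtualMachine.Inventory.Create", "VirtualMachine.Inventory.Delete",
    },
    "manage-k8s-volumes": {
        "Datastore.AllocateSpace", "Datastore.FileManagement",
        "System.Anonymous", "System.Read", "System.View",
    },
    "k8s-system-read-and-spbmprofile-view": {
        "StorageProfile.View", "System.Anonymous", "System.Read", "System.View",
    },
    "ReadOnly": {"System.Anonymous", "System.Read", "System.View"},
    "ccp-register-extension": {
        "Extension.Register", "Extension.Unregister", "Extension.Update",
    },
}


def audit_role(role_name, granted):
    """Compare a role as defined in vCenter with the table's minimum set.

    Returns (missing, extra): privileges the role lacks (operations will
    fail) and privileges beyond the documented minimum (candidates for
    removal under least privilege). Raises KeyError for roles not in the table.
    """
    required = REQUIRED_PRIVILEGES[role_name]
    granted = set(granted)
    return sorted(required - granted), sorted(granted - required)


def effective_privileges(entity_path, permissions, roles):
    """Resolve the privileges one principal holds on a target entity.

    entity_path: entity names from the root down to the target, for example
        ["vCenter", "Datacenter", "Cluster"].
    permissions: (entity, role_name, propagate) tuples for that principal.
    roles: mapping role_name -> set of privilege ids.

    Model of vSphere's inheritance rules: a permission defined on the object
    itself applies regardless of its propagate flag and overrides anything
    propagated from above; otherwise the nearest ancestor whose permission
    has "Propagate to Children" set supplies the privileges.
    """
    by_entity = {}
    for entity, role_name, propagate in permissions:
        by_entity.setdefault(entity, []).append((role_name, propagate))
    for depth, entity in enumerate(reversed(entity_path)):
        grants = by_entity.get(entity, [])
        # depth 0 is the target itself; ancestors only count if they propagate.
        applicable = [r for r, p in grants if depth == 0 or p]
        if applicable:
            return set().union(*(roles[r] for r in applicable))
    return set()


if __name__ == "__main__":
    # Constructed role as it might come back from vCenter: one privilege
    # beyond the table's minimum for manage-k8s-volumes.
    live_role = REQUIRED_PRIVILEGES["manage-k8s-volumes"] | {"Datastore.Browse"}
    print("manage-k8s-volumes audit:", audit_role("manage-k8s-volumes", live_role))

    # Constructed assignments for one service account, following the table's
    # entity and propagate columns.
    perms = [("vCenter", "ReadOnly", True), ("Datastore", "manage-k8s-volumes", False)]
    print("on Datastore:", sorted(effective_privileges(
        ["vCenter", "Datacenter", "Datastore"], perms, REQUIRED_PRIVILEGES)))
    print("on Cluster:", sorted(effective_privileges(
        ["vCenter", "Datacenter", "Cluster"], perms, REQUIRED_PRIVILEGES)))
```

Run the audit for every role the platform account uses after each vCenter change; a non-empty `extra` list is the usual sign of privilege creep, and an empty result from `effective_privileges` on an entity the table lists means a permission was assigned without the required propagation.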

Erase User Data

You need to erase user data and return a cluster to a clean state when its physical media is replaced or removed. When working with Virtual Volumes, deleting or overwriting a file is not adequate for completely erasing user data. File systems do not overwrite the disk blocks that contain data. This means that deletion of a VM or datastore does not erase user data. In order to securely erase user data, you need to erase the physical storage underlying the datastore.

For more information on securely erasing user data from a cluster, refer to the latest documentation from your storage vendor.