Adding minimal set of privileges required for vSphere Cloud Provider #2989
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
| @@ -55,6 +55,31 @@ export GOVC_INSECURE=1 | |||
| govc vm.change -e="disk.enableUUID=1" -vm=<VMNAME> | |||
| ``` | |||
|
|
|||
| * Create Role and User with Required Privileges for vSPhere Cloud Provider | |||
| @@ -55,6 +55,31 @@ export GOVC_INSECURE=1 | |||
| govc vm.change -e="disk.enableUUID=1" -vm=<VMNAME> | |||
| ``` | |||
|
|
|||
| * Create Role and User with Required Privileges for vSPhere Cloud Provider | |||
|
|
|||
| vSphere Cloud Provider requires following minimal set of privileges to interact with vCenter. | |||
There was a problem hiding this comment.
"requires following" -> "requires the following"
Replace period at the end of the sentence with colon ":"
|
Based on feedback kubernetes/kubernetes#43471 and my own experience, read permission on whole VC is needed. Is kubernetes/kubernetes#43471 and myself missing something in why this PR does not include it? |
|
@kerneltime regarding read permission on whole VC, I am following up with @eicnix to know about vCenter version. On 6.5 vCenter, I was able to monitor PV creation task without read only permission on whole VC. |
|
@kerneltime we were missing permission at VC Level. if permission is given at Data Center or Host Level, we get null pointer exception. Verified same set of Privileges works fine on vCenter 5.5 see latest comment at kubernetes/kubernetes#43471 |
|
@erictune can you approve this PR? |
|
/approve |
|
/lgtm |
Changes:
Added minimal set of privileges required for vSphere Cloud Provider.
Removed resolved known issues.
Notes of Reviewers:
Verified privileges on vCenter 6.5 with Kubernetes 1.5.3 cluster.
Performed following operations
Create Storage Class, Create PVC, Create POD, Delete POD, Delete Volume.
Verified Disk attach/detach volume create/delete is working fine with these set of privileges.
CC: @abrarshivani @BaluDontu @luomiao @tusharnt @pdhamdhere @kerneltime
This change is