docs/user/vsphere/privileges.md: Documented resource pool privileges

When installing into an existing resource pool, narrower permissions may be granted to the OpenShift user in vsphere.
openshift · Nov 15, 2021 · 1c3338e · 1c3338e
1 parent 76fba0e
commit 1c3338e
Showing 1 changed file with 27 additions and 5 deletions.
diff --git a/docs/user/vsphere/privileges.md b/docs/user/vsphere/privileges.md
@@ -7,14 +7,14 @@ If the provided user has global admin privileges, no further action for permissi
 
 The tables below describe the absolute minimal set of privileges to install and run OpenShift including Machine management and the vSphere Storage provider.
 
-### Fundamental Privileges
+### Fundamental (minimum) Privileges
 
-These privileges are necessary for OpenShift clusters on vSphere and are sufficient to install into an existing virtual machine folder. The privileges in the next section are necessary for the installer to provision a folder, which is the default behavior if no folder is specified in the install config.
+These privileges are necessary for OpenShift clusters on vSphere and are sufficient to install into an existing virtual machine folder and an existing resource pool. The privileges in the next section are necessary for the installer to provision a folder, which is the default behavior if no folder is specified in the install config. The priviliges in the third section are necessary for the installer to create VMs in the root of the cluster, which is the default behavior if no resource pool is specified in the install config.
 
 Role Name | vSphere object | Privilege Set
 --- | --- | ---
 openshift-vcenter-level | vSphere vCenter | Cns.Searchable<br/>InventoryService.Tagging.AttachTag<br/>InventoryService.Tagging.CreateCategory<br/>InventoryService.Tagging.CreateTag<br/>InventoryService.Tagging.DeleteCategory<br/>InventoryService.Tagging.DeleteTag<br/>InventoryService.Tagging.EditCategory<br/>InventoryService.Tagging.EditTag<br/>Sessions.ValidateSession<br/>StorageProfile.View
-openshift-cluster-level | vSphere vCenter Cluster | Host.Config.Storage<br/>Resource.AssignVMToPool<br/>VApp.AssignResourcePool<br/>VApp.Import<br/>VirtualMachine.Config.AddNewDisk
+openshift-resourcepool-level | vSphere vCenter Resource Pool | Host.Config.Storage<br/>Resource.AssignVMToPool<br/>VApp.AssignResourcePool<br/>VApp.Import<br/>VirtualMachine.Config.AddNewDisk
 openshift-datastore-level| vSphere Datastore | Datastore.AllocateSpace<br/>Datastore.Browse<br/>Datastore.FileManagement
 openshift-portgroup-level | vSphere Port Group | Network.Assign
 openshift-folder-level| Virtual Machine Folder | Resource.AssignVMToPool<br/>VApp.Import<br/>VirtualMachine.Config.AddExistingDisk<br/>VirtualMachine.Config.AddNewDisk<br/>VirtualMachine.Config.AddRemoveDevice<br/>VirtualMachine.Config.AdvancedConfig<br/>VirtualMachine.Config.Annotation<br/>VirtualMachine.Config.CPUCount<br/>VirtualMachine.Config.DiskExtend<br/>VirtualMachine.Config.DiskLease<br/>VirtualMachine.Config.EditDevice<br/>VirtualMachine.Config.Memory<br/>VirtualMachine.Config.RemoveDisk<br/>VirtualMachine.Config.Rename<br/>VirtualMachine.Config.ResetGuestInfo<br/>VirtualMachine.Config.Resource<br/>VirtualMachine.Config.Settings<br/>VirtualMachine.Config.UpgradeVirtualHardware<br/>VirtualMachine.Interact.GuestControl<br/>VirtualMachine.Interact.PowerOff<br/>VirtualMachine.Interact.PowerOn<br/>VirtualMachine.Interact.Reset<br/>VirtualMachine.Inventory.Create<br/>VirtualMachine.Inventory.CreateFromExisting<br/>VirtualMachine.Inventory.Delete<br/>VirtualMachine.Provisioning.Clone
@@ -29,13 +29,35 @@ Role Name | vSphere object | Privilege Set
 --- | --- | ---
 openshift-datacenter-level| vSphere vCenter Datacenter | Resource.AssignVMToPool<br/>VApp.Import<br/>VirtualMachine.Config.AddExistingDisk<br/>VirtualMachine.Config.AddNewDisk<br/>VirtualMachine.Config.AddRemoveDevice<br/>VirtualMachine.Config.AdvancedConfig<br/>VirtualMachine.Config.Annotation<br/>VirtualMachine.Config.CPUCount<br/>VirtualMachine.Config.DiskExtend<br/>VirtualMachine.Config.DiskLease<br/>VirtualMachine.Config.EditDevice<br/>VirtualMachine.Config.Memory<br/>VirtualMachine.Config.RemoveDisk<br/>VirtualMachine.Config.Rename<br/>VirtualMachine.Config.ResetGuestInfo<br/>VirtualMachine.Config.Resource<br/>VirtualMachine.Config.Settings<br/>VirtualMachine.Config.UpgradeVirtualHardware<br/>VirtualMachine.Interact.GuestControl<br/>VirtualMachine.Interact.PowerOff<br/>VirtualMachine.Interact.PowerOn<br/>VirtualMachine.Interact.Reset<br/>VirtualMachine.Inventory.Create<br/>VirtualMachine.Inventory.CreateFromExisting<br/>VirtualMachine.Inventory.Delete<br/>VirtualMachine.Provisioning.Clone<br/>Folder.Create<br/>Folder.Delete
 
+### Resources installed in root of cluster (no resource pool)
+
+Including the role-set above one additional role needs to be created if the installer is to create VMs in the root of the cluster. Note that the privileges applied at the cluster-level in this case are the same as those applied at the resource-pool-level above.
+
+Role Name | vSphere object | Privilege Set
+--- | --- | ---
+openshift-cluster-level | vSphere vCenter Cluster | Host.Config.Storage<br/>Resource.AssignVMToPool<br/>VApp.AssignResourcePool<br/>VApp.Import<br/>VirtualMachine.Config.AddNewDisk
+
 ## Permission assignments
 
 The easiest way to ensure proper permissions is to grant Global Permissions to the user with the privileges above. Otherwise, it is necessary to ensure that the user with the listed privileges has permissions granted on all necessary entities in the vCenter.
 
 For more information, consult [vSphere Permissions and User Management Tasks][vsphere-perms]
 
-### Precreated virtual machine folder
+### Precreated virtual machine folder and resource pool
+
+Role Name | Propagate | Entity
+--- | --- | ---
+openshift-vcenter-level | False | vSphere vCenter
+ReadOnly | False | vSphere vCenter Datacenter
+ReadOnly | True | vSphere vCenter Cluster
+openshift-resourcepool-level | True | vSphere vCenter Resource Pool
+openshift-datastore-level | False | vSphere vCenter Datastore
+ReadOnly | False | vSphere Switch
+openshift-portgroup-level | False | vSphere Port Group
+openshift-folder-level | True | vSphere vCenter Virtual Machine folder
+
+
+### Precreated virtual machine folder without resource pool
 
 Role Name | Propagate | Entity
 --- | --- | ---
@@ -48,7 +70,7 @@ openshift-portgroup-level | False | vSphere Port Group
 openshift-folder-level | True | vSphere vCenter Virtual Machine folder
 
 
-### Installer created virtual machine folder
+### Installer created virtual machine folder without resource pool
 Role Name | Propagate | Entity
 --- | --- | ---
 openshift-vcenter-level | False | vSphere vCenter