vSphere Privileges Summary

Rancher vSphere CPI

These are the minimum privileges required for using Rancher vSphere CPI and/or Cloud Credential.

Datastore {#cpi}

  • Allocate space
  • Browse datastore
  • Low level file operations

Network {#cpi}

  • Assign network

Profile-driven storage {#cpi}

📝 This privilege is for vSphere 7. For vSphere 8, use VM storage policies instead.

  • Profile-driven storage view

Resource {#cpi}

  • Assign virtual machine to resource pool

vApp {#cpi}

📝 If not deploying from a Content Library these privileges can be omitted.

  • Create
  • Import

Virtual machine {#cpi}

Change Configuration {#cpi}

  • Add existing disk
  • Add new disk
  • Add or remove device
  • Advanced configuration
  • Change CPU count
  • Change Memory
  • Change Settings
  • Change resource
  • Display connection settings
  • Extend virtual disk
  • Modify device settings
  • Remove disk
  • Rename
  • Reset guest information

Edit Inventory {#cpi}

  • Create from existing
  • Create new
  • Move
  • Register
  • Remove
  • Unregister

Guest operations {#cpi}

  • Guest operation alias modification
  • Guest operation alias query
  • Guest operation modifications
  • Guest operation program execution
  • Guest operation queries

Interaction {#cpi}

  • Configure CD media
  • Connect devices
  • Install VMware Tools
  • Power off
  • Power on
  • Reset

Provisioning {#cpi}

  • Allow disk access
  • Allow file access
  • Clone template
  • Customize guest
  • Deploy template
  • Modify customization specification
  • Read customization specifications

VM storage policies {#cpi}

📝 These privileges are for vSphere 8. For vSphere 7, use Profile-driven storage instead.

  • Apply VM storage policies
  • View VM storage policies

vSphere Tagging {#cpi}

  • Assign or Unassign vSphere Tag
  • Assign or Unassign vSphere Tag on Object
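As an added least-privilege check (example code, not part of this README or of the Rancher charts): compare the privileges actually granted to the CPI service account's role, exported from vCenter as (category, display name) pairs, against the minimum list above, reporting both what is missing and what is held beyond the minimum. `REQUIRED_CPI`, `STORAGE_POLICY_ALTERNATIVES`, `audit_role` and `SAMPLE_ROLE` are constructed for this example; the embedded table covers only a subset of the categories listed, and the vSphere 7 and vSphere 8 storage-policy blocks are treated as alternatives as the notes above describe.

```python
# Subset of the CPI minimum privileges listed above, as (category, display name) pairs.
# Constructed for this example: extend it with the remaining categories for a real audit.
REQUIRED_CPI = {
    "Datastore": {"Allocate space", "Browse datastore", "Low level file operations"},
    "Network": {"Assign network"},
    "Resource": {"Assign virtual machine to resource pool"},
    "vSphere Tagging": {"Assign or Unassign vSphere Tag",
                        "Assign or Unassign vSphere Tag on Object"},
}
# Storage-policy privileges are named differently on vSphere 7 and 8; granting either
# complete block satisfies the requirement, so they are checked separately.
STORAGE_POLICY_ALTERNATIVES = (
    ("Profile-driven storage", {"Profile-driven storage view"}),  # vSphere 7
    ("VM storage policies", {"Apply VM storage policies", "View VM storage policies"}),  # vSphere 8
)


def audit_role(granted):
    """Return (missing, excess) for a role's granted set of (category, privilege) pairs.

    missing: privileges the role still needs; excess: privileges beyond the minimum,
    which least privilege says should be removed from the CPI service account's role.
    """
    held = set(granted)
    required = {(cat, name) for cat, names in REQUIRED_CPI.items() for name in names}
    missing = required - held
    alt_pairs = {(cat, name) for cat, names in STORAGE_POLICY_ALTERNATIVES for name in names}
    # OK if at least one vSphere-version block is fully granted; otherwise list what
    # each block still lacks so the reviewer can complete the one matching their vCenter.
    if not any({(cat, n) for n in names} <= held for cat, names in STORAGE_POLICY_ALTERNATIVES):
        missing |= alt_pairs - held
    return missing, held - required - alt_pairs


# Constructed sample export of a role's privileges (export the real ones from vCenter).
SAMPLE_ROLE = {
    ("Datastore", "Allocate space"),
    ("Datastore", "Low level file operations"),
    ("Datastore", "Remove file"),  # real vSphere privilege, but not in the CPI minimum
    ("Network", "Assign network"),
    ("Resource", "Assign virtual machine to resource pool"),
    ("VM storage policies", "View VM storage policies"),  # vSphere 8 block, "Apply" missing
    ("vSphere Tagging", "Assign or Unassign vSphere Tag"),
    ("vSphere Tagging", "Assign or Unassign vSphere Tag on Object"),
}

if __name__ == "__main__":
    for label, privs in zip(("missing", "excess"), audit_role(SAMPLE_ROLE)):
        print(label, sorted(privs))
```

Running it on the sample role reports "Browse datastore" and the incomplete storage-policy blocks as missing, and "Remove file" as excess.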

Rancher vSphere CSI

These are the minimum privileges required to provision and attach Rancher vSphere CSI volumes. If not using vSAN, vSphere CSI volumes can be RWO only.

Cns {#csi}

  • Searchable

Datastore {#csi}

  • Low level file operations

Host {#csi}

  • Configuration
  • Storage partition configuration

Profile-driven storage {#csi}

📝 This privilege is for vSphere 7. For vSphere 8, use VM storage policies instead.

  • Profile-driven storage view

Virtual machine {#csi}

Change Configuration {#csi}

  • Add existing disk
  • Add or remove device
  • Remove disk

VM storage policies {#csi}

📝 These privileges are for vSphere 8. For vSphere 7, use Profile-driven storage instead.

  • Apply VM storage policies
  • View VM storage policies

Helm Configuration Examples

Below are basic CPI & CSI Helm chart values for an RKE2 cluster. More comprehensive values.yaml examples are in the RKE2 Charts GitHub repository.

For guidance on deploying these charts via Terraform plan, see HERE.

CPI

```yaml
rancher-vsphere-cpi:
  vCenter:
    host: <vcenter_server>
    port: 443
    insecureFlag: true  # skips verification of the vCenter TLS certificate
    datacenters: <vsphere_datacenter>
    username: <cpi_username>
    password: <cpi_password>
    credentialsSecret:
      name: "vsphere-cpi-creds"
      generate: true  # the chart creates this Secret from the credentials above
```

CSI

```yaml
rancher-vsphere-csi:
  vCenter:
    host: <vcenter_server>
    port: 443
    insecureFlag: "1"  # string form expected by the CSI config; skips vCenter TLS certificate verification
    datacenters: <vsphere_datacenter>
    username: <csi_username>
    password: <csi_password>
    configSecret:
      name: "vsphere-config-secret"
      generate: true  # the chart creates this Secret from the credentials above
  storageClass:
    allowVolumeExpansion: true  # Optional Value
    datastoreURL: <ds://datastore_url/>
```