To ensure that the Tanzu Data Management Console (TDMC) control plane and data plane function correctly within a Kubernetes environment, you need to configure the appropriate Role-Based Access Control (RBAC) permissions.
Below is a list of the required Kubernetes account permissions that TDMC needs to support RBAC on its control planes and data planes.
Control Plane Permissions
Configuring TDMC control plane permissions differs between vSphere Kubernetes Service (VKS; formerly TKGS) and non-VKS environments such as on Tanzu Kubernetes Grid multi-cloud (TKGm), Tanzu Kubernetes Grid Integrated Edition (TKGI), OpenShift, AWS, Azure, and GCP.
vSphere Kubernetes Service Control Plane Permissions
To support RBAC on TDMC control planes on vSphere Kubernetes Service, you can configure permissions on vSphere objects and the Kubernetes cluster in two ways:
- VKS:
  - Set Read-Only permission on the Namespace resource pool.
  - Set Can Edit permission on the vSphere Namespace where the control plane will be deployed.
  - This role allows the user to operate as Kubernetes cluster-admin.
  - For more information, see Configure vSphere Namespace Permissions for vCenter Single Sign-On Users and Groups or Configure vSphere Namespace Permissions for External Identity Provider Users and Groups in the vSphere documentation.
- non-VKS: For fine-grained permissions, create custom role objects directly on the control plane Kubernetes cluster as described in Non-VKS Control Plane Permissions below.
Non-VKS Control Plane Permissions
TDMC control planes on non-VKS environments require the following permissions, defined as RBAC objects in the Kubernetes cluster:
ClusterRole and ClusterRoleBinding objects:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tdmc-cp-dp-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - delete
  - patch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
- apiGroups:
  - scheduling.k8s.io
  resources:
  - priorityclasses
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - delete
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - delete
  - deletecollection
  - patch
- apiGroups:
  - sql.tanzu.vmware.com
  - traefik.io
  - cert-manager.io
  - rabbitmq.com
  - rbac.authorization.k8s.io
  - admissionregistration.k8s.io
  - networking.k8s.io
  - bitnami.com
  resources:
  - "*"
  verbs:
  - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tdmc-cluster-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdmc-cp-dp-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user>
```
Role and RoleBinding objects:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mds-cp
  name: tdmc-cp-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - configmaps
  - secrets
  - services
  - serviceaccounts
  - events
  - persistentvolumeclaims
  - bindings
  - resourcequotas
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - patch
  - deletecollection
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - velero.io
  resources:
  - backuprepositories
  - backups
  - backupstoragelocations
  - deletebackuprequests
  - podvolumebackups
  - podvolumerestores
  - schedules
  - restores
  - volumesnapshotlocations
  - serverstatusrequests
  - datadownloads
  - datauploads
  - downloadrequests
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mds-infra
  name: tdmc-infra-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - configmaps
  - secrets
  - services
  - serviceaccounts
  - events
  - persistentvolumeclaims
  - bindings
  - resourcequotas
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - deletecollection
  - patch
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - velero.io
  resources:
  - backuprepositories
  - backups
  - backupstoragelocations
  - deletebackuprequests
  - podvolumebackups
  - podvolumerestores
  - schedules
  - restores
  - volumesnapshotlocations
  - serverstatusrequests
  - datadownloads
  - datauploads
  - downloadrequests
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: tdmc-infra-update-dns-zone-role
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - update
  - patch
  - delete
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: kube-system
  name: tdmc-infra-update-dns-zone-deploy-role
rules:
- apiGroups:
  - "apps"
  resources:
  - deployments
  verbs:
  - get
  - list
  - update
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdmccp:tdmc-engg:user:vsphere.local:tdmc
  namespace: mds-cp
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdmc-cp-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user e.g. sso:tdmc@vsphere.local>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdmcinfra:tdmc-engg:user:vsphere.local:tdmc
  namespace: mds-infra
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdmc-infra-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user e.g. sso:tdmc@vsphere.local>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdmcdnszone:tdmc-engg:user:vsphere.local:tdmc
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdmc-infra-update-dns-zone-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user e.g. sso:tdmc@vsphere.local>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdmcdnszonedeploy:tdmc-engg:user:vsphere.local:tdmc
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tdmc-infra-update-dns-zone-deploy-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user e.g. sso:tdmc@vsphere.local>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tdmcdnszone:tdmc-engg:user:vsphere.local:tdmc
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdmc-cp-dp-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user e.g. sso:tdmc@vsphere.local>
---
```
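The manifests above mix three binding shapes: a ClusterRoleBinding to a ClusterRole, RoleBindings to namespaced Roles, and (in the last object) a RoleBinding that references a ClusterRole. Kubernetes resolves these differently, and a RoleBinding whose roleRef names a Role that was never created is accepted by the API server but grants nothing. The following script is an added example, not TDMC's own tooling: it transcribes a reduced subset of the page's rules into Python dicts and simulates the authorizer so you can check, offline, what the bound user can and cannot do. The second user (`sso:reviewer@vsphere.local`), the `missing-role` binding and the `postgres` resource name are constructed for the demonstration.

```python
"""Offline simulation of how Kubernetes RBAC resolves the bindings above.

Added example, not TDMC's own code. ROLES and BINDINGS are a reduced
Python-dict transcription of the manifests on this page; the second user
and the dangling binding are constructed to show the edge cases.
"""

TDMC_USER = "sso:tdmc@vsphere.local"      # placeholder value used on the page
REVIEWER = "sso:reviewer@vsphere.local"   # constructed extra subject

# (kind, namespace or None for cluster scope, name) -> list of PolicyRules
ROLES = {
    ("ClusterRole", None, "tdmc-cp-dp-cluster-role"): [
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["get", "list", "watch", "update", "create", "delete", "patch"]},
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": ["sql.tanzu.vmware.com", "rbac.authorization.k8s.io"],
         "resources": ["*"], "verbs": ["*"]},
    ],
    ("Role", "mds-cp", "tdmc-cp-role"): [
        {"apiGroups": [""], "resources": ["pods", "pods/exec", "secrets"],
         "verbs": ["get", "list", "create", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "create"]},
    ],
}

BINDINGS = [
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": ("ClusterRole", "tdmc-cp-dp-cluster-role"), "user": TDMC_USER},
    {"kind": "RoleBinding", "namespace": "mds-cp",
     "roleRef": ("Role", "tdmc-cp-role"), "user": TDMC_USER},
    # Same shape as the last RoleBinding on the page: a RoleBinding that points
    # at a ClusterRole grants that ClusterRole's rules inside one namespace only.
    {"kind": "RoleBinding", "namespace": "default",
     "roleRef": ("ClusterRole", "tdmc-cp-dp-cluster-role"), "user": REVIEWER},
    # Constructed mistake: roleRef names a Role that was never created.
    {"kind": "RoleBinding", "namespace": "mds-infra",
     "roleRef": ("Role", "missing-role"), "user": TDMC_USER},
]


def rule_allows(rule, group, resource, verb):
    """Each PolicyRule field matches literally or through the "*" wildcard."""
    return (("*" in rule["apiGroups"] or group in rule["apiGroups"])
            and ("*" in rule["resources"] or resource in rule["resources"])
            and ("*" in rule["verbs"] or verb in rule["verbs"]))


def resolve_role(ref_kind, ref_name, binding_namespace):
    """A Role is looked up in the binding's namespace; a ClusterRole is global."""
    if ref_kind == "ClusterRole":
        return ROLES.get(("ClusterRole", None, ref_name))
    return ROLES.get(("Role", binding_namespace, ref_name))


def allowed(user, verb, group, resource, namespace=None):
    """True if any binding grants the request.

    namespace=None models a cluster-scoped request (for example 'list nodes'),
    which only a ClusterRoleBinding can authorize.
    """
    for binding in BINDINGS:
        if binding["user"] != user:
            continue
        rules = resolve_role(*binding["roleRef"], binding["namespace"])
        if rules is None:
            continue  # dangling roleRef: the binding exists but grants nothing
        if binding["kind"] == "RoleBinding" and namespace != binding["namespace"]:
            continue  # a RoleBinding never reaches outside its own namespace
        if any(rule_allows(r, group, resource, verb) for r in rules):
            return True
    return False


def dangling_bindings():
    """Bindings whose roleRef does not resolve to a role in the expected scope."""
    return [(b["kind"], b["namespace"], b["roleRef"][1]) for b in BINDINGS
            if resolve_role(*b["roleRef"], b["namespace"]) is None]


if __name__ == "__main__":
    # 'postgres' is an assumed resource name under sql.tanzu.vmware.com.
    checks = [
        (TDMC_USER, "list", "", "nodes", None),
        (TDMC_USER, "create", "", "pods/exec", "mds-cp"),
        (TDMC_USER, "create", "", "pods/exec", "mds-infra"),
        (REVIEWER, "delete", "sql.tanzu.vmware.com", "postgres", "default"),
        (REVIEWER, "delete", "sql.tanzu.vmware.com", "postgres", "mds-cp"),
        (REVIEWER, "list", "", "nodes", None),
    ]
    for user, verb, group, resource, ns in checks:
        verdict = allowed(user, verb, group, resource, ns)
        print(f"{user} {verb} {group or 'core'}/{resource} ns={ns}: {verdict}")
    print("dangling bindings:", dangling_bindings())
```

Against a live cluster the same questions are answered by `kubectl auth can-i <verb> <resource> --as=<user> -n <namespace>`; the point of the offline model is to reason about scope before applying the manifests, in particular that the `default`-namespace RoleBinding to `tdmc-cp-dp-cluster-role` does not by itself grant any cluster-scoped verb such as listing nodes or namespaces, and that a binding to a non-existent role fails open to "no access" rather than erroring.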
Data Plane Permissions
Configuring TDMC data plane permissions differs between VKS and non-VKS environments.
VKS Data Plane Permissions
To support RBAC on TDMC data planes on VKS (formerly TKGS), you can configure permissions on vSphere objects and the Kubernetes cluster in two ways:
- Set Can Edit permission on the vSphere Namespace where the data plane will be deployed.
  - This role allows the user to operate as Kubernetes cluster-admin.
  - For more information, see Configure vSphere Namespace Permissions for vCenter Single Sign-On Users and Groups or Configure vSphere Namespace Permissions for External Identity Provider Users and Groups in the vSphere documentation.
- For finer-grained control, create the following ClusterRole object on the Supervisor cluster, and on the target data plane cluster create the ClusterRole and ClusterRoleBinding objects described in Object-Based Data Plane Permissions below:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tdmc-dp-sup-cluster-role
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch", "update", "create", "delete"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: wcp:devops:cluster-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdmc-dp-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user e.g. sso:tdmc@vsphere.local>
```
Object-Based Data Plane Permissions
TDMC data planes on non-VKS environments require the following ClusterRole and ClusterRoleBinding objects in the Kubernetes cluster:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tdmc-dp-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  - configmaps
  - secrets
  - services
  - serviceaccounts
  - events
  - persistentvolumeclaims
  - bindings
  - resourcequotas
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - patch
  - deletecollection
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - replicasets
  - statefulsets
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - watch
  - list
  - create
  - patch
  - delete
  - update
  - deletecollection
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - delete
  - patch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
- apiGroups:
  - scheduling.k8s.io
  resources:
  - priorityclasses
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - delete
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
  - update
  - create
  - delete
  - deletecollection
  - patch
- apiGroups:
  - sql.tanzu.vmware.com
  - traefik.io
  - cert-manager.io
  - rabbitmq.com
  - rbac.authorization.k8s.io
  - admissionregistration.k8s.io
  - networking.k8s.io
  - with.sql.tanzu.vmware.com
  - velero.io
  - externaldns.k8s.io
  - monitoring.coreos.com
  resources:
  - "*"
  verbs:
  - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tdmc-cluster-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tdmc-dp-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <user e.g. sso:tdmc@vsphere.local>
```
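Before binding a role of this size to an identity, a reviewer normally wants a list of the grants that matter most: wildcard rules, Secret reads, pod exec, and anything touching RBAC itself. The following audit is an added example, not a TDMC tool; its RULES reproduce a few rules from the `tdmc-dp-cluster-role` ClusterRole above so it has realistic input, and the risk table and severity labels are this example's own choices (constructed for illustration).

```python
"""Least-privilege review of a Kubernetes RBAC rule list.

Added example, not TDMC's own tooling. RULES is a reduced copy of rules from
the ClusterRole above; RISKY_GRANTS and the severities are this example's own.
"""

# Grants that deserve a second look in any role review.
# Keys are (apiGroup, resource, verb); a "*" in the rule matches any key part.
RISKY_GRANTS = {
    ("", "secrets", "get"): "reads Secret data",
    ("", "secrets", "list"): "lists Secrets (list returns full objects, data included)",
    ("", "pods/exec", "create"): "opens interactive sessions inside pods",
    ("", "serviceaccounts/token", "create"): "mints tokens for other service accounts",
    ("rbac.authorization.k8s.io", "rolebindings", "create"): "binds roles to other subjects",
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"): "binds cluster roles to other subjects",
}
# Verbs that RBAC's escalation-prevention check treats as explicit opt-outs.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}

# Constructed input: a reduced copy of three rules from tdmc-dp-cluster-role.
RULES = [
    {"apiGroups": [""],
     "resources": ["pods", "pods/exec", "configmaps", "secrets"],
     "verbs": ["get", "list", "watch", "create", "update", "delete", "patch", "deletecollection"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list"]},
    {"apiGroups": ["sql.tanzu.vmware.com", "rbac.authorization.k8s.io"],
     "resources": ["*"], "verbs": ["*"]},
]


def _matches(values, wanted):
    return "*" in values or wanted in values


def audit_rules(rules):
    """Return (severity, reason, rule summary) findings, one per risky grant."""
    findings = []
    for i, rule in enumerate(rules):
        groups, resources, verbs = rule["apiGroups"], rule["resources"], rule["verbs"]
        summary = f"rule {i}: groups={groups} resources={resources} verbs={verbs}"
        if "*" in resources and "*" in verbs:
            names = ", ".join(g or '"" (core)' for g in groups)
            findings.append(("high", "every verb on every resource in " + names
                             + "; verbs '*' also covers bind/escalate/impersonate", summary))
            continue  # the wildcard already subsumes every entry in RISKY_GRANTS
        for (g, r, v), why in RISKY_GRANTS.items():
            if _matches(groups, g) and _matches(resources, r) and _matches(verbs, v):
                findings.append(("medium", f"{v} {r}: {why}", summary))
        for v in sorted(ESCALATION_VERBS & set(verbs)):
            findings.append(("high", f"verb '{v}' bypasses RBAC escalation prevention", summary))
    return findings


def count_by_severity(findings):
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, reason, summary in audit_rules(RULES):
        print(f"[{severity}] {reason}\n    {summary}")
    print(count_by_severity(audit_rules(RULES)))
```

The wildcard finding is ranked highest for a reason worth keeping in mind when reviewing the ClusterRoles on this page: RBAC only lets a subject create or bind roles whose permissions it already holds, unless the subject has the `escalate` or `bind` verb on roles and bindings, and a rule with `verbs: ["*"]` on `rbac.authorization.k8s.io` satisfies that exception. Review such grants as cluster-admin-equivalent, and scope them (by namespace, or to the enumerated resources the operators actually manage) where the deployment allows.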