Minimal set of vSphere roles privileges

Minimal set of vSphere roles/privileges required for Kublr infrastructure provisioning

Role: kublr-manage-vms
Privileges:
Virtual machine
  • Change Configuration
    • Add existing disk
    • Add new disk
    • Add or remove device
    • Advanced Configuration
    • Change CPU count
    • Change Memory
    • Change Settings
    • Change resource
    • Modify device settings
    • Remove disk
    • Rename
  • Edit Inventory
    • Create from existing
    • Create new
    • Remove
  • Interaction
    • Configure CD media
    • Power off
    • Power on
  • Provisioning
    • Deploy template
Entities: VM Folder
Propagate to Children: Yes

Role: manage-k8s-volumes
Privileges:
Datastore
  • Allocate space
  • Browse datastore
  • Low level file operations
  • Remove file
  • Update virtual machine files
  • Update virtual machine metadata
Entities: Datastore
Propagate to Children: No

Role: kublr-manage-vcenter
Privileges:
Folder
  • Create folder
  • Delete folder
vApp
  • vApp application configuration
  • vApp instance configuration
Network
  • Assign network
Resource
  • Apply recommendation
  • Assign virtual machine to resource pool
Entities: vCenter, Cluster, Hosts, VM Folder
Propagate to Children: No

Role: Read-only (pre-existing default role)
Privileges:
System
  • Anonymous
  • Read
  • View
Entities: vCenter, Datacenter, Datastore Cluster, Datastore Storage Folder
Propagate to Children: No
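
The table above can be used as a least-privilege baseline. The following is an added example, not part of the Kublr documentation: it compares exported role assignments against the three custom roles and reports excess privileges, missing privileges, and propagation enabled where the table says No. The privilege IDs are an assumed mapping of the UI labels to vSphere API identifiers, the export format and the `audit` function are hypothetical, and the sample data is constructed.

```python
# Added example: audit vCenter role assignments against the table on this page.
# Privilege IDs are an assumed mapping of the UI labels to vSphere API
# identifiers; confirm them against your vCenter before relying on the result.
VM = "VirtualMachine."
BASELINE = {
    "kublr-manage-vms": {
        "privs": {VM + p for p in (
            "Config.AddExistingDisk", "Config.AddNewDisk", "Config.AddRemoveDevice",
            "Config.AdvancedConfig", "Config.CPUCount", "Config.Memory",
            "Config.Settings", "Config.Resource", "Config.EditDevice",
            "Config.RemoveDisk", "Config.Rename", "Inventory.CreateFromExisting",
            "Inventory.Create", "Inventory.Delete", "Interact.SetCDMedia",
            "Interact.PowerOff", "Interact.PowerOn", "Provisioning.DeployTemplate")},
        "propagate": True},
    "manage-k8s-volumes": {
        "privs": {"Datastore." + p for p in (
            "AllocateSpace", "Browse", "FileManagement", "DeleteFile",
            "UpdateVirtualMachineFiles", "UpdateVirtualMachineMetadata")},
        "propagate": False},
    "kublr-manage-vcenter": {
        "privs": {"Folder.Create", "Folder.Delete", "VApp.ApplicationConfig",
                  "VApp.InstanceConfig", "Network.Assign",
                  "Resource.ApplyRecommendation", "Resource.AssignVMToPool"},
        "propagate": False},
}

def audit(assignments):
    """Return (role, finding, details) tuples for each deviation from BASELINE."""
    findings = []
    for a in assignments:
        base = BASELINE.get(a["role"])
        if base is None:
            findings.append((a["role"], "unknown-role", []))
            continue
        extra = sorted(set(a["privs"]) - base["privs"])
        missing = sorted(base["privs"] - set(a["privs"]))
        if extra:
            findings.append((a["role"], "excess-privileges", extra))
        if missing:
            findings.append((a["role"], "missing-privileges", missing))
        if a["propagate"] and not base["propagate"]:
            findings.append((a["role"], "unexpected-propagation", [a["entity"]]))
    return findings

# Constructed sample export (not taken from a real vCenter).
SAMPLE = [
    {"role": "manage-k8s-volumes", "entity": "Datastore", "propagate": True,
     "privs": BASELINE["manage-k8s-volumes"]["privs"] | {"Datastore.Move"}},
    {"role": "kublr-manage-vcenter", "entity": "Cluster", "propagate": False,
     "privs": BASELINE["kublr-manage-vcenter"]["privs"] - {"Network.Assign"}},
]
```

The Read-only role is omitted from the baseline because it is a pre-existing default role rather than one created for Kublr.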
