Minimal set of vSphere roles & privileges

The minimal set of vSphere roles & privileges required for Kublr infrastructure provisioning.

Role: kublr-manage-vms
Entities: VM Folder
Propagate to Children: Yes
Privileges:
Virtual machine
  • Change Configuration
    • Add existing disk
    • Add new disk
    • Extend virtual disk
    • Add or remove device
    • Advanced Configuration
    • Change CPU count
    • Change Memory
    • Change Settings
    • Change resource
    • Modify device settings
    • Remove disk
    • Rename
  • Edit Inventory
    • Create from existing
    • Create new
    • Remove
  • Interaction
    • Configure CD media
    • Power off
    • Power on
  • Provisioning
    • Deploy template

Role: manage-k8s-volumes
Entities: Datastore
Propagate to Children: No
Privileges:
Datastore
  • Allocate space
  • Browse datastore
  • Low level file operations
  • Remove file
  • Update virtual machine files
  • Update virtual machine metadata

Role: kublr-manage-vcenter
Entities: vCenter, Cluster, Hosts, VM Folder
Propagate to Children: No
Privileges:
Folder
  • Create folder
  • Delete folder
vApp
  • vApp application configuration
  • vApp instance configuration
Network
  • Assign network
Resource
  • Apply recommendation
  • Assign virtual machine to resource pool

Role: Read-only (pre-existing default role)
Entities: vCenter, Datacenter, Datastore Cluster, Datastore Storage Folder
Propagate to Children: No
Privileges:
System
  • Anonymous
  • Read
  • View