Minimal Set of vSphere Roles & Privileges

The minimal set of vSphere roles and privileges required for Kublr infrastructure provisioning. Each role lists the privileges it must contain, the inventory objects the role is assigned on, and whether the permission is propagated to child objects.

Role: kublr-manage-vms
Entities: VM Folder
Propagate to children: Yes
Privileges:
  • Virtual machine
    • Change Configuration
      • Add existing disk
      • Add new disk
      • Extend virtual disk
      • Add or remove device
      • Advanced Configuration
      • Change CPU count
      • Change Memory
      • Change Settings
      • Change resource
      • Modify device settings
      • Remove disk
      • Rename
    • Edit Inventory
      • Create from existing
      • Create new
      • Remove
    • Guest operations
      • Guest operation modification
      • Guest operation program execution
    • Interaction
      • Configure CD media
      • Power off
      • Power on
    • Provisioning
      • Allow virtual machine files upload
      • Customize guest
      • Deploy template
      • Modify customization specification

Role: manage-k8s-volumes
Entities: Datastore
Propagate to children: No
Privileges:
  • Datastore
    • Allocate space
    • Browse datastore
    • Low level file operations
    • Remove file
    • Update virtual machine files
    • Update virtual machine metadata

Role: kublr-manage-vcenter
Entities: vCenter, Cluster, Hosts, VM Folder
Propagate to children: No
Privileges:
  • Folder
    • Create folder
    • Delete folder
  • vApp
    • vApp application configuration
    • vApp instance configuration
  • Network
    • Assign network
  • Resource
    • Apply recommendation
    • Assign virtual machine to resource pool

Role: Read-only (pre-existing default role)
Entities: vCenter, Datacenter, Datastore Cluster, Datastore Storage Folder
Propagate to children: No
Privileges:
  • System
    • Anonymous
    • Read
    • View
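The following PowerCLI script is an added example, not Kublr's own tooling: it creates the three custom roles above from their vSphere API privilege IDs, refuses to create a role if any ID does not resolve on the target vCenter (a typo or version mismatch would otherwise silently yield a weaker role), reports any existing role that carries privileges beyond the minimal set, and binds each role to its entities with the propagation flag from the table. The vCenter address, the service-account principal, and the folder, datastore and datacenter names are placeholders; the built-in Read-only role is referenced by its PowerCLI name `ReadOnly`. The privilege ID strings are the standard vSphere API identifiers for the UI labels listed above; the script verifies them against the live vCenter before use.

```powershell
#Requires -Modules VMware.VimAutomation.Core
# Added example (not part of Kublr): build the minimal Kublr roles with PowerCLI.
param(
    [string]$VCenter    = 'vcenter.example.internal',  # placeholder
    [string]$Principal  = 'VSPHERE.LOCAL\kublr-svc',    # placeholder service account
    [string]$VmFolder   = 'kublr-vms',                  # placeholder VM folder
    [string]$Datastore  = 'kublr-ds',                   # placeholder datastore
    [string]$Datacenter = 'DC1'                         # placeholder datacenter
)

# vSphere API privilege IDs corresponding to the UI labels in the table above.
$Roles = @{
    'kublr-manage-vms' = @(
        'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
        'VirtualMachine.Config.DiskExtend',      'VirtualMachine.Config.AddRemoveDevice',
        'VirtualMachine.Config.AdvancedConfig',  'VirtualMachine.Config.CPUCount',
        'VirtualMachine.Config.Memory',          'VirtualMachine.Config.Settings',
        'VirtualMachine.Config.Resource',        'VirtualMachine.Config.EditDevice',
        'VirtualMachine.Config.RemoveDisk',      'VirtualMachine.Config.Rename',
        'VirtualMachine.Inventory.CreateFromExisting', 'VirtualMachine.Inventory.Create',
        'VirtualMachine.Inventory.Delete',
        'VirtualMachine.GuestOperations.Modify', 'VirtualMachine.GuestOperations.Execute',
        'VirtualMachine.Interact.SetCDMedia',    'VirtualMachine.Interact.PowerOff',
        'VirtualMachine.Interact.PowerOn',
        'VirtualMachine.Provisioning.PutVmFiles',     'VirtualMachine.Provisioning.Customize',
        'VirtualMachine.Provisioning.DeployTemplate', 'VirtualMachine.Provisioning.ModifyCustSpecs'
    )
    'manage-k8s-volumes' = @(
        'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
        'Datastore.DeleteFile', 'Datastore.UpdateVirtualMachineFiles',
        'Datastore.UpdateVirtualMachineMetadata'
    )
    'kublr-manage-vcenter' = @(
        'Folder.Create', 'Folder.Delete',
        'VApp.ApplicationConfig', 'VApp.InstanceConfig',
        'Network.Assign',
        'Resource.ApplyRecommendation', 'Resource.AssignVMToPool'
    )
}

Connect-VIServer -Server $VCenter | Out-Null

foreach ($name in $Roles.Keys) {
    $wanted = $Roles[$name]

    # Fail closed: an ID that does not resolve means a typo or a vSphere version
    # mismatch, and creating the role anyway would yield a silently weaker role.
    $known   = (Get-VIPrivilege -Id $wanted -ErrorAction SilentlyContinue).Id
    $missing = $wanted | Where-Object { $_ -notin $known }
    if ($missing) { throw "Unknown privilege IDs for ${name}: $($missing -join ', ')" }

    $role = Get-VIRole -Name $name -ErrorAction SilentlyContinue
    if (-not $role) {
        New-VIRole -Name $name -Privilege (Get-VIPrivilege -Id $wanted) | Out-Null
        Write-Host "Created role $name with $($wanted.Count) privileges"
        continue
    }

    # Existing role: anything beyond the minimal set is an over-privilege finding.
    # System.Anonymous/Read/View are implicit in every vSphere role, so ignore them.
    $extra  = $role.PrivilegeList | Where-Object { $_ -notin $wanted -and $_ -notlike 'System.*' }
    $absent = $wanted | Where-Object { $_ -notin $role.PrivilegeList }
    if ($extra)  { Write-Warning "Role $name exceeds the minimal set: $($extra -join ', ')" }
    if ($absent) { Set-VIRole -Role $role -AddPrivilege (Get-VIPrivilege -Id $absent) | Out-Null }
}

# Bind roles to entities with the propagation flags from the table.
# Only kublr-manage-vms propagates; every other grant is scoped to the object itself.
$vmFolderObj = Get-Folder -Name $VmFolder -Type VM
$rootFolder  = Get-Folder -NoRecursion            # the vCenter root object

New-VIPermission -Entity $vmFolderObj -Principal $Principal -Role 'kublr-manage-vms' -Propagate:$true | Out-Null
New-VIPermission -Entity (Get-Datastore -Name $Datastore) -Principal $Principal -Role 'manage-k8s-volumes' -Propagate:$false | Out-Null

foreach ($entity in @($rootFolder) + @(Get-Cluster) + @(Get-VMHost) + @($vmFolderObj)) {
    New-VIPermission -Entity $entity -Principal $Principal -Role 'kublr-manage-vcenter' -Propagate:$false | Out-Null
}

# Read-only on vCenter root and the datacenter; add datastore cluster and datastore
# storage folder objects here as they exist in your inventory (placeholders omitted).
foreach ($entity in @($rootFolder) + @(Get-Datacenter -Name $Datacenter)) {
    New-VIPermission -Entity $entity -Principal $Principal -Role 'ReadOnly' -Propagate:$false | Out-Null
}
```

Run it once against a fresh vCenter to create the roles, then periodically as a drift check: the warning path flags roles that an administrator has widened beyond the minimal set, which is the usual way a "least privilege" service account quietly becomes an over-privileged one.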