In order to install an OpenShift cluster to a vCenter, the user provided to the installer needs privileges to read and create the necessary resources. The easiest way to achieve this level of permission and ensure success is to install with a user who has administrative privileges.
If the provided user has admin privileges, no action is required and you can skip to the next step. Otherwise, the rest of this document can be used as a resource to create a user with more fine-grained privileges.
In order to create an OpenShift cluster, a user needs permissions for the following categories: Datastore, Folder, Host, vSphere Tagging, Network, Resource, Profile-driven storage, vApp, and Virtual machine.
Here is an example summary of privileges that could be used to install a cluster:
- Datastore
  - Allocate space
- Folder
  - Create folder
  - Delete folder
- vSphere Tagging
  - All privileges
- Network
  - Assign network
- Resource
  - Assign virtual machine to resource pool
- Profile-driven storage
  - All privileges
- vApp
  - All privileges
- Virtual machine
  - All privileges
It may be possible to further refine the categories where "All privileges" has been granted.
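A check that a candidate role actually covers this summary, added here as an example and not part of the original document: it expands the "All privileges" categories against the vCenter privilege catalogue and reports both what the role is missing and what it grants beyond the list. The privilege IDs are assumed to be the standard vSphere identifiers for the items above; the catalogue and role below are constructed sample data.

```python
"""Compare a vSphere role's privilege IDs with the minimum set in the summary above."""

# Single-item categories, as exact privilege IDs (assumed standard vSphere IDs).
REQUIRED_EXACT = {
    "Datastore.AllocateSpace",    # Datastore > Allocate space
    "Folder.Create",              # Folder > Create folder
    "Folder.Delete",              # Folder > Delete folder
    "Network.Assign",             # Network > Assign network
    "Resource.AssignVMToPool",    # Resource > Assign virtual machine to resource pool
}
# Categories granted "All privileges": every catalogue ID under these prefixes is required.
REQUIRED_ALL_PREFIXES = (
    "InventoryService.Tagging.",  # vSphere Tagging
    "StorageProfile.",            # Profile-driven storage
    "VApp.",                      # vApp
    "VirtualMachine.",            # Virtual machine
)
# Privileges vCenter includes in every role; never counted as "extra".
BASELINE = {"System.Anonymous", "System.Read", "System.View"}

# Constructed sample of a vCenter privilege catalogue (real catalogues are much larger).
SAMPLE_CATALOGUE = [
    "Datastore.AllocateSpace", "Datastore.Browse", "Folder.Create", "Folder.Delete",
    "Network.Assign", "Resource.AssignVMToPool",
    "InventoryService.Tagging.AttachTag", "InventoryService.Tagging.CreateTag",
    "StorageProfile.View", "StorageProfile.Update", "VApp.Import", "VApp.PowerOn",
    "VirtualMachine.Config.AddNewDisk", "VirtualMachine.Inventory.Create",
    "System.Anonymous", "System.Read", "System.View",
]
# Constructed sample role: lacks Folder.Delete and one VM privilege, has Datastore.Browse extra.
SAMPLE_ROLE = [p for p in SAMPLE_CATALOGUE
               if p not in ("Folder.Delete", "VirtualMachine.Config.AddNewDisk")]


def required_privileges(catalogue):
    """Expand the summary into concrete IDs using the vCenter's privilege catalogue."""
    wanted = set(REQUIRED_EXACT)
    wanted.update(p for p in catalogue if p.startswith(REQUIRED_ALL_PREFIXES))
    return wanted


def check_role(role_privileges, catalogue):
    """Return (missing, extra): IDs the installer needs but the role lacks, and
    IDs the role grants beyond the summary (candidates for least-privilege trimming)."""
    needed = required_privileges(catalogue)
    granted = set(role_privileges)
    return sorted(needed - granted), sorted(granted - needed - BASELINE)


if __name__ == "__main__":
    missing, extra = check_role(SAMPLE_ROLE, SAMPLE_CATALOGUE)
    print("missing:", missing)
    print("extra:", extra)
```

Against a live vCenter with pyvmomi, the catalogue is `content.authorizationManager.privilegeList` (use each entry's `privId`) and a role's IDs are in its `privilege` list from `content.authorizationManager.roleList`.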
The following is a visual walkthrough of creating and assigning global roles in the vSphere 6 web client. Roles can be similarly created for specific clusters. For more information, refer to the vSphere docs.
Roles can be created and edited in Administration > Access Control > Roles.
When creating a new role, first assign permissions (using the list above for guidance):
Once you save your role, the new privileges will be visible:
Roles can be assigned in Administration > Access Control > Global Permissions. The newly created role can be assigned to a group or directly to a user.
To assign the newly created role, click the + for Add Permission: