vSphere Permission Requirements for CAPV

The vSphere user account used by CAPV must have the appropriate vSphere permissions. vCenter's Administrator role grants super-user access to every vSphere object, but using that role for an automation account may be discouraged in your environment.

We'll start from a base set of permissions and then trim what isn't needed, ending up with the following specific vSphere-based roles:

  1. Template management role
  2. "Service Account" type role for CAPV
  3. "Addon based" role for components enabled by CAPV

Alternatively, you can choose to create a custom role with the minimum set of privileges to allow use of CAPV as detailed below:

User requirements to allow upload of OVA/OVF (TODO: VERIFY THIS SECTION)

https://kb.vmware.com/s/article/2105932

Initially we'll create an administrator account and then test with the following permission set:

  • Datastore > Allocate space
  • Network > Assign network
  • Virtual machine > Configuration > Add new disk
  • Virtual machine > Configuration > Advanced
  • vApp > Import

User requirements to allow for CAPV Controllers to work in a vSphere environment:

Add the VMware CSI Cloud Native Storage capability permissions (we install this)

Create Virtual Machine Permissions

On the destination folder or datacenter:

  • Virtual machine.Configuration.Add new disk (if creating a new virtual disk)
  • Virtual machine.Configuration.Add existing disk (if using an existing virtual disk)
  • Virtual machine.Configuration.Configure Raw device (if using an RDM or SCSI pass-through device)

On the destination host, cluster, or resource pool:

  • Resource.Assign virtual machine to resource pool

On the destination datastore or the folder that contains the datastore:

  • Datastore.Allocate space

On the network that the virtual machine will be assigned to:

  • Network.Assign network

Power Management on virtual machines

On the data center in which the virtual machine is deployed:

  • Virtual machine.Interaction.Power On

On the virtual machine or folder of virtual machines:

  • Virtual machine.Interaction.Power On

Deploy a virtual machine from template

On the destination folder or data center:

  • Virtual machine.Inventory.Create from existing
  • Virtual machine.Configuration.Add new disk

On a template or folder of templates:

  • Virtual machine.Provisioning.Deploy template

On the destination host, cluster or resource pool:

  • Resource.Assign virtual machine to resource pool

On the destination datastore or folder of datastores:

  • Datastore.Allocate space

On the network that the virtual machine will be assigned to:

  • Network.Assign network

Google GKE Recommendations (TODO: COMB THROUGH THESE)

Resource:

  • Assign (required to move )

Datastore:

  • Allocate space
  • Browse datastore
  • Low level file operations
  • Remove file
  • Update virtual machine files
  • Update virtual machine metadata

Folder

  • Create folder
  • Delete folder
  • Move folder
  • Rename folder

vSphere Tagging

  • Create vSphere Tag

Root vCenter Server

  • Validate session

Network

  • Assign network

Resource

  • Apply recommendation
  • Assign virtual machine to resource pool

Storage views

  • View

Tasks

  • Create task
  • Update task

vApp

  • Import
  • vApp application configuration
  • vApp instance configuration

Virtual machines > Configuration

  • Add existing disk
  • Add new disk
  • Add or remove device
  • Advanced
  • Change CPU count
  • Change resource
  • Configure managedBy
  • Disk change tracking
  • Disk lease
  • Display connection settings
  • Extend virtual disk
  • Host USB device
  • Memory
  • Modify device settings
  • Query Fault Tolerance compatibility
  • Query unowned files
  • Raw device
  • Reload from path
  • Remove disk
  • Rename
  • Reset guest information
  • Set annotation
  • Settings
  • Swapfile placement
  • Toggle fork parent
  • Unlock virtual machine
  • Upgrade virtual machine compatibility

Virtual machines > Guest operations

  • Guest operation alias modification
  • Guest operation alias query
  • Guest operation modifications
  • Guest operation program execution
  • Guest operation queries

Virtual machines > Interaction (RATIONALIZE WITH cloud-init + clone)

  • Answer question
  • Backup operation on virtual machine
  • Configure CD media
  • Configure floppy media
  • Console interaction
  • Create screenshot
  • Defragment all disks
  • Device connection
  • Drag and drop
  • Guest operating system management by VIX API
  • Inject USB HID scan codes
  • Pause or Unpause
  • Perform wipe or shrink operations
  • Power off
  • Power on
  • Record session on virtual machine
  • Replay session on virtual machine
  • Reset
  • Resume Fault Tolerance
  • Suspend
  • Suspend Fault Tolerance
  • Test failover
  • Test restart Secondary VM
  • Turn off Fault Tolerance
  • Turn on Fault Tolerance
  • VMware Tools install

Virtual machines > Inventory

  • Create from existing
  • Create new
  • Move
  • Register
  • Remove
  • Unregister

Virtual machines > Provisioning

  • Allow disk access
  • Allow file access
  • Allow read-only disk access
  • Allow virtual machine download
  • Allow virtual machine files upload
  • Clone template
  • Clone virtual machine
  • Create template from virtual machine
  • Customize
  • Deploy template
  • Mark as template
  • Mark as virtual machine
  • Modify customization specification
  • Promote disks
  • Read customization specifications

Virtual machines > Service configuration

  • Allow notifications
  • Allow polling of global event notifications
  • Manage service configurations
  • Modify service configuration
  • Query service configurations
  • Read service configuration

Virtual machines > Snapshot management (LIKELY NOT NEEDED)

  • Create snapshot
  • Remove snapshot
  • Rename snapshot
  • Revert to snapshot

Virtual machines > vSphere Replication (NOT NEEDED)

  • Configure replication
  • Manage replication
  • Monitor replication

Creating the CAPV Role in vCenter

A role can be created in your vCenter by using the govc utility:
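As an added example (not the page's own govc command), the POSIX shell script below creates a role holding the privileges from the "Create Virtual Machine", "Power Management" and "Deploy from template" lists above, and audits an existing role so it contains exactly that set and nothing more. It assumes govc's GOVC_URL/GOVC_USERNAME/GOVC_PASSWORD are exported, the role name capv-role is a placeholder, and the privilege IDs are the vSphere IDs that govc role.ls prints for the display names used above.

```shell
#!/bin/sh
# Added example: least-privilege CAPV role with govc (not from the original page).
# Assumes GOVC_URL/GOVC_USERNAME/GOVC_PASSWORD are set; "capv-role" is a placeholder.

# vSphere privilege IDs for the display names listed above
# (e.g. "Virtual machine > Configuration > Advanced" is VirtualMachine.Config.AdvancedConfig).
CAPV_PRIVS="Datastore.AllocateSpace
Network.Assign
Resource.AssignVMToPool
VApp.Import
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.RawDevice
VirtualMachine.Interact.PowerOn
VirtualMachine.Inventory.CreateFromExisting
VirtualMachine.Provisioning.DeployTemplate"

# Create the role with exactly that privilege set (requires a live vCenter).
create_capv_role() {
  role="${1:-capv-role}"
  # shellcheck disable=SC2086  # word splitting of the list is intended
  govc role.create "$role" $CAPV_PRIVS
}

# Audit a privilege list (one ID per line, e.g. output of 'govc role.ls ROLE')
# against the required set. Prints gaps and extras; returns 0 only on an exact match.
audit_role_privs() {
  want=$(printf '%s\n' "$CAPV_PRIVS" | sort -u)
  have=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
  # Set difference via sort | uniq -u: a name that appears once survives, so
  # want+have+have keeps only names in want but not in have, and vice versa.
  missing=$(printf '%s\n' "$want" "$have" "$have" | sort | uniq -u)
  extra=$(printf '%s\n' "$have" "$want" "$want" | sort | uniq -u)
  rc=0
  if [ -n "$missing" ]; then printf 'MISSING: %s\n' $missing; rc=1; fi
  if [ -n "$extra" ]; then printf 'EXTRA:   %s\n' $extra; rc=1; fi
  if [ "$rc" -eq 0 ]; then echo "role matches the CAPV privilege set"; fi
  return "$rc"
}

# Audit the role as it exists in vCenter (requires a live vCenter).
audit_live_role() {
  role="${1:-capv-role}"
  audit_role_privs "$(govc role.ls "$role")"
}
```

Running audit_live_role after every change to the role catches both drift toward Administrator-like privileges and accidental removal of something CAPV needs.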
