vSphere Permission Requirements for CAPV
The vSphere user account used by CAPV must have the appropriate vSphere permissions. vCenter's built-in Administrator role grants super-user access to every vSphere object; many environments (rightly) discourage assigning it to an automation account, so a dedicated, narrower role is preferable.
We'll work from a base set of permissions and then remove what is not needed, ending up with the following vSphere roles:
- Template management role
- "Service Account" type role for CAPV
- "Addon based" role for components enabled by CAPV
Alternatively, you can create a single custom role with the minimum set of privileges needed to run CAPV, as detailed below:
User requirements to allow upload of OVA/OVF (TODO: VERIFY THIS SECTION)
https://kb.vmware.com/s/article/2105932
Initially we'll confirm the upload works with an Administrator account, then retest with only the following permission set:
- Datastore > Allocate space
- Network > Assign network
- Virtual machine > Configuration > Add new disk
- Virtual machine > Configuration > Advanced
- vApp > Import
User requirements to allow the CAPV controllers to work in a vSphere environment:
Also add the privileges required by the VMware CSI driver (Cloud Native Storage), since CAPV installs it.
Create a virtual machine
On the destination folder or data center:
- Virtual machine.Inventory.Create new
- Virtual machine.Configuration.Add new disk (if creating a new virtual disk)
- Virtual machine.Configuration.Add existing disk (if using an existing virtual disk)
- Virtual machine.Configuration.Raw device (if using an RDM or SCSI pass-through device)
On the destination host, cluster, or resource pool:
- Resource.Assign virtual machine to resource pool
On the destination datastore or the folder that contains the datastore:
- Datastore.Allocate space
On the network that the virtual machine will be assigned to:
- Network.Assign network
Power on a virtual machine
On the data center in which the virtual machine is deployed:
- Virtual machine.Interaction.Power On
On the virtual machine or folder of virtual machines:
- Virtual machine.Interaction.Power On
Deploy a virtual machine from a template
On the destination folder or data center:
- Virtual machine.Inventory.Create from existing
- Virtual machine.Configuration.Add new disk
On a template or folder of templates:
- Virtual machine.Provisioning.Deploy template
On the destination host, cluster, or resource pool:
- Resource.Assign virtual machine to resource pool
On the destination datastore or folder of datastores:
- Datastore.Allocate space
On the network that the virtual machine will be assigned to:
- Network.Assign network
Google GKE Recommendations (TODO: COMB THROUGH THESE)
Datastore:
- Allocate space
- Browse datastore
- Low level file operations
- Remove file
- Update virtual machine files
- Update virtual machine metadata
Folder
- Create folder
- Delete folder
- Move folder
- Rename folder
vSphere Tagging
Root vCenter Server
Network
Resource
- Apply recommendation
- Assign virtual machine to resource pool
Storage views
Tasks
vApp
- Import
- vApp application configuration
- vApp instance configuration
Virtual machine
- Configuration
- Add existing disk
- Add new disk
- Add or remove device
- Advanced
- Change CPU count
- Change resource
- Configure managedBy
- Disk change tracking
- Disk lease
- Display connection settings
- Extend virtual disk
- Host USB device
- Memory
- Modify device settings
- Query Fault Tolerance compatibility
- Query unowned files
- Raw device
- Reload from path
- Remove disk
- Rename
- Reset guest information
- Set annotation
- Settings
- Swapfile placement
- Toggle fork parent
- Unlock virtual machine
- Upgrade virtual machine compatibility
Guest operations
- Guest operation alias modification
- Guest operation alias query
- Guest operation modifications
- Guest operation program execution
- Guest operation queries
Interaction (RATIONALIZE WITH cloud-init + clone)
- Answer question
- Backup operation on virtual machine
- Configure CD media
- Configure floppy media
- Console interaction
- Create screenshot
- Defragment all disks
- Device connection
- Drag and drop
- Guest operating system management by VIX API
- Inject USB HID scan codes
- Pause or Unpause
- Perform wipe or shrink operations
- Power off
- Power on
- Record session on virtual machine
- Replay session on virtual machine
- Reset
- Resume Fault Tolerance
- Suspend
- Suspend Fault Tolerance
- Test failover
- Test restart Secondary VM
- Turn off Fault Tolerance
- Turn on Fault Tolerance
- VMware Tools install
Inventory
- Create from existing
- Create new
- Move
- Register
- Remove
- Unregister
Provisioning
- Allow disk access
- Allow file access
- Allow read-only disk access
- Allow virtual machine download
- Allow virtual machine files upload
- Clone template
- Clone virtual machine
- Create template from virtual machine
- Customize
- Deploy template
- Mark as template
- Mark as virtual machine
- Modify customization specification
- Promote disks
- Read customization specifications
Service configuration
- Allow notifications
- Allow polling of global event notifications
- Manage service configurations
- Modify service configuration
- Query service configurations
- Read service configuration
Snapshot management (LIKELY NOT NEEDED)
- Create snapshot
- Remove snapshot
- Rename snapshot
- Revert to snapshot
vSphere Replication (NOT NEEDED)
- Configure replication
- Manage replication
- Monitor replication
Creating the CAPV Role in vCenter
A role can be created in your vCenter by using the govc utility:
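The following script is an added example, not code from the original page or from the CAPV project. It turns the base permission set from the OVA/OVF upload, "Create a virtual machine" and "Deploy a virtual machine from a template" sections above into a govc role, grants it to a service-account principal on the inventory objects CAPV touches, and then diffs the role as vCenter actually stores it against the intended list so that drift (or an accidental Administrator grant) is visible. It assumes govc is installed and that GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD are exported for an account that is allowed to manage roles; the role name "capv-service", the principal "capv@vsphere.local" and the "/dc0/..." inventory paths are placeholders. Note that govc takes privilege IDs (API names such as Datastore.AllocateSpace), not the UI labels used in the tables above; the mapping in the script is my reading of the vSphere privilege reference and should be confirmed against `govc role.ls Admin`, which lists every ID your vCenter knows.

```shell
#!/usr/bin/env bash
# Added example (not code from the original page or from the CAPV project):
# create a least-privilege vCenter role for the CAPV service account with govc
# and grant it on the inventory objects CAPV touches.
# Assumptions: govc is installed and GOVC_URL / GOVC_USERNAME / GOVC_PASSWORD
# are exported for an account that can manage roles; the role name, SSO
# principal and inventory paths in capv_example are placeholders.
set -eu

# govc takes privilege IDs (API names), not the UI labels used in the tables
# above: "Datastore > Allocate space" is Datastore.AllocateSpace, and so on.
# Any ID can be confirmed against the full list with:  govc role.ls Admin
capv_base_privileges() {
  # One ID per line; the trailing "# ..." comment is the UI label and is stripped.
  sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' <<'EOF'
Datastore.AllocateSpace                      # Datastore > Allocate space
Datastore.Browse                             # Datastore > Browse datastore
Datastore.FileManagement                     # Datastore > Low level file operations
Network.Assign                               # Network > Assign network
Resource.AssignVMToPool                      # Resource > Assign virtual machine to resource pool
VApp.Import                                  # vApp > Import (OVA/OVF upload)
VirtualMachine.Config.AddExistingDisk        # Virtual machine > Configuration > Add existing disk
VirtualMachine.Config.AddNewDisk             # Virtual machine > Configuration > Add new disk
VirtualMachine.Config.AddRemoveDevice        # Virtual machine > Configuration > Add or remove device
VirtualMachine.Config.AdvancedConfig         # Virtual machine > Configuration > Advanced
VirtualMachine.Config.CPUCount               # Virtual machine > Configuration > Change CPU count
VirtualMachine.Config.Memory                 # Virtual machine > Configuration > Memory
VirtualMachine.Config.Settings               # Virtual machine > Configuration > Settings
VirtualMachine.Config.RemoveDisk             # Virtual machine > Configuration > Remove disk
VirtualMachine.Interact.PowerOff             # Virtual machine > Interaction > Power off
VirtualMachine.Interact.PowerOn              # Virtual machine > Interaction > Power on
VirtualMachine.Inventory.Create              # Virtual machine > Inventory > Create new
VirtualMachine.Inventory.CreateFromExisting  # Virtual machine > Inventory > Create from existing
VirtualMachine.Inventory.Delete              # Virtual machine > Inventory > Remove
VirtualMachine.Provisioning.Clone            # Virtual machine > Provisioning > Clone virtual machine
VirtualMachine.Provisioning.DeployTemplate   # Virtual machine > Provisioning > Deploy template
EOF
}

# Create the role if it is absent, otherwise reset its privilege set to exactly
# the list above (govc role.update without -a/-r replaces the set), then grant
# it to PRINCIPAL on every inventory path given, propagating to children.
capv_role_apply() {
  role="$1"; principal="$2"; shift 2
  privs=$(capv_base_privileges | tr '\n' ' ')
  if govc role.ls "$role" >/dev/null 2>&1; then
    # shellcheck disable=SC2086  # word-splitting of $privs is intended
    govc role.update "$role" $privs
  else
    govc role.create "$role" $privs
  fi
  for path in "$@"; do
    govc permissions.set -principal "$principal" -role "$role" -propagate=true "$path"
  done
}

# Drift check: privileges missing from the vCenter role, and extras that crept
# in (a stray click on "Administrator" in the UI shows up as hundreds of extras).
capv_role_diff() {
  want=$(mktemp); have=$(mktemp)
  capv_base_privileges | sort > "$want"
  govc role.ls "$1" | sort > "$have"
  echo "# missing from role $1:"; comm -23 "$want" "$have"
  echo "# extra in role $1:";     comm -13 "$want" "$have"
  rm -f "$want" "$have"
}

# Sanity check for typos or version mismatches: every ID we intend to grant
# must exist in this vCenter, and the built-in Admin role holds all of them.
capv_unknown_ids() {
  want=$(mktemp)
  capv_base_privileges | sort > "$want"
  govc role.ls Admin | sort | comm -23 "$want" -
  rm -f "$want"
}

capv_example() {
  # Placeholder names and paths. Grant on the datacenter only if you accept
  # propagation to every object beneath it; otherwise list the cluster or
  # resource pool, datastore, network and VM/template folders explicitly.
  capv_role_apply capv-service capv@vsphere.local \
    "/dc0/host/cluster0" "/dc0/datastore/ds0" "/dc0/network/VM Network" "/dc0/vm"
  capv_role_diff capv-service
}

# Only talk to vCenter when explicitly asked; sourcing the file for the
# helpers is otherwise side-effect free.
if [ "${CAPV_APPLY:-0}" = 1 ]; then
  unknown=$(capv_unknown_ids)
  if [ -n "$unknown" ]; then
    printf 'privilege IDs unknown to this vCenter:\n%s\n' "$unknown" >&2
    exit 1
  fi
  capv_example
fi
```

Run it as `CAPV_APPLY=1 ./capv-role.sh` from an administrative session, never as the service account itself (an account cannot grant itself privileges it does not hold). Re-running `capv_role_diff` periodically is a cheap audit: the role should never show extras, and the principal should appear in `govc permissions.ls <path>` only on the objects you listed.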