When provisioning Kubernetes clusters with the DKP vSphere provider, there is a list of permissions that must be granted so that the provider is able to create, modify and delete resources (clone templates, VMs, disks, attach networks, etc.). A list of the minimum required permissions is available in our documentation and listed below.
In small vSphere environments with just a few hosts, assigning the role/user at the top level and propagating it to child resources may be appropriate, but in the majority of cases this is not possible, as security teams enforce strict restrictions on who may access specific resources.
The table below describes the level at which these permissions should be assigned and whether they should propagate to child objects.
| Level | Required | Propagate to Child |
|---|---|---|
| vCenter Server (Top Level) | No | No |
| Data Center | Yes | No |
| Resource Pool | Yes | No |
| Folder | Yes | Yes |
| Template | Yes | No |
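As an added example (not from the DKP documentation or product), the POSIX shell script below turns the table into a reviewable `govc permissions.set` plan and audits an existing list of role assignments against it. It assumes the DKP role with the documented privileges already exists, the inventory paths, principal and role name are placeholders, and the audit input format is constructed for this example.

```shell
# Levels from the table above, one per line: "<level> <inventory path> <propagate>".
# The inventory paths are placeholders for this example, not values from the page.
dkp_levels() {
  cat <<'EOF'
datacenter /DC0 false
resourcepool /DC0/host/Cluster0/Resources/dkp false
folder /DC0/vm/dkp true
template /DC0/vm/templates/dkp-base false
EOF
}

# Print, without running, the govc commands that grant ROLE to PRINCIPAL at each
# level with the propagate flag the table prescribes; review, then pipe into sh.
plan_permissions() {
  principal=$1; role=$2
  dkp_levels | while read -r level path propagate; do
    printf 'govc permissions.set -principal %s -role %s -propagate=%s %s\n' \
      "$principal" "$role" "$propagate" "$path"
  done
}

# Audit existing assignments of the DKP role against the table. Stdin lines are
# "<inventory path> <propagate>" (a constructed format, e.g. derived from the
# output of govc permissions.ls). Prints one line per finding; the return value
# is the number of findings, so 0 means the layout matches the table.
audit_permissions() {
  findings=0
  finding() { echo "FINDING: $1"; findings=$((findings + 1)); }
  while read -r path propagate; do
    expected=$(dkp_levels | awk -v p="$path" '$2 == p { print $3 }')
    if [ "$path" = "/" ]; then
      finding "role granted at the vCenter top level, which the table forbids"
    elif [ -z "$expected" ]; then
      finding "role granted on an object outside the table: $path"
    elif [ "$expected" != "$propagate" ]; then
      finding "$path has propagate=$propagate but the table requires $expected"
    fi
  done
  return "$findings"
}

# Review the plan for a constructed principal and role name.
plan_permissions 'dkp-provisioner@vsphere.local' 'DKP-Provisioner'
```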