VMware System and Permission Requirements
Before installing Palette on VMware, review the following system requirements and permissions. The vSphere user account used to deploy Palette must have the required permissions to access the proper roles and objects in vSphere.
Start by reviewing the required action items below:
- Create the two custom vSphere roles. Check out the Create Required Roles section to create the required roles in vSphere.
- Review the vSphere Permissions section to ensure the created roles have the required vSphere privileges and permissions.
- Create node zones and regions for your Kubernetes clusters. Refer to the Zone Tagging section to ensure that the required tags are created in vSphere to ensure proper resource allocation across fault domains.
The permissions listed on this page are also needed for deploying a Private Cloud Gateway (PCG) and workload clusters in vSphere through Palette.
Create Required Roles
Palette requires two custom roles to be created in vSphere before the installation. Refer to the Create a Custom Role guide if you need help creating a custom role in vSphere. The required custom roles are:
- A root-level role with access to higher-level vSphere objects. This role is referred to as the Spectro root role. Check out the Root-Level Role Privileges table for the list of privileges required for the root-level role.
- A role with the required privileges for deploying VMs. This role is referred to as the Spectro role. Review the Spectro Role Privileges table for the list of privileges required for the Spectro role.
The user account you use to deploy Palette must have access to both roles. Each vSphere object required by Palette must have a Permission entry for the respective Spectro role. The following tables list the privileges required for each custom role.
For an in-depth explanation of vSphere authorization and permissions, check out the Understanding Authorization in vSphere resource.
vSphere Permissions
The VMware vSphere user account that deploys host clusters or private cloud gateways requires all the vSphere privileges listed in the following sections for specific vSphere objects.
Spectro Root Role Privileges
A Spectro root role must be created that contains each privilege in the following table.
The required privileges for each supported vSphere version are listed below. The System.* privileges are added to all custom vSphere roles by default.
vSphere 8.0.x
Category | Privileges |
---|---|
CNS | Searchable |
Datastore | Browse datastore |
Host | Configuration: Storage partition configuration |
Network | Assign network |
Sessions | Validate session |
Storage Views | View |
System | Anonymous, Read, View |
VM Storage Policies | View VM storage policies |
vSphere Tagging | Create vSphere Tag, Edit vSphere Tag |
vSphere 7.0.x
Category | Privileges |
---|---|
CNS | Searchable |
Datastore | Browse datastore |
Host | Configuration: Storage partition configuration |
Network | Assign network |
Profile-driven Storage | View |
Sessions | Validate session |
Storage Views | View |
System | Anonymous, Read, View |
vSphere Tagging | Create vSphere Tag, Edit vSphere Tag |
vSphere 6.7U3
Category | Privileges |
---|---|
CNS | Searchable |
Datastore | Browse datastore |
Host | Configuration: Storage partition configuration |
Network | Assign network |
Profile-driven Storage | View |
Sessions | Validate session |
Storage Views | View |
System | Anonymous, Read, View |
vSphere Tagging | Create vSphere Tag, Edit vSphere Tag |
The raw API permission names for the latest vSphere version are:
Cns.Searchable
Datastore.Browse
Host.Config.Storage
InventoryService.Tagging.CreateTag
InventoryService.Tagging.EditTag
Network.Assign
Sessions.ValidateSession
StorageProfile.View
StorageViews.View
System.Anonymous
System.Read
System.View
Spectro Root Role Assignments
The privileges associated with the Spectro root role must be granted via role assignments on specific vSphere objects for either the user or a group containing the user. Review the required role assignments to ensure that your user has all required privileges on all required objects.
Propagation refers to the inheritance of permissions from a parent vSphere object to a child object. If a permission is propagated to a child object, the child object inherits the permission from the parent object.
vSphere Object | Propagation | Role | Condition |
---|---|---|---|
vCenter Root | No | Spectro root role | |
Target Datacenter | No | Spectro root role | |
Target Cluster | No | Spectro root role | |
Distributed Switch | No | Spectro root role | If the Target Network is a Distributed Port Group |
Spectro Role Privileges
A Spectro role must be created that contains each privilege in the following table.
The required privileges for each supported vSphere version are listed below.
vSphere 8.0.x
Category | Privileges |
---|---|
CNS | Searchable |
Datastore | Allocate space, Browse datastore, Low level file operations, Remove file, Update virtual machine files, Update virtual machine metadata |
Folder | Create folder, Delete folder, Move folder, Rename folder |
Host Local Operations | Reconfigure virtual machine |
Network | Assign network |
Resource | Apply recommendation, Assign virtual machine to resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine, Query vMotion |
Sessions | Validate session |
Storage Views | View |
System | Anonymous, Read, View |
Tasks | Create task, Update task |
vApp | Import, View OVF environment, vApp application configuration, vApp instance configuration |
VM Storage Policies | View VM storage policies |
vSAN | Cluster: ShallowRekey |
vSphere Tagging | Assign or Unassign vSphere Tag, Create vSphere Tag, Delete vSphere Tag, Edit vSphere Tag |
The following table lists the Spectro role privileges for virtual machines by category. All of these privileges apply to the Virtual Machine vSphere object.
Category | Privileges |
---|---|
Change Configuration | Acquire disk lease, Add existing disk, Add new disk, Add or remove device, Advanced configuration, Change CPU count, Change memory, Change settings, Change swapfile placement, Change resource, Configure host USB device, Configure raw device, Configure managedBy, Display connection settings, Extend virtual disk, Modify device settings, Query fault tolerance compatibility, Query unowned files, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Toggle disk change tracking, Toggle fork parent, Upgrade virtual machine compatibility |
Edit Inventory | Create from existing, Create new, Move, Register, Remove, Unregister |
Guest Operations | Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries |
Interaction | Console interaction, Power on, Power off |
Provisioning | Allow disk access, Allow file access, Allow read-only disk access, Allow virtual machine download, Allow virtual machine files upload, Clone template, Clone virtual machine, Create template from virtual machine, Customize guest, Deploy template, Mark as template, Mark as virtual machine, Modify customization specification, Promote disks, Read customization specifications |
Service Configuration | Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration |
Snapshot Management | Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot |
vSphere Replication | Configure replication, Manage replication, Monitor replication |
vSphere 7.0.x
Category | Privileges |
---|---|
CNS | Searchable |
Datastore | Allocate space, Browse datastore, Low level file operations, Remove file, Update virtual machine files, Update virtual machine metadata |
Folder | Create folder, Delete folder, Move folder, Rename folder |
Host Local Operations | Reconfigure virtual machine |
Network | Assign network |
Resource | Apply recommendation, Assign virtual machine to resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine, Query vMotion |
Profile-driven Storage | View |
Sessions | Validate session |
Storage Views | View |
System | Anonymous, Read, View |
Tasks | Create task, Update task |
vApp | Import, View OVF environment, vApp application configuration, vApp instance configuration |
vSAN | Cluster: ShallowRekey |
vSphere Tagging | Assign or Unassign vSphere Tag, Create vSphere Tag, Delete vSphere Tag, Edit vSphere Tag |
The following table lists the Spectro role privileges for virtual machines by category. All of these privileges apply to the Virtual Machine vSphere object.
Category | Privileges |
---|---|
Change Configuration | Acquire disk lease, Add existing disk, Add new disk, Add or remove device, Advanced configuration, Change CPU count, Change memory, Change settings, Change swapfile placement, Change resource, Configure host USB device, Configure raw device, Configure managedBy, Display connection settings, Extend virtual disk, Modify device settings, Query fault tolerance compatibility, Query unowned files, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Toggle disk change tracking, Toggle fork parent, Upgrade virtual machine compatibility |
Edit Inventory | Create from existing, Create new, Move, Register, Remove, Unregister |
Guest Operations | Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries |
Interaction | Console interaction, Power on, Power off |
Provisioning | Allow disk access, Allow file access, Allow read-only disk access, Allow virtual machine download, Allow virtual machine files upload, Clone template, Clone virtual machine, Create template from virtual machine, Customize guest, Deploy template, Mark as template, Mark as virtual machine, Modify customization specification, Promote disks, Read customization specifications |
Service Configuration | Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration |
Snapshot Management | Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot |
vSphere Replication | Configure replication, Manage replication, Monitor replication |
vSphere 6.7U3
Category | Privileges |
---|---|
CNS | Searchable |
Datastore | Allocate space, Browse datastore, Low level file operations, Remove file, Update virtual machine files, Update virtual machine metadata |
Folder | Create folder, Delete folder, Move folder, Rename folder |
Host Local Operations | Reconfigure virtual machine |
Network | Assign network |
Resource | Apply recommendation, Assign virtual machine to resource pool, Migrate powered off virtual machine, Migrate powered on virtual machine, Query vMotion |
Profile-driven Storage | View |
Sessions | Validate session |
Storage Views | View |
System | Anonymous, Read, View |
Tasks | Create task, Update task |
vApp | Import, View OVF environment, vApp application configuration, vApp instance configuration |
vSphere Tagging | Assign or Unassign vSphere Tag, Create vSphere Tag, Delete vSphere Tag, Edit vSphere Tag |
The following table lists the Spectro role privileges for virtual machines by category. All of these privileges apply to the Virtual Machine vSphere object.
Category | Privileges |
---|---|
Change Configuration | Acquire disk lease, Add existing disk, Add new disk, Add or remove device, Advanced configuration, Change CPU count, Change memory, Change settings, Change swapfile placement, Change resource, Configure host USB device, Configure raw device, Configure managedBy, Display connection settings, Extend virtual disk, Modify device settings, Query fault tolerance compatibility, Query unowned files, Reload from path, Remove disk, Rename, Reset guest information, Set annotation, Toggle disk change tracking, Toggle fork parent, Upgrade virtual machine compatibility |
Edit Inventory | Create from existing, Create new, Move, Register, Remove, Unregister |
Guest Operations | Guest operation alias modification, Guest operation alias query, Guest operation modifications, Guest operation program execution, Guest operation queries |
Interaction | Console interaction, Power on, Power off |
Provisioning | Allow disk access, Allow file access, Allow read-only disk access, Allow virtual machine download, Allow virtual machine files upload, Clone template, Clone virtual machine, Create template from virtual machine, Customize guest, Deploy template, Mark as template, Mark as virtual machine, Modify customization specification, Promote disks, Read customization specifications |
Service Configuration | Allow notifications, Allow polling of global event notifications, Manage service configurations, Modify service configuration, Query service configurations, Read service configuration |
Snapshot Management | Create snapshot, Remove snapshot, Rename snapshot, Revert to snapshot |
vSphere Replication | Configure replication, Manage replication, Monitor replication |
The raw API permission names for the latest vSphere version are:
Cns.Searchable
Datastore.AllocateSpace
Datastore.Browse
Datastore.DeleteFile
Datastore.FileManagement
Datastore.UpdateVirtualMachineFiles
Datastore.UpdateVirtualMachineMetadata
Folder.Create
Folder.Delete
Folder.Move
Folder.Rename
Host.Local.ReconfigVM
InventoryService.Tagging.AttachTag
InventoryService.Tagging.CreateTag
InventoryService.Tagging.DeleteTag
InventoryService.Tagging.EditTag
Network.Assign
Resource.ApplyRecommendation
Resource.AssignVMToPool
Resource.ColdMigrate
Resource.HotMigrate
Resource.QueryVMotion
Sessions.ValidateSession
StorageProfile.View
StorageViews.View
System.Anonymous
System.Read
System.View
Task.Create
Task.Update
VApp.ApplicationConfig
VApp.ExtractOvfEnvironment
VApp.Import
VApp.InstanceConfig
VirtualMachine.Config.AddExistingDisk
VirtualMachine.Config.AddNewDisk
VirtualMachine.Config.AddRemoveDevice
VirtualMachine.Config.AdvancedConfig
VirtualMachine.Config.Annotation
VirtualMachine.Config.CPUCount
VirtualMachine.Config.ChangeTracking
VirtualMachine.Config.DiskExtend
VirtualMachine.Config.DiskLease
VirtualMachine.Config.EditDevice
VirtualMachine.Config.HostUSBDevice
VirtualMachine.Config.ManagedBy
VirtualMachine.Config.Memory
VirtualMachine.Config.MksControl
VirtualMachine.Config.QueryFTCompatibility
VirtualMachine.Config.QueryUnownedFiles
VirtualMachine.Config.RawDevice
VirtualMachine.Config.ReloadFromPath
VirtualMachine.Config.RemoveDisk
VirtualMachine.Config.Rename
VirtualMachine.Config.ResetGuestInfo
VirtualMachine.Config.Resource
VirtualMachine.Config.Settings
VirtualMachine.Config.SwapPlacement
VirtualMachine.Config.ToggleForkParent
VirtualMachine.Config.UpgradeVirtualHardware
VirtualMachine.GuestOperations.Execute
VirtualMachine.GuestOperations.Modify
VirtualMachine.GuestOperations.ModifyAliases
VirtualMachine.GuestOperations.Query
VirtualMachine.GuestOperations.QueryAliases
VirtualMachine.Hbr.ConfigureReplication
VirtualMachine.Hbr.MonitorReplication
VirtualMachine.Hbr.ReplicaManagement
VirtualMachine.Interact.ConsoleInteract
VirtualMachine.Interact.PowerOff
VirtualMachine.Interact.PowerOn
VirtualMachine.Inventory.Create
VirtualMachine.Inventory.CreateFromExisting
VirtualMachine.Inventory.Delete
VirtualMachine.Inventory.Move
VirtualMachine.Inventory.Register
VirtualMachine.Inventory.Unregister
VirtualMachine.Namespace.Event
VirtualMachine.Namespace.EventNotify
VirtualMachine.Namespace.Management
VirtualMachine.Namespace.ModifyContent
VirtualMachine.Namespace.Query
VirtualMachine.Namespace.ReadContent
VirtualMachine.Provisioning.Clone
VirtualMachine.Provisioning.CloneTemplate
VirtualMachine.Provisioning.CreateTemplateFromVM
VirtualMachine.Provisioning.Customize
VirtualMachine.Provisioning.DeployTemplate
VirtualMachine.Provisioning.DiskRandomAccess
VirtualMachine.Provisioning.DiskRandomRead
VirtualMachine.Provisioning.FileRandomAccess
VirtualMachine.Provisioning.GetVmFiles
VirtualMachine.Provisioning.MarkAsTemplate
VirtualMachine.Provisioning.MarkAsVM
VirtualMachine.Provisioning.ModifyCustSpecs
VirtualMachine.Provisioning.PromoteDisks
VirtualMachine.Provisioning.PutVmFiles
VirtualMachine.Provisioning.ReadCustSpecs
VirtualMachine.State.CreateSnapshot
VirtualMachine.State.RemoveSnapshot
VirtualMachine.State.RenameSnapshot
VirtualMachine.State.RevertToSnapshot
Vsan.Cluster.ShallowRekey
The System.* privileges are added to all custom vSphere roles by default.
Spectro Role Assignments
The privileges associated with the Spectro role must be granted via role assignments on specific vSphere objects for either the user or a group containing the user. Review the required role assignments to ensure that your user has all required privileges on all required objects.
vSphere Object | Propagation | Role | Condition |
---|---|---|---|
Target Network | Yes | Spectro role | |
Target Cluster | No | Spectro role | Required if using a cluster's default Resources resource pool. |
Target Resource Pool | Yes | Spectro role | Required if using a non-default resource pool. |
All ESXi hosts within the Target Cluster | No | Spectro role | |
Target Datastore | Yes | Spectro role | |
spectro-templates Folder | Yes | Spectro role | Must be manually created in advance, assigned permissions, and populated with Spectro Cloud VM Templates. |
Target VM Folder | Yes | Spectro role | For air-gapped installs, it must be manually created in advance and permissions assigned. For connected installs it is created automatically. |
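The privilege lists and the two assignment tables above describe a configuration that is easy to get subtly wrong: a privilege left out of a role, a required grant missing on one object, or a grant that propagates where the table says it must not. The following script is an example added here, not Palette's own tooling. It encodes the page's requirements and diffs a role and permission export against them. The inventory paths, the principal name and the sample export are constructed placeholders; the Spectro role privilege set is a subset of the page's raw list (paste the full list before auditing a real vCenter), and the conditional rows assume a distributed port group and the cluster's default resource pool.

```python
"""Diff a vCenter role/permission export against the Spectro root role and
Spectro role requirements on this page. Added example, not Palette tooling;
every path, principal and sample record below is a constructed placeholder."""
from dataclasses import dataclass

# Spectro root role: the complete raw privilege list from this page.
SPECTRO_ROOT_PRIVILEGES = frozenset({
    "Cns.Searchable", "Datastore.Browse", "Host.Config.Storage",
    "InventoryService.Tagging.CreateTag", "InventoryService.Tagging.EditTag",
    "Network.Assign", "Sessions.ValidateSession", "StorageProfile.View",
    "StorageViews.View", "System.Anonymous", "System.Read", "System.View",
})
# Spectro role: a subset of the page's raw list; paste the full list here
# before auditing a real vCenter.
SPECTRO_PRIVILEGES = frozenset({
    "Cns.Searchable", "Datastore.AllocateSpace", "Datastore.Browse",
    "Folder.Create", "Network.Assign", "Resource.AssignVMToPool",
    "VirtualMachine.Inventory.Create", "VirtualMachine.Provisioning.Clone",
    "VirtualMachine.Provisioning.DeployTemplate", "System.Anonymous",
    "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
    "System.Read", "System.View",
})
REQUIRED_PRIVILEGES = {"Spectro root role": SPECTRO_ROOT_PRIVILEGES,
                       "Spectro role": SPECTRO_PRIVILEGES}


@dataclass(frozen=True)
class Assignment:
    """A role granted on one inventory object, with its propagation flag."""
    entity: str
    role: str
    propagate: bool


# The two role-assignment tables, for a hypothetical inventory with one
# datacenter, a cluster of two hosts using its default resource pool, and
# a distributed port group (so the Distributed Switch row applies).
REQUIRED_ASSIGNMENTS = [
    Assignment("/", "Spectro root role", False),                     # vCenter root
    Assignment("/dc-1", "Spectro root role", False),                 # target datacenter
    Assignment("/dc-1/host/cluster-1", "Spectro root role", False),  # target cluster
    Assignment("/dc-1/network/dvs-1", "Spectro root role", False),   # distributed switch
    Assignment("/dc-1/network/dvs-1/pg-k8s", "Spectro role", True),  # target network
    Assignment("/dc-1/host/cluster-1", "Spectro role", False),       # default resource pool
    Assignment("/dc-1/host/cluster-1/esx-1.example", "Spectro role", False),
    Assignment("/dc-1/host/cluster-1/esx-2.example", "Spectro role", False),
    Assignment("/dc-1/datastore/ds-1", "Spectro role", True),        # target datastore
    Assignment("/dc-1/vm/spectro-templates", "Spectro role", True),  # templates folder
    Assignment("/dc-1/vm/palette-vms", "Spectro role", True),        # target VM folder
]


def missing_privileges(roles: dict[str, set[str]]) -> dict[str, list[str]]:
    """Per role, the required raw privileges it lacks (complete roles omitted)."""
    gaps = {}
    for name, required in REQUIRED_PRIVILEGES.items():
        missing = sorted(required - roles.get(name, set()))
        if missing:
            gaps[name] = missing
    return gaps


def audit_assignments(permissions, principal: str) -> list[str]:
    """permissions: (entity path, principal, role, propagate) records, the
    shape a Get-VIPermission or AuthorizationManager export flattens into.
    Reports required grants that are absent and grants whose propagation
    differs from the table, e.g. a root-role grant propagating from the
    vCenter root, which is wider than the page asks for."""
    mine = {(ent, role): prop for ent, who, role, prop in permissions if who == principal}
    findings = []
    for req in REQUIRED_ASSIGNMENTS:
        prop = mine.get((req.entity, req.role))
        if prop is None:
            findings.append(f"missing {req.role} on {req.entity}")
        elif prop != req.propagate:
            want = "propagate" if req.propagate else "not propagate"
            findings.append(f"{req.role} on {req.entity} should {want}")
    return findings


# Constructed export with three defects: the root role lacks
# Host.Config.Storage, its grant at the vCenter root propagates, and the
# root-role grant on the cluster is absent.
PRINCIPAL = "VSPHERE.LOCAL\\palette-svc"  # placeholder service account
SAMPLE_ROLES = {
    "Spectro root role": set(SPECTRO_ROOT_PRIVILEGES) - {"Host.Config.Storage"},
    "Spectro role": set(SPECTRO_PRIVILEGES),
}
SAMPLE_PERMISSIONS = [
    (a.entity, PRINCIPAL, a.role, a.propagate) for a in REQUIRED_ASSIGNMENTS
    if not (a.entity == "/dc-1/host/cluster-1" and a.role == "Spectro root role")
]
SAMPLE_PERMISSIONS[0] = ("/", PRINCIPAL, "Spectro root role", True)

if __name__ == "__main__":
    for role, gap in missing_privileges(SAMPLE_ROLES).items():
        print(f"{role} is missing: {', '.join(gap)}")
    for finding in audit_assignments(SAMPLE_PERMISSIONS, PRINCIPAL):
        print(finding)
```

To use it against a real environment, replace SAMPLE_ROLES with each role's privilege IDs and SAMPLE_PERMISSIONS with the permission records read from vCenter, and adjust REQUIRED_ASSIGNMENTS to your inventory paths and to whichever conditional rows apply. Every line the script prints is a gap to close before installing Palette; an empty output means both roles are complete and every grant matches the tables, including propagation.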
Zone Tagging
You can use tags to create node zones and regions for your Kubernetes clusters. The node zones and regions can be used to dynamically place Kubernetes workloads and achieve higher availability. Kubernetes nodes inherit the zone and region tags as Labels. Kubernetes workloads can use the node labels to ensure that the workloads are deployed to the correct zone and region.
The following is an example of node labels that are discovered and inherited from vSphere tags. The tag values are applied to Kubernetes nodes in vSphere.
topology.kubernetes.io/region=usdc
topology.kubernetes.io/zone=zone3
failure-domain.beta.kubernetes.io/region=usdc
failure-domain.beta.kubernetes.io/zone=zone3
To learn more about node zones and regions, refer to the Node Zones/Regions Topology section of the Cloud Provider Interface documentation.
Zone tagging is required to install Palette and is helpful for Kubernetes workloads deployed in vSphere clusters through Palette if they have persistent storage needs. Use vSphere tags on data centers and compute clusters to create distinct zones in your environment. You can use vSphere Tag Categories and Tags to create zones in your vSphere environment and assign them to vSphere objects.
The zone tags you assign to your vSphere objects, such as a datacenter and clusters, are applied to the Kubernetes nodes you deploy through Palette into your vSphere environment. Kubernetes clusters deployed to other infrastructure providers, such as public clouds, may have other native mechanisms for auto-discovery of zones.
For example, assume a vCenter environment contains three compute clusters, cluster-1, cluster-2, and cluster-3. To support this environment you create the tag categories k8s-region and k8s-zone. The k8s-region tag is assigned to the datacenter, and the k8s-zone tag is assigned to the compute clusters.
The following table lists the tag values for the data center and compute clusters.
vSphere Object | Assigned Name | Tag Category | Tag Value |
---|---|---|---|
Datacenter | dc-1 | k8s-region | region1 |
Cluster | cluster-1 | k8s-zone | az1 |
Cluster | cluster-2 | k8s-zone | az2 |
Cluster | cluster-3 | k8s-zone | az3 |
Create a tag category and tag values for each datacenter and cluster in your environment. Use the tag categories to create zones. Use a name that is meaningful and that complies with the tag requirements listed in the following section.
Tag Requirements
The following requirements apply to tags:
- A valid tag must consist of alphanumeric characters.
- The tag must start and end with an alphanumeric character.
- The regex used for tag validation is (([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?
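To show the tag rules above and the node-label mapping from the Zone Tagging example in working form, here is an added Python example (not Palette code). It applies the page's validation regex with one caveat the regex alone does not enforce: every group in it is optional, so it also matches the empty string, and an explicit non-empty check is needed to honour the first rule. The inventory dictionary mirrors the page's datacenter and cluster table and is constructed for this example; the label keys are the four shown in the node-label example.

```python
"""Validate vSphere zone/region tag values with the regex on this page and
derive the node labels a cluster's nodes inherit. Added example, not Palette
code; the inventory below is constructed to mirror the page's table."""
import re

# Regex exactly as given under Tag Requirements.
TAG_PATTERN = re.compile(r"(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?")


def is_valid_tag(value: str) -> bool:
    """True if value is a valid tag. Every group in the regex is optional,
    so on its own it also accepts the empty string; the length check
    enforces the rule that a tag consists of alphanumeric characters."""
    return len(value) > 0 and TAG_PATTERN.fullmatch(value) is not None


# Label keys as shown in the page's node-label example.
LABEL_KEYS = {
    "region": ("topology.kubernetes.io/region",
               "failure-domain.beta.kubernetes.io/region"),
    "zone": ("topology.kubernetes.io/zone",
             "failure-domain.beta.kubernetes.io/zone"),
}


def node_labels(region: str, zone: str) -> dict[str, str]:
    """Labels inherited from the k8s-region tag on the datacenter and the
    k8s-zone tag on the compute cluster. Rejects values the page's regex
    refuses instead of silently producing an unusable label."""
    labels = {}
    for kind, value in (("region", region), ("zone", zone)):
        if not is_valid_tag(value):
            raise ValueError(f"invalid {kind} tag value: {value!r}")
        for key in LABEL_KEYS[kind]:
            labels[key] = value
    return labels


# Constructed inventory mirroring the page's table: the datacenter carries
# the k8s-region tag and each compute cluster carries a k8s-zone tag.
INVENTORY = {
    "dc-1": {
        "k8s-region": "region1",
        "clusters": {"cluster-1": "az1", "cluster-2": "az2", "cluster-3": "az3"},
    },
}


def labels_for_cluster(datacenter: str, cluster: str) -> dict[str, str]:
    """Node labels for VMs placed in the given compute cluster."""
    dc = INVENTORY[datacenter]
    return node_labels(dc["k8s-region"], dc["clusters"][cluster])


if __name__ == "__main__":
    for candidate in ("az1", "us.east_1-a", "-az1", "az1.", "az 1", ""):
        print(f"{candidate!r:14} valid={is_valid_tag(candidate)}")
    for cluster in INVENTORY["dc-1"]["clusters"]:
        print(cluster, labels_for_cluster("dc-1", cluster))
```

The candidates in the main block cover the edge cases the rules describe: a value with dots, underscores and dashes in the middle passes, while a leading dash, a trailing dot, an embedded space and an empty value are all rejected. Checking tag values this way before assigning them in vSphere avoids discovering a bad zone name only after the nodes come up without the expected labels.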