
VMware System and Permission Requirements

Before installing Palette on VMware, review the following system requirements and permissions. The vSphere user account used to deploy Palette must have the required permissions to access the proper roles and objects in vSphere.

Start by reviewing the required action items below:

  1. Create the two custom vSphere roles. Check out the Create Required Roles section to create the required roles in vSphere.

  2. Review the vSphere Permissions section to ensure the created roles have the required vSphere privileges and permissions.

  3. Create node zones and regions for your Kubernetes clusters. Refer to the Zone Tagging section to confirm that the required tags exist in vSphere so that resources are allocated correctly across fault domains.

Info: The permissions listed in this page are also needed for deploying a Private Cloud Gateway (PCG) and workload cluster in vSphere through Palette.

Create Required Roles

Palette requires two custom roles to be created in vSphere before the installation. Refer to the Create a Custom Role guide if you need help creating a custom role in vSphere. The required custom roles are:

  • A root-level role with access to higher-level vSphere objects. This role is referred to as the spectro root role. Check out the Root-Level Role Privileges table for the list of privileges required for the root-level role.

  • A role with the required privileges for deploying VMs. This role is referred to as the Spectro role. Review the Spectro Role Privileges table for the list of privileges required for the Spectro role.

The user account you use to deploy Palette must have access to both roles. Each vSphere object required by Palette must have a Permission entry for the respective Spectro role. The following tables list the privileges required for each custom role.

Info: For an in-depth explanation of vSphere authorization and permissions, check out the Understanding Authorization in vSphere resource.

vSphere Permissions

The vSphere user account that deploys Palette requires access to the vSphere objects and privileges listed in the following tables. Review them to ensure each role is assigned the required privileges.

Spectro Root Role Privileges

The spectro root role privileges are only applied to root objects and data center objects. Select the tab for the vSphere version you are using to view the required privileges for the spectro root role.

vSphere Object and Privilege

CNS
  • Searchable
Datastore
  • Browse datastore
Host
  • Configuration: Storage partition configuration
vSphere Tagging
  • Create and edit vSphere tags
Network
  • Assign network
Sessions
  • Validate session
VM Storage Policies
  • View VM storage policies
Storage views
  • View

Caution: If the network is a Distributed Port Group under a vSphere Distributed Switch (VDS), ReadOnly access to the VDS without “Propagate to children” is required.

Spectro Role Privileges

As listed in the table, apply spectro role privileges to vSphere objects you intend to use for Palette installation. A separate table lists Spectro role privileges for VMs by category.

During the installation, images and Open Virtual Appliance (OVA) files are downloaded to the folder you selected. These images are cloned from the folder and applied to the VMs deployed during the installation.

Select the tab for the vSphere version you are using to view the required privileges for the spectro role.

vSphere Object and Privileges

CNS
  • Searchable
Datastore
  • Allocate space
  • Browse datastore
  • Low-level file operations
  • Remove file
  • Update VM files
  • Update VM metadata
Folder
  • Create folder
  • Delete folder
  • Move folder
  • Rename folder
Host
  • Local operations: Reconfigure VM
Network
  • Assign network
Resource
  • Apply recommendation
  • Assign VM to resource pool
  • Migrate powered off VM
  • Migrate powered on VM
  • Query vMotion
Sessions
  • Validate sessions
Storage policies
  • View access for VM storage policies is required. Ensure StorageProfile.View is available.
spectro-templates
  • Read only. This is the vSphere folder created during the install. For airgap installs, you must manually create this folder.
Storage views
  • View
Tasks
  • Create task
  • Update task
vApp
  • Import
  • View OVF environment
  • Configure vApp application
  • Configure vApp instance
vSphere tagging
  • Assign or Unassign vSphere Tag
  • Create vSphere Tag
  • Delete vSphere Tag
  • Edit vSphere Tag

The following table lists spectro role privileges for VMs by category. All privileges are for the vSphere object, Virtual Machines.

Category and Privileges

Change Configuration
  • Acquire disk lease
  • Add existing disk
  • Add new disk
  • Add or remove device
  • Advanced configuration
  • Change CPU count
  • Change memory
  • Change settings
  • Change swapfile placement
  • Change resource
  • Change host USB device
  • Configure raw device
  • Configure managedBy
  • Display connection settings
  • Extend virtual disk
  • Modify device settings
  • Query fault tolerance compatibility
  • Query unowned files
  • Reload from path
  • Remove disk
  • Rename
  • Reset guest information
  • Set annotation
  • Toggle disk change tracking
  • Toggle fork parent
  • Upgrade VM compatibility
Edit Inventory
  • Create from existing
  • Create new
  • Move
  • Register
  • Remove
  • Unregister
Guest Operations
  • Alias modification
  • Alias query
  • Modify guest operations
  • Invoke programs
  • Queries
Interaction
  • Console Interaction
  • Power on/off
Provisioning
  • Allow disk access
  • Allow file access
  • Allow read-only disk access
  • Allow VM download
  • Allow VM files upload
  • Clone template
  • Clone VM
  • Create template from VM
  • Customize guest
  • Deploy template
  • Mark as template
  • Mark as VM
  • Modify customization specification
  • Promote disks
  • Read customization specifications
Service Configuration
  • Allow notifications
  • Allow polling of global event notifications
  • Manage service configurations
  • Modify service configurations
  • Query service configurations
  • Read service configurations
Snapshot Management
  • Create snapshot
  • Remove snapshot
  • Rename snapshot
  • Revert to snapshot
vSphere Replication
  • Configure replication
  • Manage replication
  • Monitor replication
vSAN
  • Cluster: ShallowRekey

Zone Tagging

You can use tags to create node zones and regions for your Kubernetes clusters. The node zones and regions can be used to dynamically place Kubernetes workloads and achieve higher availability. Kubernetes nodes inherit the zone and region tags as Labels. Kubernetes workloads can use the node labels to ensure that the workloads are deployed to the correct zone and region.

The following is an example of node labels that are discovered and inherited from vSphere tags. The tag values are applied to Kubernetes nodes in vSphere.

  topology.kubernetes.io/region=usdc
  topology.kubernetes.io/zone=zone3
  failure-domain.beta.kubernetes.io/region=usdc
  failure-domain.beta.kubernetes.io/zone=zone3

Info: To learn more about node zones and regions, refer to the Node Zones/Regions Topology section of the Cloud Provider Interface documentation.

Zone tagging is required to install Palette and is helpful for Kubernetes workloads deployed in vSphere clusters through Palette if they have persistent storage needs. Use vSphere tags on data centers and compute clusters to create distinct zones in your environment. You can use vSphere Tag Categories and Tags to create zones in your vSphere environment and assign them to vSphere objects.

The zone tags you assign to your vSphere objects, such as a datacenter and clusters, are applied to the Kubernetes nodes you deploy through Palette into your vSphere environment. Kubernetes clusters deployed to other infrastructure providers, such as public clouds, may have other native mechanisms for auto discovery of zones.

For example, assume a vCenter environment contains three compute clusters, cluster-1, cluster-2, and cluster-3. To support this environment you create the tag categories k8s-region and k8s-zone. The k8s-region tag is assigned to the datacenter, and the k8s-zone tag is assigned to the compute clusters.

The following table lists the tag values for the data center and compute clusters.

vSphere Object | Assigned Name | Tag Category | Tag Value
Datacenter     | dc-1          | k8s-region   | region1
Cluster        | cluster-1     | k8s-zone     | az1
Cluster        | cluster-2     | k8s-zone     | az2
Cluster        | cluster-3     | k8s-zone     | az3

Create a tag category and tag values for each datacenter and cluster in your environment. Use the tag categories to create zones. Use a name that is meaningful and that complies with the tag requirements listed in the following section.

Tag Requirements

The following requirements apply to tags:

  • A valid tag must consist of alphanumeric characters.
  • The tag must start and end with an alphanumeric character.
  • The regex used for tag validation is (([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?
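As an added example (not code from the Palette documentation), the following Python models how a node in one of the clusters from the example table inherits its region from the datacenter tag and its zone from the cluster tag, and validates the tag values with the regex above. The inventory and the cluster-to-datacenter mapping are constructed to match the table; the empty string is rejected here even though the regex technically matches it.

```python
import re

# Tag-value regex from the Tag Requirements section, anchored with fullmatch().
TAG_VALUE_RE = re.compile(r"(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?")

# Tag categories chosen in the example: k8s-region on the datacenter, k8s-zone on clusters.
REGION_CATEGORY = "k8s-region"
ZONE_CATEGORY = "k8s-zone"

# Constructed inventory matching the example table: object name -> {category: value}.
TAGS = {
    "dc-1": {REGION_CATEGORY: "region1"},
    "cluster-1": {ZONE_CATEGORY: "az1"},
    "cluster-2": {ZONE_CATEGORY: "az2"},
    "cluster-3": {ZONE_CATEGORY: "az3"},
}

# Constructed placement: which datacenter each compute cluster belongs to.
CLUSTER_DATACENTER = {"cluster-1": "dc-1", "cluster-2": "dc-1", "cluster-3": "dc-1"}


def is_valid_tag_value(value: str) -> bool:
    """True when value matches the page's regex and is non-empty.

    The regex alone also accepts "", which would yield an empty zone or region
    label, so the empty string is rejected as a stricter choice made here."""
    return bool(value) and TAG_VALUE_RE.fullmatch(value) is not None


def node_labels(cluster: str) -> dict:
    """Derive the topology labels a node placed in `cluster` inherits from vSphere tags.

    Region comes from the owning datacenter, zone from the cluster itself.
    Raises ValueError when a required tag is missing or fails validation."""
    datacenter = CLUSTER_DATACENTER[cluster]
    region = TAGS.get(datacenter, {}).get(REGION_CATEGORY)
    zone = TAGS.get(cluster, {}).get(ZONE_CATEGORY)
    for category, value in ((REGION_CATEGORY, region), (ZONE_CATEGORY, zone)):
        if value is None:
            raise ValueError(f"missing {category} tag for a node in {cluster}")
        if not is_valid_tag_value(value):
            raise ValueError(f"invalid {category} tag value {value!r}")
    # Both the current topology.* keys and the older failure-domain.beta.* keys
    # are emitted, matching the label listing shown earlier on this page.
    return {
        "topology.kubernetes.io/region": region,
        "topology.kubernetes.io/zone": zone,
        "failure-domain.beta.kubernetes.io/region": region,
        "failure-domain.beta.kubernetes.io/zone": zone,
    }
```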