Developers are the primary users of a Kubernetes cluster. Once a TKG cluster is provisioned, you can grant developers access to it using vCenter Single Sign-On authentication.

Authentication for Developers

A cluster administrator can grant cluster access to other users, such as developers. Developers can deploy pods to clusters directly using their user accounts, or indirectly using service accounts. For more information, see Grant Developers SSO Access to Workload Clusters in Using TKG Service with vSphere IaaS Control Plane.
  • For user account authentication, TKG clusters support vCenter Single Sign-On users and groups. The user or group can be local to the vCenter Server, or synchronized from a supported directory server.
  • For service account authentication, you can use service tokens. For more information, see the Kubernetes documentation.

Adding Developer Users to a Cluster

To grant cluster access to developers:
  1. Define a Role or ClusterRole for the user or group and apply it to the cluster. For more information, see the Kubernetes documentation.
  2. Create a RoleBinding or ClusterRoleBinding for the user or group and apply it to the cluster. See the following example.

Example RoleBinding

To grant access to a vCenter Single Sign-On user or group, the subject in the RoleBinding must use one of the following formats for the name parameter.
Table 1. Supported User and Group Fields

  Field                   Description
  sso:USER-NAME@DOMAIN    A vCenter Single Sign-On user. For example, a local user name such as sso:joe@vsphere.local.
  sso:GROUP-NAME@DOMAIN   A vCenter Single Sign-On group. For example, a group name from a directory server integrated with the vCenter Server, such as sso:devs@ldap.example.com.

The following example RoleBinding binds the vCenter Single Sign-On local user joe to the default ClusterRole named edit. The edit role permits read/write access to most objects in a namespace; because the RoleBinding itself is created in the default namespace, the grant applies only to that namespace.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rolebinding-cluster-user-joe
  namespace: default
roleRef:
  kind: ClusterRole
  name: edit                             # Default ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: sso:joe@vsphere.local            # sso:<username>@<domain>
  apiGroup: rbac.authorization.k8s.io
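The following Python script is an added example, not part of the TKG documentation: it builds a RoleBinding for an SSO user and an SSO group (a Group subject, which the page's YAML does not show), rejects subject names that do not follow the sso:NAME@DOMAIN convention, flags bindings to privileged ClusterRoles, and prints the kubectl impersonation commands that verify the grant after applying it. The binding name, the user joe, the group devs and the placeholder user passed with --as for the group check are all constructed.

```python
"""Added example: RoleBindings for vCenter SSO principals plus least-privilege checks."""
import json
import re

API_GROUP = "rbac.authorization.k8s.io"
# TKG expects vCenter SSO principals named sso:<user-or-group>@<domain>
SSO_NAME = re.compile(r"^sso:[^@\s]+@[^@\s]+\.[^@\s]+$")


def sso_subject(name, kind):
    """One RBAC subject: kind User for an SSO user, Group for an SSO group."""
    if kind not in ("User", "Group"):
        raise ValueError(f"subject kind must be User or Group, not {kind!r}")
    if not SSO_NAME.match(name):
        raise ValueError(f"{name!r} does not match sso:NAME@DOMAIN")
    return {"kind": kind, "name": name, "apiGroup": API_GROUP}


def role_binding(name, namespace, role, subjects):
    """Namespace-scoped RoleBinding to a ClusterRole such as the default 'edit'."""
    return {
        "apiVersion": API_GROUP + "/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "roleRef": {"kind": "ClusterRole", "name": role, "apiGroup": API_GROUP},
        "subjects": subjects,
    }


def review(binding):
    """Least-privilege check: report bindings that grant more than developers need."""
    role = binding["roleRef"]["name"]
    if role in ("admin", "cluster-admin"):
        return [f"{binding['metadata']['name']} binds privileged ClusterRole {role}"]
    return []


def can_i_commands(binding, verb="create", resource="pods"):
    """kubectl impersonation checks to run after 'kubectl apply -f binding.json'."""
    ns = binding["metadata"]["namespace"]
    cmds = []
    for s in binding["subjects"]:
        # --as-group needs an accompanying --as; 'any-user' is a constructed placeholder
        who = f"--as {s['name']}" if s["kind"] == "User" else f"--as any-user --as-group {s['name']}"
        cmds.append(f"kubectl auth can-i {verb} {resource} -n {ns} {who}")
    return cmds


if __name__ == "__main__":
    subjects = [sso_subject("sso:joe@vsphere.local", "User"),
                sso_subject("sso:devs@ldap.example.com", "Group")]
    rb = role_binding("rolebinding-dev-team", "default", "edit", subjects)
    print(json.dumps(rb, indent=2))  # kubectl apply -f accepts JSON manifests
    print("\n".join(review(rb) + can_i_commands(rb)))
```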