What are the minimum privileges required to install OCP 4 IPI in a vSphere environment

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 4
  • Installer Provisioned Infrastructure (IPI)
  • VMware vSphere

Issue

  • What are the minimum privileges required in a vSphere environment to run an IPI installation of OCP 4, and for the MachineSet Operator at runtime?

  • How can a user's privileges be restricted to only those needed to deploy an IPI OpenShift 4 cluster in a vSphere environment?

  • ServerFaultCode: Permission to perform this operation was denied inside Cloud-Controller

  • The Storage cluster operator becomes un-upgradeable and logs the error:

    vspherecontroller.go:445] Marking cluster un-upgradeable because failed to find VM XXXXXX by UUID 000000000: 
    ServerFaultCode: Permission to perform this operation was denied.
    

Resolution

Refer to the required vCenter account privileges section in the documentation for installing OCP 4 in vSphere.

Diagnostic Steps

  • Check the vSphere permissions using govc:

    ### check the role of the account
    $ govc permissions.ls
    ### check the permissions of the role
    $ govc role.ls '[role_name]'
    
  • Check the vSphere permissions using PowerCLI:

    > Get-VIPermission
    > (Get-VIRole '[role_name]').PrivilegeList
    > Get-VIPermission -Principal '[principal]'  | fl
    
  • Refer to vSphere Problem Detector Operator fails with permissions checks in OpenShift 4 for additional checks.
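
The comparison behind the govc check above, as an added example (not Red Hat's or govc's own code): it diffs the privilege IDs printed by `govc role.ls` against a required list and prints the ones the role lacks. The function names and both sample lists are constructed for illustration; the real required list must be copied from the documentation referenced under Resolution.

```shell
#!/bin/sh
# Added example: report privileges a role lacks compared with a required list.
# Live use (role name is a placeholder, as in the steps above):
#   govc role.ls '[role_name]' > role.txt && missing_privs required.txt role.txt

# Strip CRs, comments, padding and blank lines, then sort for comm(1).
normalize() {
    tr -d '\r' < "$1" |
        sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^$' | LC_ALL=C sort -u
}

# Print required privileges absent from the role; return 1 if any are missing.
missing_privs() {
    req=$(mktemp); have=$(mktemp)
    normalize "$1" > "$req"
    normalize "$2" > "$have"
    missing=$(LC_ALL=C comm -23 "$req" "$have")   # lines only in the required list
    rm -f "$req" "$have"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

demo() {
    dir=$(mktemp -d)
    # Constructed subset for illustration, NOT the documented required list.
    cat > "$dir/required.txt" <<'EOF'
# constructed sample
Datastore.AllocateSpace
Datastore.FileManagement
VirtualMachine.Config.AddNewDisk
VirtualMachine.Interact.PowerOn
EOF
    # Constructed stand-in for `govc role.ls` output of an under-privileged role.
    cat > "$dir/role.txt" <<'EOF'
System.Anonymous
System.Read
System.View
Datastore.AllocateSpace
VirtualMachine.Interact.PowerOn
EOF
    rc=0
    missing_privs "$dir/required.txt" "$dir/role.txt" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "role is missing the privileges listed above" >&2
```

The non-zero exit status makes the check usable as a gate before an installation or upgrade; the permission is granted per vSphere object, so repeat it for each role the account holds.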

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.