Managing Kubernetes at enterprise scale: A closer look at Tanzu Mission Control

March 19, 2020 ningg

As Kubernetes continues to mature—rounding the corner toward its 6th birthday—we’ve started to see a shift in terms of the challenges our customers need to solve. Initially, Kubernetes installation was complex. As multiple solutions for installation and lifecycle management sprang up, companies seeking to adopt Kubernetes had to figure out the right approach. With the open source community standardizing on technologies like Cluster API for installation and declarative lifecycle management of multiple clusters, we’re now seeing a path toward consistency in this respect across clouds.

We’re also seeing a shift in how our customers build their Kubernetes environments. Customers are shifting away from deploying one large cluster for workloads that is subdivided using namespaces. Instead customers are adopting a more resilient architecture that enables the deployment of many workload clusters and an ephemeral, “cluster-as-cattle” mentality to proactively reduce their business risk.

With installation becoming easier, and multi-cluster architectures becoming standard, what’s the next challenge to tackle? True multi-cluster management.

At VMware, we work with the world’s largest companies, for whom even a small-scale security breach would make front-page headlines. That means we had to approach the challenge of multi-cluster management with security and compliance as a top concern—while also considering enterprise size and scale concerns. Within large enterprise companies, Kubernetes adoption typically happens in pockets across application teams, who may be running Kubernetes in different environments. So we needed a solution to help our customers manage and govern multiple clusters, deployed across multiple clouds by multiple teams.

Earlier this month, we announced the availability of VMware Tanzu Mission Control. Tanzu Mission Control is a centralized management platform for consistently operating and securing Kubernetes infrastructure and modern applications across teams and clouds. Let’s take a closer look at how this solution can help you more rapidly adopt, scale, and secure Kubernetes across your organization.

Centralized management across teams and clouds

One of the key functionalities of Tanzu Mission Control is its ability to centralize your entire Kubernetes footprint across clusters, teams and clouds. This centralization allows for much more efficient management at scale.

Centralized multi-cluster lifecycle management

Tanzu Mission Control enables automated provisioning and lifecycle management of Kubernetes clusters across different environments. Today, it supports provisioning, scaling, upgrading and deleting clusters in Amazon EC2, with support for vSphere and other public clouds coming soon. It keeps your operational burden low, while providing access to the Kubernetes control plane if you need it, for security or auditing purposes. Behind the scenes the open source technology Cluster API brings declarative, Kubernetes-style APIs to cluster creation, configuration, and management. Check out this demo showing you how to add your AWS EC2 account to Tanzu Mission Control and provision new clusters.

Attachment of any CNCF-conformant clusters

In addition to provisioning clusters, Tanzu Mission Control also allows you to attach any CNCF-conformant clusters to the platform no matter where the clusters are running—on-prem, in public clouds, through various Kubernetes vendors such as Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), OpenShift, and at the edge. You now have your entire Kubernetes footprint under one single control point.

Existing clusters from different environments are attached to Tanzu Mission Control for centralized management

Centralized policy management and governance

Another unique feature of Tanzu Mission Control is its ability to group your clusters and namespaces across clouds for efficient policy management at scale. It allows you to group your clusters into Cluster Groups so you can easily apply policies to a fleet of clusters instead of using the old cluster-by-cluster approach. In addition, we have introduced a new concept called a Workspace, with which you can group namespaces together across multiple clusters for applying policies at scale. Currently Tanzu Mission Control supports the enforcement of access, image registry, and network policies, with more policies—like backup and recovery and pod security policies—coming soon. Check out the demo below to see how to apply access policy to a group of clusters using Tanzu Mission Control.

Global observability and diagnostics

With Tanzu Mission Control, you can view the health of all your clusters and workloads from a centralized point, for quick diagnosis and troubleshooting. For more advanced troubleshooting, you can also use third-party observability and monitoring solutions with Tanzu Mission Control, such as Prometheus or Tanzu Observability by Wavefront, to get deeper insights.

Tanzu Mission Control visualizes the health status of your Kubernetes components

Enable your developers with easy access to Kubernetes across clouds

With Tanzu Mission Control, Kubernetes operators can easily enable developers with self-service access to clusters and namespaces running in multiple clouds with its support for quick provisioning of new clusters across clouds. In addition, it also includes features to help really streamline such enablement.

Application-centric policy management

Modern applications today leverage microservices which may reside at different places on-prem or in clouds. This is why we introduced the Workspace concept to help you group different namespaces running in multiple clusters across multiple environments together. Such an application-centric approach really comes in handy when you manage your Kubernetes from a developer’s point of view. Operators can apply application-specific policy quickly to Workspaces so that your developers can easily and safely access the Kubernetes namespaces where their applications are running within all the guardrails put in place readily for them.

Instantly grant your developer access to a Workspace via the policy engine

Centralized authorization and authentication with easy access control

Tanzu Mission Control also expedites your developers’ access to Kubernetes through its centralized authentication and authorization and the ability to federate identity from multiple sources, such as AD, LDAP, and SAML. It uses VMware Cloud Services to manage access, allowing you to set up federation with your corporate domain. Your developers can use your organization's existing single sign-on and identity source to sign in to VMware Cloud Services and access the right Kubernetes resources.

Secure your Kubernetes footprint across teams and clouds

Tanzu Mission Control includes some key features to help address enterprise security needs.

Cluster inspection

Cluster inspection is a unique feature of Tanzu Mission Control which can be used as a preventative measure against potential risks. Today, Tanzu Mission Control supports conformance inspection, which validates the binaries running on your cluster and ensures that your cluster is properly installed, configured, and working according to industry standards. Under the hood of this feature is an open source technology called Sonobuoy, a diagnostic tool that makes it easier to understand the state of a Kubernetes cluster by running a set of Kubernetes conformance tests in a non-destructive manner. Sonobuoy is the tool that the CNCF uses for its own conformance testing.

Security policies

With Tanzu Mission Control, you will be able to efficiently apply security-related policies such as access policies, which allow you to make sure only the right person can access certain resources; image registry policies, which let you prevent unauthorized container images from being pulled and causing security breaches; and network policies, which enable you to define how pods communicate with each other and other network endpoints to improve your network security. More security-related policies are on the roadmap.

In summary, as a centralized Kubernetes management platform, Tanzu Mission Control provides enterprises with a single control point to give developers the independence they need to drive business forward, while enabling consistent management and operations for increased security and governance. To learn more about Tanzu Mission Control, check out our website, watch these product demos, and try the Hands-on-lab. If you are interested in talking to our Kubernetes expert for a tailored demo, contact us here.
