Managing Kubernetes at Enterprise Scale: A Closer Look at Tanzu Mission Control

March 19, 2020 Ning Ge

As Kubernetes continues to mature—it’s currently rounding the corner toward its sixth birthday—we’ve started to see a shift in terms of the challenges our customers need to solve.

Initially, Kubernetes installation was complex. As multiple solutions for installation and lifecycle management sprang up, companies seeking to adopt Kubernetes had to figure out the right approach. Now, with the open-source community standardizing on technologies like Cluster API for installation and declarative lifecycle management of multiple clusters, we’re seeing a path toward consistency across clouds.

We’re also seeing a shift in how our customers build their Kubernetes environments. Customers are shifting away from deploying one large cluster for workloads that is subdivided using namespaces. Instead, they are adopting a more resilient architecture that enables the deployment of many workload clusters and an ephemeral “cluster-as-cattle” mentality to proactively reduce their business risk. 

With installation becoming easier, and multi-cluster architectures becoming standard, what’s the next challenge to tackle? True multi-cluster management. At VMware, we work with the world’s largest companies, for which even a small-scale security breach could make front-page headlines. That means we had to approach the challenge of multi-cluster management with security and compliance as a top concern—while also considering enterprise size and scale. Within large enterprises, Kubernetes adoption typically happens in pockets across application teams, who may be running it in different environments. So we needed a solution that would help our customers manage and govern multiple clusters deployed across multiple clouds by multiple teams. 

To that end, earlier this month we announced the availability of VMware Tanzu Mission Control, a centralized management platform for consistently operating and securing Kubernetes infrastructure and modern applications across teams and clouds. 

Let’s take a closer look at how this solution can help you rapidly adopt, scale and secure Kubernetes across your organization. 

Centralized management across teams and clouds  

One of the key capabilities of Tanzu Mission Control is its ability to centralize your entire Kubernetes footprint across clusters, teams and clouds. This centralization allows for much more efficient management at scale. 

Centralized multi-cluster lifecycle management 

Tanzu Mission Control enables automated provisioning and lifecycle management of Kubernetes clusters across different environments (it currently supports provisioning, scaling, upgrading and deleting clusters in Amazon EC2). It keeps your operational burden low, while providing access to the Kubernetes control plane, when you need it, for security or auditing purposes. Behind the scenes, the open-source technology Cluster API brings declarative, Kubernetes-style APIs to cluster creation, configuration and management. 

Check out this demo showing you how to add your AWS EC2 account to Tanzu Mission Control and provision new clusters. 

Attachment of CNCF-conformant clusters 

In addition to provisioning clusters, Tanzu Mission Control allows you to attach any CNCF-conformant clusters to the platform, no matter where they are running—on-prem; in public clouds; through various Kubernetes offerings such as Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), Google Kubernetes Engine (GKE), and OpenShift; and at the edge. You now have your entire Kubernetes footprint under one single control point.


Existing clusters from different environments are attached to Tanzu Mission Control for centralized management. 

Centralized policy management and governance

Another unique feature of Tanzu Mission Control is its ability to group your clusters and namespaces across clouds for efficient policy management at scale. It allows you to gather your clusters into Cluster Groups so you can easily apply policies to a fleet of clusters instead of using the old, cluster-by-cluster approach. In addition, we have introduced a new concept called Workspaces, which you can use to group namespaces together across multiple clusters to apply policies at scale. Currently, Tanzu Mission Control supports the enforcement of access, image registry and network policies. 

Check out the demo below to see how to apply access policy to a group of clusters using Tanzu Mission Control. 

Global observability and diagnostics

With Tanzu Mission Control, you can view the health of all your clusters and workloads from a centralized point for quick diagnosis and troubleshooting. For more advanced troubleshooting, you can also use third-party observability and monitoring solutions, such as Prometheus or Tanzu Observability by Wavefront, with Tanzu Mission Control to get deeper insights.

Tanzu Mission Control visualizes the health status of your Kubernetes components.

Enable your developers with easy access to Kubernetes across clouds

With Tanzu Mission Control’s support for quick provisioning of new clusters across clouds, Kubernetes operators can easily enable developers with self-service access to clusters and namespaces running in multiple clouds. In addition, Tanzu Mission Control includes a few other features to help streamline such enablement.

Application-centric policy management

Modern applications leverage microservices, which may reside at different places on-prem or in clouds. This is why we introduced the Workspaces concept, to help group together different namespaces running in multiple clusters across multiple environments. This application-centric approach really comes in handy when you need to manage Kubernetes from a developer’s point of view. Operators can quickly apply application-specific policy to workspaces so that developers can easily and quickly access the Kubernetes namespaces where their applications are running, within all the guardrails put in place readily for them.

Instantly grant your developer access to a workspace via the policy engine.

Centralized authorization and authentication with easy access control

Tanzu Mission Control also expedites your developers’ access to Kubernetes through its centralized authentication and authorization and the ability to federate identity from multiple sources, such as AD, LDAP and SAML. It uses VMware Cloud Services to manage access, allowing you to set up federation with your corporate domain. Your developers can use your organization's existing single sign-on and identity source to sign in to VMware Cloud Services and access the right Kubernetes resources. 

Enhance the security of your Kubernetes footprint across teams and clouds

Tanzu Mission Control includes some key features to help address enterprise security needs.

Cluster inspection

Cluster inspection is a unique feature of Tanzu Mission Control, and can be used as a preventative measure against potential risks. Tanzu Mission Control today supports conformance inspection, which validates the binaries running on your cluster and checks if your cluster is properly installed, configured and working according to industry standards. 

Under the hood of this feature is an open-source technology called Sonobuoy, which is a diagnostic tool that makes it easier to understand the state of a Kubernetes cluster by running a set of Kubernetes conformance tests in a non-destructive manner. Sonobuoy is the tool that the CNCF uses for its own conformance testing.

Security policies

With Tanzu Mission Control, you will be able to efficiently apply security-related policies, such as: 

  • access policies, which allow you to make sure only the right person can access certain resources; 

  • image registry policies, which let you block the pulling of unauthorized container images that could lead to security breaches; 

  • network policies, which enable you to define how pods communicate with each other as well as with other network endpoints to improve network security. 
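To make the image registry policy above concrete, here is an added example of the decision such a policy has to make before a workload is admitted. This is illustrative code written for this post, not Tanzu Mission Control's own implementation; the allow-listed registry names and the two Pod manifests are constructed, and the parsing follows the standard container image reference convention (a first path component counts as a registry only if it contains a dot or a colon or is `localhost`, otherwise the image is an implicit Docker Hub reference).

```python
"""Image registry allow-list check over Kubernetes Pod specs.

Added example, not Tanzu Mission Control code. It shows why a registry
policy must look at every image in a Pod (init, regular and ephemeral
containers) and must parse references carefully: a tag or a digest also
contains ':' and must not be mistaken for a registry host.
"""
from typing import Dict, List, Set, Tuple

# Constructed allow-list: registries from which images may be pulled.
ALLOWED_REGISTRIES: Set[str] = {
    "registry.example.internal",
    "ghcr.example.internal:5000",
}


def registry_of(image: str) -> str:
    """Return the registry host of a container image reference.

    Convention: the first '/'-separated component is a registry only when it
    contains '.' or ':' or equals 'localhost'; otherwise the reference is an
    implicit docker.io (Docker Hub) image such as 'nginx:1.25' or 'library/nginx'.
    """
    # Strip a digest (@sha256:...) first so its ':' is never read as a port.
    name = image.split("@", 1)[0]
    first, sep, _rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def container_images(pod: Dict) -> List[str]:
    """Collect every image the Pod could pull, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    images: List[str] = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(key, []):
            images.append(container["image"])
    return images


def evaluate_pod(pod: Dict, allowed: Set[str] = ALLOWED_REGISTRIES) -> Tuple[bool, List[str]]:
    """Return (admitted, violations).

    The Pod is admitted only if every image comes from an allow-listed
    registry; each offending image is reported so the operator can act on it.
    """
    violations: List[str] = []
    for image in container_images(pod):
        registry = registry_of(image)
        if registry not in allowed:
            violations.append(f"{image} (registry {registry!r} not in allow-list)")
    return (not violations, violations)


# Constructed sample manifests (trimmed to the fields the check needs).
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "api", "namespace": "team-a"},
    "spec": {
        "containers": [
            {"name": "api", "image": "registry.example.internal/team-a/api:1.4.2"},
            {"name": "sidecar", "image": "ghcr.example.internal:5000/mesh/proxy@sha256:" + "a" * 64},
        ],
    },
}

NONCOMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "batch", "namespace": "team-a"},
    "spec": {
        # The init container pulls an implicit Docker Hub image, which the
        # allow-list does not permit even though the main container is fine.
        "initContainers": [{"name": "init", "image": "busybox:1.36"}],
        "containers": [{"name": "job", "image": "registry.example.internal/team-a/job:2.0"}],
    },
}

if __name__ == "__main__":
    for pod in (COMPLIANT_POD, NONCOMPLIANT_POD):
        admitted, violations = evaluate_pod(pod)
        print(pod["metadata"]["name"], "admitted" if admitted else "rejected", violations)
```

The same check generalizes to Deployments, StatefulSets and Jobs by pointing `container_images` at the embedded Pod template, which is where a fleet-wide registry policy is most useful: a single missed init container is enough to pull from an unapproved source.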

In summary, Tanzu Mission Control, a centralized Kubernetes management platform, provides enterprises with a single control point to give developers the independence they need to drive business forward while enabling consistent management and operations for increased security and governance. 

To learn more about Tanzu Mission Control, check out our website, watch these product demos, or try a hands-on lab. If you are interested in talking to our Kubernetes experts for a tailored demo, contact us here.

About the Author

Ning Ge

Ning currently works as a product line marketing manager in VMware’s Modern Apps Platform business unit, responsible for product marketing for VMware’s Kubernetes portfolio of products and services. Ning has over 8 years’ experience in the infrastructure and middleware business, with 4 years’ experience working on container and Kubernetes technologies and products.
