Quick-Start Guide to Using VMware Tanzu Mission Control and vSphere with Tanzu Services

Explosive growth of web traffic and services is forcing organizations to modernize and optimize their infrastructures. Kubernetes is core to the strategy and modernization story, but it’s only one piece. As VMware engages with its customers, significant complexities and resource needs arise that are not always apparent in the planning stages of Kubernetes deployments. The complexity of even a single deployment can introduce delays and slow projects to a crawl. 

VMware Tanzu Mission Control is here to alleviate these complexities by ensuring that customers have consistent policy application on Kubernetes clusters throughout their organizations. This is done by unifying cluster management to a single control plane and grouping resources as a resource hierarchy.

This guide will help new users get started using Tanzu Mission Control to deploy Tanzu Kubernetes clusters on vSphere and show how to begin organizing clusters with cluster groups to enforce consistent policies on future clusters.

This guide is intended to get anyone started quickly and will show how to do the following:

  • Create a cluster group

  • Register a vSphere with Tanzu Services Supervisor Cluster with Tanzu Mission Control

  • Deploy a Tanzu Kubernetes cluster

  • Create a basic policy to disable pod security

Cluster prerequisites: 

  • vCenter 7u3c with Tanzu Services enabled 

  • vSphere namespace created

Cluster network connectivity:

  • Outbound internet connectivity from supervisor and workload cluster nodes – Tanzu Mission Control requirements

  • Dedicated virtual distributed switch (vDS) networks for workload cluster

Create a cluster group

Cluster groups are needed to logically group clusters for organizational purposes and policy application. It is a recommended practice to use cluster groups to avoid mistakes with cluster configuration because cluster groups provide the ability to easily apply cluster policies and settings.

Begin by accessing your Tanzu Mission Control console via the URL provided after purchase or trial sign-up. This usually comes in the form of: <orgname>.tmc.cloud.vmware.com.

Click Cluster groups on the left menu, then click Create cluster group and enter a name for the cluster group. The cluster group can be named anything such as test, prod, alpha, beta, etc.

Creating a cluster group in Tanzu Mission Control

Register a management cluster

The next phase will be registering the vSphere supervisor cluster as a Tanzu Mission Control management cluster. This provides Tanzu Mission Control the capability to provision and deploy Kubernetes clusters directly from the Mission Control interface without using the Tanzu CLI.

It is important to note that the vSphere supervisor cluster is the vSphere Kubernetes control plane and can be registered as a management cluster with Tanzu Mission Control, giving you the ability to provision Tanzu Kubernetes clusters.

Create the registration link in Tanzu Mission Control

Create the registration link for the supervisor cluster so that VMware Tanzu Kubernetes Grid clusters can be lifecycle managed and deployed through Tanzu Mission Control. 

Click Administration in the left menu bar, then Management clusters.

Creating a registration link for a supervisor cluster in Tanzu Mission Control

Next, click on the Register management cluster dropdown and click vSphere with Tanzu (vSphere 7 with workload management enabled).

Registering a management cluster in Tanzu Mission Control

In the first step of the registration wizard, be sure to select the cluster group created in earlier steps for the Default cluster group for managed workload clusters.

Selecting a cluster group in Tanzu Mission Control

Copy the registration URL that is generated in step 3, as you will need this in the following step.

Finding the registration URL for a management cluster in Tanzu Mission Control

Registering vSphere with Tanzu Services

Log in to your vCenter Server, click on the Inventory view, and click on the cluster with workload management enabled. Click the Configure tab, then scroll down to the TKG Service section, click Tanzu Mission Control, and paste the URL copied in the first step into the Registration URL box, then click Register.

Registering a cluster in Tanzu Mission Control

Once registration has completed, verify that the cluster appears in Tanzu Mission Control. Open Tanzu Mission Control and click Administration, then Management clusters, and verify your cluster shows in the list.

Verifying that a new cluster appears in Tanzu Mission Control

Create a Tanzu Kubernetes Grid workload cluster

To begin utilizing workloads on Tanzu Kubernetes Grid, a Tanzu Kubernetes cluster needs to be created.

This next step assumes that a namespace has already been created on the vSphere supervisor cluster; if you have not created one already, the steps to create a vSphere namespace can be followed here. The vSphere namespace you create will be referred to as a provisioner from within Tanzu Mission Control.

In Tanzu Mission Control, click Clusters on the left, then in the top-right corner, click Create cluster.

Creating the cluster

Select the management cluster that was registered to Tanzu Mission Control and click Continue to create cluster.

Selecting a management cluster in Tanzu Mission Control

In the next step, select the provisioner (which is the desired vSphere namespace) and click Next. Provide a cluster name and select the default cluster group that was created at the beginning. 

In step 3, select the Kubernetes version, network settings, and each desired storage class in the drop-down, then click Add storage class. You will know the storage class was added properly if the trash icon appears to the right of it.

Confirming correct storage class

Note: It is recommended to select a Default storage class. Otherwise, you may run into issues deploying pods with dynamic persistent volumes.

Under Default storage class, select the desired default. As you can see here, I am using “vsan-default-storage-policy”.

Click Next and select the deployment plan that fits your needs.

Selecting a deployment plan in Tanzu Mission Control

Click Next, select the desired node pool settings, such as worker count, and click Create cluster.

You will be taken to the status of the cluster where you can observe baseline health statistics once creation has completed.

Create a default security policy for testing

By default, Tanzu Kubernetes clusters have pod security policies (PSP) enabled, which prevent pods such as NGINX from running without proper permissions. Here, we are going to create a policy to disable these restrictions for the testing phase. Disable these policies for testing purposes only.

In the left menu, click Policies then Assignments. Click the Security tab, then select your cluster group. Click Create security policy.

Creating a default security policy in Tanzu Mission Control

Give the policy a name, then scroll down and toggle the radio button next to Disable native pod security policies.

Naming a security policy in Tanzu Mission Control

You will be prompted to confirm whether you want to disable native policies. Click Disable native policies.

Disabling native security policies in Tanzu Mission Control

For all production environments, it is highly recommended to re-enable these restrictions and scope your pods with the appropriate permissions. You can use the Disable policy enforcement toggle to log policy violations without enforcement so you can understand if you will encounter any pod issues prior to deployment.
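
What "scope your pods with the appropriate permissions" can look like once native pod security policies are re-enabled, as an added example that is not part of the original guide: a namespace-scoped RoleBinding that lets workloads use only the restricted PSP, and an NGINX Deployment written to pass it. The namespace `demo`, the object names and the `nginxinc/nginx-unprivileged` image are assumptions; `psp:vmware-system-restricted` is the ClusterRole that Tanzu Kubernetes clusters on vSphere are expected to ship, so confirm it exists on your cluster before applying.

```yaml
# Added example. Names marked "hypothetical" are assumptions, not from the guide.
# 1) Allow service accounts in one namespace to use the restricted PSP only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-serviceaccounts    # hypothetical name
  namespace: demo                         # hypothetical namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:vmware-system-restricted      # assumed present on the workload cluster
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:demo     # only service accounts in "demo"
---
# 2) NGINX that runs without root, so the restricted PSP admits it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web                               # hypothetical name
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      securityContext:
        runAsNonRoot: true                # reject the pod if the image would run as UID 0
        runAsUser: 101                    # nginx user in the unprivileged image (assumption)
      containers:
        - name: nginx
          image: nginxinc/nginx-unprivileged:stable   # assumed image; listens on 8080, not 80
          ports:
            - containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

Binding the group `system:serviceaccounts:demo` instead of `system:authenticated` keeps the grant limited to one namespace, and binding the restricted role rather than the privileged one means a pod that asks for root or host access is still rejected at admission.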

Because Tanzu Mission Control’s policy engine is powered by Open Policy Agent Gatekeeper, minimal changes will be needed when pod security policies are removed from Kubernetes.

Learn more

This quick-start guide has shown how to create a cluster group, register a vSphere with Tanzu Services supervisor cluster with Tanzu Mission Control, create a Tanzu Kubernetes cluster through Mission Control and create your first cluster security policy.

With these foundational steps completed, you can begin taking advantage of the Tanzu Mission Control resource hierarchy with image registry policies and security policies, and start providing developers access to the newly provisioned Tanzu Kubernetes Grid clusters.

To learn more about Tanzu Mission Control, check out these additional resources:
