The last few months have been busy for the Tanzu Mission Control team. Since we launched the product in March, we have been working diligently every day to add more capabilities and features to the platform to help enterprises deliver a vision of true multicluster management across clouds.
Today we are proud to announce data protection, the latest capability designed to help enterprises more confidently and safely run critical workloads on Kubernetes. Now, with Tanzu Mission Control, cluster administrators can centrally manage data protection on their clusters across multiple environments with just a few clicks of a mouse, easily backing up and restoring their Kubernetes clusters and namespaces.
Tanzu Mission Control data protection
Every IT shop knows the importance of business continuity and service resilience. For as long as data has been written to digital media, there has been a need to save copies of it in the form of backups, “just in case.” For equally as long, data protection has been a key practice supporting companies’ disaster recovery and service resilience plans. Every IT discipline that deals with stateful data has a backup and recovery plan. As a Kubernetes administrator, you also need a data protection strategy that determines how you will recover your clusters and deployments “just in case.”
Kubernetes maintains a lot of state stored in the cluster itself, not just your application state. There are config maps, custom resource definitions, and secrets stored in the Kubernetes control plane, all of which are critical to your clusters’ operations. Protecting that data is as critical as it is with any other element of your IT infrastructure, so it should be covered by data protection and your disaster recovery plan.
Given that most of Kubernetes’ resources are ephemeral, it has often been thought of as a platform for stateless workloads. Initially, IT administrators formed similar opinions about virtualized and public cloud infrastructure. But Kubernetes resources like stateful sets and persistent volumes have matured to the point where IT operators feel comfortable deploying their stateful applications into their clusters. As this happens, you can no longer simply redeploy them. They too need to become assets protected by your data recovery strategy.
At VMware, we understand the needs and expectations of IT operations. It’s why we developed VMware Tanzu Mission Control, to provide a single point of control for your fleet of Kubernetes clusters.
In keeping with that vision, Tanzu Mission Control data protection is a point of control for backups and restores across your fleet. From the Tanzu Mission Control console/CLI/API, cluster administrators can easily back up and restore entire clusters or just a few applications. Developers, meanwhile, can rapidly clone namespaces from backup to allow testing of new features against a “point in time” dataset, or verify a new integration with a “known good” version of another application.
Data protection in VMware Tanzu Mission Control
Tanzu Mission Control data protection is built on a solid, open source foundation using the super popular Velero project. Tanzu Mission Control installs and manages the lifecycle of Velero so you don’t have to. Instead of operating Velero directly in every cluster, Tanzu Mission Control’s UI, CLI, or API allows you to centrally create backups and restores of all of your clusters regardless of where they are located.
You can back up and restore clusters, namespaces, and even groups of resources using Kubernetes label selectors. Tanzu Mission Control automatically passes these commands through its cluster agent technology and Velero executes the backups, delivering status, errors, and other details.
Tanzu Mission Control users can take advantage of data protection on any managed cluster, whether it was provisioned by Tanzu Mission Control or is attached, such as your TKGI clusters, for example. Simply enable data protection on the cluster from Tanzu Mission Control and our cluster agent goes to work installing Velero and making it ready for your first backup.
Tanzu Mission Control managed backup storage
The first iteration of data protection uses Amazon AWS’ S3 Object store in your account as an encrypted, fully managed backup target. Any persistent volumes attached to your pods will also be automatically snapshotted in AWS Elastic Block Store (EBS) and will be fully recoverable. To ensure that backups are securely stored, we isolate them in your S3 bucket and use short-lived passwords rotated every 30 minutes to control access. Of course, since it is your S3 bucket and EBS, in your account, you are always in control of the backup media; VMware is never in possession of your application data.
Backups are performed on a per-cluster basis and can save the entire cluster or a portion of it using namespaces or label selectors. When configuring a backup, set the backup retention period and Tanzu Mission Control data protection will remove old backups from storage, automatically minimizing your overall storage costs. When the time comes to delete a cluster, you can have Tanzu Mission Control clean up your backup storage or choose to retain it for future restores of the data to a new cluster.
Oops, someone just deleted a namespace by accident! Not to worry, you can use Tanzu Mission Control data protection to recover the namespace along with any persistent volumes from any of the cluster’s backups. Like with backups, you can recover an entire cluster or just a namespace or resource matching a label selector. Also like a backup, you will receive a detailed status or error report upon the completion of the restore job.
Other recent Tanzu Mission Control highlights
Besides data protection, we also recently released a number of new features to help our customers strengthen security and improve Kubernetes management.
Center for Internet Security (CIS) Benchmark inspection
Tanzu Mission Control inspections now supports a new scan type for your clusters using the CIS Benchmark. This new inspection will allow you to baseline the configuration of your deployed cluster and ensure it maintains compliance with this important industry security standard.
Provisioning clusters into existing VPCs
You can now use Tanzu Mission Control to provision clusters directly into your existing Amazon AWS Virtual Private Clouds (VPCs). You may have VPCs that are preconfigured with approved security groups, VPC peering, Marketplace apps, etc. Now your Tanzu Mission Control clusters can be targeted to deploy in those VPCs, sparing you the additional configuration.
Advanced cluster networking configuration
Do you have a need for a specific IP to address your Tanzu Mission Control-provisioned clusters? Maybe you have a Direct Connect or transit VPC that requires you to avoid overlapping IP addresses. Tanzu Mission Control now gives you additional controls to declare your pod and service network IP blocks using classless interdomain routing (CIDR) notation, which enables you to better fit your clusters into your existing network architecture.
IaaS account permissions
TMC allows you to create IaaS accounts and connect your AWS account to provision clusters and create backups. Now you can restrict and assign access to those accounts using Tanzu Mission Control access policies. In this way, you can limit access to different AWS accounts across your cluster groups so each team only sees authorized AWS accounts in which to create their clusters.
Audit log export
Tanzu Mission Control continuously collects and stores logs of audit events describing activities that occur in your organization. You can use it to generate and download reports of these events to understand "who" did "what" and "when."
We are adding new capabilities and features to our platform on a regular basis; please check Tanzu Mission Control release notes for the latest. To learn more about the platform in general, check our website or listen to this webcast. If you are interested in trying Tanzu Mission Control, contact us for a free trial.