Posts

When using the Antrea CNI, it takes care of ip address management for each of the pods that are deployed onto the worker nodes. It achieves this with an OVS bridge named br-int on each of the nodes in the Tanzu kuberentes clusters. The OVS bridge also has a tunnel port that will create an overlay tunnel to other nodes in the Tanzu kubernetes clusters to enable inter-pod comms. Each worker node in the Tanzu kubernetes cluster is assigned its own unique /24 subnet....

Tanzu Kubernetes Releases are Kubernetes distributions that are signed and supported by VMware for Tanzu Kubernetes Clusters. More info here There are two ways in which you can populate the Tanzu Kubernetes Releases(images) in your vSphere with Tanzu environment. These images are OVF templates that are backed by a Photon OS VM and about 16GB in size. More info here Use a subscribed content library. The subscribed content library will synchronize with a public VMware content library: https://wp-content....

To enable zero trust for the Supervisor Cluster and the guest cluster, you need to first define a default deny-all rule in the NSX-T distributed firewall. You can then allow the required ports as per https://ports.esp.vmware.com/home/vSphere-7 (Filter with the keyword “Tanzu “) The problem? vSphere with Tanzu expects to have a default allow-all rule. Specifically for egress (Source is Master VM Subnet and Destination is the whole cluster CIDR block) After enabling zero trust, the default deny-all rule blocks both ingress and egress traffic....

ESXi uses daemon sandboxing as a means of access control between Userworlds(hostd, vpxa, etc.) and Objects(Files, directories, network sockets, etc.) Secpolicytools helps you list and tweak the security policies that are defiend under each domain(daemon sandbox) [root@esx01:~] secpolicytools -h Usage: secpolicytools <options> -r|--reset Reset all policy rules. -p|--load-policy[policy dir] Load a predefined policy. A default dir of /etc/vmware/secpolicy will be used. -d|--display-policy Display the current policy. -D|--lookup-domain <label> Lookup the value of a domain label....

Lately I’ve been using multiple notes to keep a track of all the kubectl commands that I’ve come across when troubelshooting vSphere with Tanzu. The idea behind this post is to create a reference kubectl cheat sheet for all kubectl commands in vSphere with Tanzu. Login LOGIN TO A SUPERVISOR CLUSTER Command: kubectl vsphere login –server IP/FQDN -u USERNAME –insecure-skip-tls-verify Example: kubectl vsphere login --server kube.gs.labs -u administrator@vsphere.local --insecure-skip-tls-verify LOGIN TO A GUEST CLUSTER...