vSphere with Tanzu (VKS) integration with NSX-T Part-2

Introduction

In the first part of this series, we enabled vSphere with Tanzu on a compute cluster. This allows developers to use the cluster to run K8s and container-based applications. vSphere with Tanzu relies on NSX-T for networking, vSAN for storage, and so on.

In this part of the blog, we will set up a new Namespace for developers. Developers then have two options: they can deploy their container-based application as a vSphere Pod, or they can create a K8s cluster on top of the Namespace. We will also look at where resource limits are applied to a Namespace, although we do not enforce any in this lab.

Diagram

To deploy Kubernetes on the vSphere cluster, we have provisioned three ESXi hosts. These hosts are connected to a Distributed Switch (vDS) on uplink-1 (vmnic0) and uplink-2 (vmnic1) and are prepared for NSX-T. The compute cluster is already enabled for vSphere HA (default settings) and DRS (fully automated). An NSX Edge "SA-EDGE-01" and a Tier-0 gateway (K8s-Tier-0) are already deployed. The Tier-0 peers with the physical environment via BGP, and all routes are redistributed to the physical router. For storage, a vSAN (OSA) datastore has been created to provide storage to the K8s Pods.

In the first blog, we enabled Workload Management via the vSphere Client. A Supervisor consisting of three control plane VMs has been deployed, and a VIP is assigned to it. NSX-T native load balancing is used to load balance traffic to the Supervisor.

NB: In an upcoming part, we will validate the prerequisites for enabling Workload Management on a VI workload domain via SDDC Manager.

Configuration

Before we continue, we need to verify that the Supervisor was created. Navigate to Workload Management > Clusters. Cluster SA-Compute-01 is already enabled for vSphere with Tanzu, now called VMware Kubernetes Service (VKS). The Supervisor is reachable at IP address 192.168.30.33 or via an FQDN resolving to that IP address.

Let's create our first Namespace, "namespace-01". To create a namespace, navigate to Workload Management > Namespaces and click Create Namespace.

The new namespace is created on top of compute cluster "SA-Compute-01"; give it the name "namespace-01".

Our first namespace “namespace-01” has been created.

Now is the right time to give our developer team access to the Namespace. They can start creating their container-based applications as vSphere Pods, or build a Kubernetes cluster using either VKS (VMware Kubernetes Service) or the Tanzu Kubernetes Grid Service. To add permissions, click Add Permissions. Permissions are granted to vCenter SSO users or groups with a Can view or Can edit role scoped to this namespace only; grant developers Can edit on their own namespace rather than a vCenter-wide role, so a compromised developer account cannot reach other namespaces or the vSphere inventory.

Next, choose the storage policies that vSphere Pods or K8s clusters in this namespace may use. To add storage policies, click Add Storage.

K8s Storage Policy is our SPBM (Storage Policy Based Management) policy with FTT=1, RAID-1 on the vSAN datastore. Each policy assigned here is exposed inside the namespace as a Kubernetes StorageClass, so developers can only request storage that matches a policy we have approved.

We can enforce limits on the CPU, memory, and storage that a namespace may consume; these limits are applied in the namespace as Kubernetes ResourceQuota objects. In this series, however, we are not enforcing any limits on the newly created namespace. Without limits, a single namespace can consume the whole cluster, so in a shared environment set at least CPU and memory limits per namespace.

Finally, we need to assign a VM class to our namespace. Multiple VM classes can be assigned to a namespace. VKS uses the VM class to size the K8s control plane and worker nodes.

In our lab, we selected the best-effort-small VM class for "namespace-01" due to resource constraints. Best-effort classes carry no CPU or memory reservation, so node VMs compete for resources with everything else on the cluster.

So far, we have successfully enabled Workload Management and built our first namespace, "namespace-01".

We haven't configured any vSphere Pods or VKS clusters in the namespace yet. We will provision a vSphere Pod in the next part of this series.

Let's verify the same namespace using the kubectl command line interface.
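Added example, not code from the post: a small POSIX shell script that logs in to the Supervisor and checks from kubectl that the namespace is Active and that the storage class and VM class selected in the wizard are visible inside it. It assumes kubectl and the kubectl-vsphere plugin are installed, that the Supervisor is reachable at 192.168.30.33 as in the post, and that the "K8s Storage Policy" appears as the StorageClass k8s-storage-policy (policy name lowercased, spaces replaced by hyphens). The environment variable names, the KUBECTL stub hook and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): verify from kubectl what the vSphere Client
# wizard created for namespace-01. Assumptions: kubectl and the kubectl-vsphere
# plugin are installed, SUPERVISOR holds the Supervisor IP (192.168.30.33 in the
# post) and the SSO user has a permission on the namespace. KUBECTL can be
# pointed at a stub so the checks can be exercised without a Supervisor.
KUBECTL="${KUBECTL:-kubectl}"
NS="${NS:-namespace-01}"
# Storage policy names become StorageClass names (lowercase, spaces to hyphens),
# so "K8s Storage Policy" is expected to show up as k8s-storage-policy.
EXPECTED_SC="${EXPECTED_SC:-k8s-storage-policy}"
EXPECTED_VMCLASS="${EXPECTED_VMCLASS:-best-effort-small}"

# Log in to the Supervisor and switch to the namespace context the plugin creates.
# The plugin validates the Supervisor certificate; trust the Supervisor CA rather
# than passing --insecure-skip-tls-verify outside a throwaway lab.
sv_login() {
  "$KUBECTL" vsphere login --server="$1" --vsphere-username="$2"
  "$KUBECTL" config use-context "$NS"
}

ns_phase()           { "$KUBECTL" get namespace "$NS" -o jsonpath='{.status.phase}'; }
ns_storage_classes() { "$KUBECTL" get storageclass -o jsonpath='{.items[*].metadata.name}'; }
# VM classes are listed per namespace; older releases expose virtualmachineclassbindings instead.
ns_vm_classes()      { "$KUBECTL" get virtualmachineclass -n "$NS" -o jsonpath='{.items[*].metadata.name}'; }
# Limits set in the vSphere Client appear in the namespace as ResourceQuota objects.
ns_quotas()          { "$KUBECTL" get resourcequota -n "$NS" -o jsonpath='{.items[*].metadata.name}'; }

# has_word NEEDLE "a b c": true if NEEDLE is one of the space-separated words.
has_word() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# Returns 0 only if the namespace is Active and the storage class and VM class
# chosen in the wizard are visible; prints one line per check.
verify_namespace() {
  rc=0
  phase=$(ns_phase)
  if [ "$phase" = "Active" ]; then echo "ok   namespace $NS is Active"
  else echo "FAIL namespace $NS phase is '$phase'"; rc=1; fi
  if has_word "$EXPECTED_SC" "$(ns_storage_classes)"; then echo "ok   storage class $EXPECTED_SC published"
  else echo "FAIL storage class $EXPECTED_SC not found"; rc=1; fi
  if has_word "$EXPECTED_VMCLASS" "$(ns_vm_classes)"; then echo "ok   VM class $EXPECTED_VMCLASS assigned"
  else echo "FAIL VM class $EXPECTED_VMCLASS not assigned"; rc=1; fi
  quotas=$(ns_quotas)
  echo "info resource quotas in $NS: ${quotas:-none (no limits enforced)}"
  return "$rc"
}

# Only talk to a real Supervisor when one is given, so the file can be sourced.
if [ -n "${SUPERVISOR:-}" ]; then
  sv_login "$SUPERVISOR" "${SSO_USER:-administrator@vsphere.local}"
  verify_namespace
fi
```

Run it as `SUPERVISOR=192.168.30.33 SSO_USER=dev@vsphere.local sh verify-namespace.sh`. The login must be done as a user that was granted a permission on the namespace; otherwise the plugin creates no `namespace-01` context and the `use-context` step fails, which is itself a useful check that the permission from Add Permissions took effect. With no limits configured, the quota line reports none, which is what we expect for this lab.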

Summary

In the first part of this series, we enabled vSphere with Tanzu on a compute cluster. This allows developers to use the cluster to run K8s and container-based applications. vSphere with Tanzu leverages NSX-T for networking, vSAN for storage, and so on.

In this part, we successfully created our first namespace, namespace-01, and configured the necessary permissions, storage policies and VM classes, and reviewed where resource limits are set. A content library can also be associated with the namespace.

In upcoming parts, we will provision vSphere Pods and a TKG cluster, enable a Harbor registry, and deploy our first application on K8s. We will also verify the requirements from SDDC Manager for enabling VMware Kubernetes Service on a VI workload domain.
