This topic describes how to deactivate VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) cluster admission control plugins.
For more information about Admission Control Plugins, see Using Admission Control Plugins for Tanzu Kubernetes Grid Integrated Edition Clusters.
Deactivating a Single Admission Control Plugin
To deactivate a single admission control plugin, do the following:
- Log in to VMware Tanzu Operations Manager (Ops Manager).
- Click the Tanzu Kubernetes Grid Integrated Edition tile.
- Select the plan where you configured the admission control plugin, such as Plan 1.
- Deselect the admission control plugin.
- Click Save.
- In the Errands pane, verify that Upgrade all clusters errand is activated.
- Return to Installation Dashboard and select Review Pending Changes.
- Click Apply Changes.
Alternatively, instead of enabling Upgrade all clusters errand, you can upgrade individual Kubernetes clusters through the TKGI Command Line Interface (TKGI CLI). For instructions on upgrading individual Kubernetes clusters, see Upgrading Clusters.
Deactivating an Orphaned Admission Control Plugin
The Ops Manager UI does not let you deselect (deactivate) all admission control plugins.
In other words, after an admission control plugin is activated, the Ops Manager UI requires that at least one admission control plugin check box is selected (activated).
To deactivate an orphaned Admission control Plugin, complete the following workflow:
- Obtain the FQDN, user name, and password of your Ops Manager.
- Authenticate into the Ops Manager API and retrieve a UAA access token to access Ops Manager. For more information, see Using the Ops Manager API.
-
Obtain the BOSH deployment name for the Tanzu Kubernetes Grid Integrated Edition tile by doing one of the following options:
-
Option 1: Use the Ops Manager API:
-
In a terminal, run the following command:
curl -i "https://OPS-MAN-FQDN/api/v0/staged/products" -X GET -H "Authorization: Bearer UAA-ACCESS-TOKEN" -k - In the output, locate the
installation_namethat begins withpivotal-container-service. - Copy the entire BOSH deployment name, including the unique GUID. For example,
pivotal-container-service-4b48fc5b704d54c6c7de.
-
-
Option 2: Use the Ops Manager UI:
- In Ops Manager, click the Tanzu Kubernetes Grid Integrated Edition tile.
-
Copy the BOSH deployment name including the GUID from the URL:
The deployment name contains “pivotal-container-service” and a unique GUID string. For example,pivotal-container-service-4b48fc5b704d54c6c7de.
-
-
To deactivate the orphaned admission control plugin, run the following Ops Manager API command:
curl -i "https://OPS-MAN-FQDN/api/v0/staged/pivotal-container-service-GUID/properties" \ -H "Authorization: Bearer UAA-ACCESS-TOKEN" \ -X PUT -d '{"properties": {".properties.PLAN-NUMBER_selector.active.admission_plugins":{"value":[]}}}' \ -H "Content-Type: application/json"Where:
OPS-MAN-FQDNis the URL of your Ops Manager.pivotal-container-service-GUIDis the BOSH deployment name of your Tanzu Kubernetes Grid Integrated Edition that you retrieved earlier in this procedure.UAA-ACCESS-TOKENis the UAA token you retrieved earlier in this procedure.PLAN-NUMBERis the plan configuration you want to update. For example,plan1orplan2.
For example:
$ curl -i "https://pcf.example.com/api/v0/staged/products/pivotal-container-service-4b48fc5b704d54c6c7de/properties" \ -H "Authorization: Bearer aBcdEfg0hIJKlm123.e" \ -X PUT -d '{"properties": {".properties.plan1_selector.active.admission_plugins":{"value":[]}}}' \ -H "Content-Type: application/json" -
From the output, verify that the command returns a
HTTP 200status code. -
Validate your manifest change in the Ops Manager UI. Do the following:
- Log in to Ops Manager.
- Select Review Pending Changes.
- On the Review Pending Changes pane, navigate to the Tanzu Kubernetes Grid Integrated Edition section and select SEE CHANGES.
-
Verify that the admission control plugins are displayed as removed in the Manifest section. For example:
-
Click Apply Changes.
