This topic describes how to define network profiles for VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) provisioned Kubernetes clusters on vSphere with NSX.
Bootstrap Security Group
Most of the NSX-T virtual interface tags used by Tanzu Kubernetes Grid Integrated Edition are added to the Kubernetes control plane node or nodes during the node initialization phase of cluster provisioning. To add tags to virtual interfaces, the Kubernetes control plane node needs to connect to the NSX-T Manager API. Network security rules provisioned prior to cluster creation time do not allow nodes to connect to NSX-T if the rules are based on a Namespace Group (NSGroup) managed by Tanzu Kubernetes Grid Integrated Edition.
To address this bootstrap issue, Tanzu Kubernetes Grid Integrated Edition exposes an optional configuration parameter in Network Profiles to systematically add Kubernetes control plane nodes to a pre-provisioned NSGroup. The BOSH vSphere cloud provider interface (CPI) has the ability to use the NSGroup to automatically manage members following the BOSH VM lifecycle for Kubernetes control plane nodes.
To configure a Bootstrap Security Group, complete the following steps:
- Create the NSGroup in NSX Manager prior to provisioning a Kubernetes cluster using Tanzu Kubernetes Grid Integrated Edition. For more information, see Create an NSGroup in the NSX-T documentation.
-
Define a network profile that references the NSGroup UUID that the BOSH CPI can use to bootstrap the control plane node or nodes.
For example, the following network profile specifies an NSGroup for the BOSH CPI to use to dynamically update Kubernetes control plane node memberships:{ "name": "np-boot-nsgroups", "description": "Network Profile for Customer B", "parameters": { "master_vms_nsgroup_id": "9b8d535a-d3b6-4735-9fd0-56305c4a5293" } }
You cannot modify the Bootstrap Security Group configuration on an existing cluster.
