This topic describes how to create and use Kubernetes profiles for VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) provisioned Kubernetes clusters.
Kubernetes profiles enable TKGI cluster administrators and cluster managers to customize Kubernetes component settings for their TKGI-provisioned Kubernetes clusters.
You can use a TKGI Kubernetes profile to configure Kubernetes components, such as kube-apiserver
on the control plane or the kubelet
on each node. Uses for Kubernetes profiles include encrypting secrets in an etcd database, adding an OIDC provider, and using a ResourceQuota
admission control plugin. For more information about supported configurations, see TKGI Kubernetes Profile Use Cases below.
To create a TKGI Kubernetes profile:
To manage Kubernetes profiles:
To use a Kubernetes profile:
Only TKGI cluster administrators and TKGI cluster managers can work with Kubernetes profiles:
For information about the permissions required to create or use a Kubernetes profile, see Who Creates and Manages TKGI Kubernetes Profiles below.
To create and use a Kubernetes profile, you must have the either the pks.clusters.admin
or pks.clusters.manage
role.
If a user with the pks.clusters.admin-read-only
role attempts to create a Kubernetes profile, they see the following error:
You do not have enough privileges to perform this action. Please contact the TKGI administrator.
In the TKGI CLI, all commands that include k8s-profile
are aliased to also use kubernetes-profile
. For example, the tkgi k8s-profiles
and tkgi kubernetes-profiles
commands are equivalent.
For brevity, this documentation uses the k8s-
versions.
To create a TKGI Kubernetes profile:
Create a JSON-formatted Kubernetes profile. For information on the supported Kubernetes profile format, see TKGI Kubernetes Profile Format below.
Use the TKGI CLI to define the Kubernetes profile within TKGI. For information on creating the Kubernetes profile, see The tkgi create-k8s-profile
Command, below.
To create a Kubernetes profile, you must first define the profile configuration using a JSON-formatted file that specifies Kubernetes parameters. For information on the supported configurations, see TKGI Kubernetes Profile Parameters below.
The basic structure of a Kubernetes profile:
{
"name": "PROFILE-NAME",
"description": "PROFILE-DESCRIPTION",
"customizations": [
{
"component": "K8-COMPONENT-NAME",
"arguments": {
"KEY": "VALUE"
}
}
],
"experimental_customizations": [
{
"component": "K8-COMPONENT-NAME",
"arguments": {
"KEY": "VALUE"
}
}
]
}
Where:
PROFILE-NAME
is your name for the Kubernetes profile.PROFILE-DESCRIPTION
is a short description of the profile.K8-COMPONENT-NAME
is the name of the Kubernetes component to customize. For example, kube-apiserver
or kubelet
.KEY
is a supported Kubernetes component parameter. For example, service-node-port-range
, maximum-dead-containers
, or feature-gates
.VALUE
is a value for the parameter. For example, APIListChunking=true
.The Kubernetes profile JSON can include the following parameters:
Parameter | Type | Description |
---|---|---|
name * |
String | Name of the Kubernetes profile. |
description |
String | Description of the Kubernetes profile. |
customizations * |
Map | A block that defines supported, validated K8s options using the component , arguments ,and file-arguments parameters below. |
experimental_ |
Map | A block that defines unsupported, unvalidated K8s options using the component , arguments ,and file-arguments parameters below. |
component * |
String | The name of a K8s component, e.g. kubelet , kube-apiserver . |
arguments * |
Map | Parameters for each component, as one or more Key:Value pairs. Multiple values must be separated by commas, without spaces. |
file-arguments * |
Map | Parameters whose values are stored as files on the local machine. |
*Parameters marked with an *
are mandatory.
Note: If you specify the same parameter in both customizations
and experimental_customizations
, the configuration in customizations
takes precedence.
tkgi create-k8s-profile
CommandAfter you have defined a Kubernetes profile configuration in a JSON file you can create the Kubernetes profile in TKGI.
You must be either a TKGI cluster administrator or cluster manager to create a Kubernetes profile in TKGI.
To create a Kubernetes profile in TKGI, run the following TKGI CLI command:
tkgi create-k8s-profile CONFIGURATION-FILE
Where CONFIGURATION-FILE
is the path to a JSON configuration file defining your Kubernetes profile. For information on the required JSON file format, see Kubernetes Profile Format above.
For example:
cat profile3-docs.json
{
"name": "my-profile3",
"description": "My profile description",
"customizations": [
{
"component": "kube-apiserver",
"arguments": {
"service-node-port-range": "30000-40000"
}
}
],
"experimental_customizations": [
{
"component": "kubelet",
"arguments": {
"maximum-dead-containers": "1000",
"feature-gates": "APIListChunking=true"
}
}
]
}
user ~/workspace: ./tkgi create-k8s-profile k8s-profile3.json
Kubernetes profile my-profile3 successfully created
Tanzu Kubernetes Grid Integrated Edition cluster administrators and managers can perform the following operations on Kubernetes profiles and the clusters that use them:
To list available Kubernetes profiles, run the following command:
tkgi k8s-profiles
For example:
$ tkgi k8s-profiles
K8s-profile Owner Created Date
Basic-k8s-profile Alana Tue, 05 Nov 2019 16:28:15 PST
The command output differs by user role:
- pks.cluster.admin
see a list of Kubernetes profiles that all users created.
- pks.cluster.manage
see a list of only the Kubernetes profiles that they created.
To delete a Kubernetes profile, run the following command:
tkgi delete-k8s-profile KUBERNETES-PROFILE-NAME
Where KUBERNETES-PROFILE-NAME
is the name of the Kubernetes profile you want to delete.
For example:
$ user ~/workspace: ./tkgi delete-k8s-profile my-profile3
Are you sure you want to delete the Kubernetes profile my-profile3? (y/n): y
Deletion of my-profile3 completed
Note: You cannot delete a Kubernetes profile that is in use. Before deleting a Kubernetes profile, you must disassociate it from all clusters or delete all clusters it is associated with.
Both pks.clusters.admin
and pks.clusters.manage
users can delete Kubernetes profiles. If a pks.clusters.admin-read-only
user attempts to delete a Kubernetes profile, they see the following error:
You do not have enough privileges to perform this action. Please contact the TKGI administrator.
To view details of a TKGI Kubernetes profile, run the following command:
tkgi k8s-profile KUBERNETES-PROFILE-NAME
Where KUBERNETES-PROFILE-NAME
is the name of the Kubernetes profile you want to view.
For example:
tkgi k8s-profile Basic-k8s-profile
Name: Basic-k8s-profile
Owner: Alana
Created Date Tue, 05 Nov 2019 16:28:15 PST
Description: Kubernetes profile for customer A
….
<KEY> : <VALUE>
pks.cluster.admin
can view the details of any Kubernetes profile; users with the pks.cluster.manage
role can view details of Kubernetes profiles that they created.
Kubernetes profiles let you customize Kubernetes configuration parameters at the time of cluster creation. You can also assign a custom Kubernetes configuration to an existing cluster.
For information on how to assign a Kubernetes Profile to a cluster:
For information on the supported scenarios for using Kubernetes Profiles:
You can assign a Kubernetes profile to a Kubernetes cluster at the time of cluster creation.
To create an Tanzu Kubernetes Grid Integrated Edition-provisioned Kubernetes cluster with a Kubernetes profile, run the following command:
tkgi create-cluster CLUSTER-NAME --external-hostname HOSTNAME --plan PLAN-NAME --kubernetes-profile KUBERNETES-PROFILE-NAME
Where:
CLUSTER-NAME
is a unique name for your cluster. Note: Use only lowercase characters when naming your cluster if you manage your clusters with Tanzu Mission Control (TMC). Clusters with names that include an uppercase character cannot be attached to TMC.
HOSTNAME
is your external hostname used for accessing the Kubernetes API.PLAN-NAME
is the name of the Tanzu Kubernetes Grid Integrated Edition plan you want to use for your cluster.KUBERNETES-PROFILE-NAME
is the name of the Kubernetes profile you want to use for your cluster.TKGI supports changing the Kubernetes profile for an already created cluster. You can use this procedure to:
WARNING: Update the Kubernetes profile only on a TKGI cluster that has been upgraded to the current TKGI version. For more information, see Tasks Supported Following a TKGI Control Plane Upgrade in About Tanzu Kubernetes Grid Integrated Edition Upgrades.
This is the procedure to change a cluster’s Kubernetes profile:
Do one of the following
If you are updating a cluster that uses a public cloud CSI driver, see Limitations on Using a Public Cloud CSI Driver in Release Notes for additional requirements.
Run the following command to update the cluster with the new Kubernetes profile:
tkgi update-cluster CLUSTER-NAME --kubernetes-profile NEW-KUBERNETES-PROFILE-NAME
Where:
CLUSTER-NAME
is the name of the existing Kubernetes cluster.NEW-KUBERNETES-PROFILE-NAME
is the name of the new Kubernetes profile you want to apply to the cluster.A Kubernetes profile configures settings for Kubernetes components in two JSON code blocks, customizations
and experimental_customizations
. See Kubernetes Profile Format for details. The code blocks differ as follows:
customizations
block:
tkgi create-k8s-profile
on a profile with invalid configurations in customizations
, the command returns an error.experimental_customizations
block:
Warning: Experimental customizations are not validated or supported.
Kubernetes profiles let you customize the Kubernetes configuration parameters on a cluster.
Use cases for Kubernetes profiles include:
Use Case | Description |
---|---|
Encrypt a secret in an etcd database. | Use an encryption provider to encrypt secrets in a cluster’s etcd database. For more information, see Encrypt Secrets in an etcd Database. |
Limit the resource usage of incoming requests. | Use the ResourceQuota admission control plugin to restrict incoming requests by resource usage. For more information, see Admission Control: ResourceQuota below. |
Assign an IP range for the NodePort Service. | Use service-node-port-range to specify an IP range for for NodePort services. For more information, see Set Service Node Port Range below. |
Add an OIDC provider. | Customize a cluster’s OIDC provider by deploying a dex connector or other OIDC provider to its pod. For more information, see Adding an OIDC Provider. |
Restrict Apiserver client authentication. | Set requestheader-allowed-names for Apiserver client authentication. For more information, see Restrict Request Header Names below. |
Define the service cluster IP range. | Change the service cluster IP range. For more information, see Modify the Service Cluster IP Range below. |
Configure Pod Security Admission. | Configure cluster-specific PSA in TKGI. For more information, see Pod Security Admission in a TKGI Cluster in Pod Security Admission in TKGI. |
To create a Kubernetes profile that includes the ResourceQuota
admission control plugin:
Include the following customizations
in your profile configuration file:
"customizations": [
{
"component": "kube-apiserver",
"arguments": {
"enable-admission-plugins": PLUGINS-LIST
}
}
],
Where:
PLUGINS-LIST
is one of the following:
"ResourceQuota"
.ResourceQuota
.For more information, see ResourceQuota in the Kubernetes documentation.
To create a Kubernetes profile that uses service-node-port-range
for NodePort
type services:
Include the following customizations
in your profile configuration file:
"customizations": [
{
"component": "kube-apiserver",
"arguments": {
"service-node-port-range": PORT-RANGE
}
}
],
Where PORT-RANGE
is a CIDR notation IP range from which to assign service cluster IPs, such as 30000-40000
.
If the specified PORT-RANGE
is not valid, the tkgi create-k8s-profile
command returns an error invalid value for service-node-port-range
.
For more information, see Type NodePort in the Kubernetes documentation.
To create a Kubernetes profile that uses requestheader-allowed-names
for Apiserver client authentication:
Include the following customizations
in your profile configuration file:
"customizations": [
{
"component": "kube-apiserver",
"arguments": {
"requestheader-allowed-names": COMMON-NAMES
}
}
],
Where COMMON-NAMES
is a string list of valid Common Name values in the signed client certificate, such as "cn1.com,c2.com"
.
For more information, see Kubernetes Apiserver Client Authentication in the Kubernetes documentation.
To create a Kubernetes profile that modifies the service cluster IP range:
Include the following customizations
in your profile configuration file:
"customizations": [
{
"component": "kube-apiserver",
"arguments": {
"service-cluster-ip-range": IP-RANGE
}
}
],
Where IP-RANGE
is a CIDR notation IP range from which to assign service cluster IPs. The IP range can be a maximum of two dual-stack CIDRs and must not overlap with any IP ranges assigned to nodes or pods.
For more information, see kube-apiserver Options in the Kubernetes documentation.