This topic provides considerations for using the NSX Policy API with VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) on vSphere.
Warning: The NSX Policy API feature is available at only 50% of NSX Management Plane API scale with VMware NSX v4.0.1.1. For detailed scale numbers, see NSX 4.0.1 Configuration Limits. To use Policy API at 100% of Management Plane API scale, you require VMware NSX v4.1.1.
NSX Policy API Support
The NSX Policy API is the next-generation interface for integrating with the NSX networking and security framework.
In addition to supporting the NSX Management API, TKGI supports using the NSX Policy API to deploy Tanzu Kubernetes Grid Integrated Edition on vSphere.
If you are planning on using the NSX Policy API, keep in mind that only new deployments of TKGI are supported. You cannot configure an existing installation of TKGI to use the NSX Policy API.
In addition, while all TKGI functionality is supported in both NSX modes, Policy and Management, there are some differences to be aware of when configuring NSX objects for TKGI, and when configuring the BOSH and TKGI tiles. These differences are described in more detail below.
NSX Versions
To use the NSX Policy API with your TKGI installation, you must use a supported NSX version. Refer to the Release Notes.
NSX Deployment Topologies
Tanzu Kubernetes Grid Integrated Edition on vSphere with NSX supports several deployment topologies.
Currently Tanzu Kubernetes Grid Integrated Edition on vSphere with NSX Policy API supports all network topologies except the VSS/VDS topology.
NSX Installation
To use the NSX Policy API, there are no changes required to the installation of the main NSX components, including NSX Manager and Edge Nodes.
For installation instructions, see Installing Tanzu Kubernetes Grid Integrated Edition on vSphere with NSX Data Center.
NSX Objects for Kubernetes Clusters
To use the NSX Policy API, you must configure the required NSX control plane objects using the NSX Policy API or UI. Specifically, you must configure the Tier-0 Router (called Gateway in the Policy terminology), the Nodes IP Block, the Pods IP Block, and the Floating IP Pool need to be created using the Policy API or UI.
For specific instructions on creating the required objects, see Create the NSX Objects for Kubernetes Clusters Provisioned by TKGI.
TKGI Configuration
When you configure the BOSH Director tile for Tanzu Kubernetes Grid Integrated Edition, you must enable the option vCenter Config > NSX Networking > Use NSX Policy API. See Configure NSX Networking.
Also, when you configure the TKGI tile in Ops Manager, you must enabled Settings > Networking > NSX > Policy API mode. See Configure TKGI Networking.
Management Console
If you are using the TKGI Management Console, you need to select the Policy API in the TKGI configuration section.
Network Profile
Tanzu Kubernetes Grid Integrated Edition on vSphere with NSX supports the use of Network Profile for modifying specific NSX settings post-installation. A limited number of network profile use cases are not supported when using TKGI with the NSX Policy API.
The Tanzu Kubernetes Grid Integrated Edition on vSphere with NSX Policy API does not support either the “Top Firewall” or the “Bottom Firewall” DFW Section Markers. For more information, see DFW Section Markers.
The Tanzu Kubernetes Grid Integrated Edition on vSphere with NSX Policy API does not support NSGroups if you create the group in a domain other than the default. With the Policy API, a group must be part of a domain. The default domain is supported, and if you create the group using the NSX Policy interface, the group is automatically put in the default domain. However, if you use the Policy REST API to create a group in a domain other than the default, it is not supported.
