Prepare to Deploy Management Clusters

Before you can use the Tanzu CLI or installer interface to deploy a management cluster, you must make sure that your infrastructure provider is correctly set up.

• For information about how to set up a vSphere infrastructure provider, see Prepare to Deploy Management Clusters to vSphere.
• For information about how to set up an Amazon EC2 infrastructure provider, see Prepare to Deploy Management Clusters to Amazon EC2.
• For information about how to set up a Microsoft Azure infrastructure provider, see Prepare to Deploy Management Clusters to Microsoft Azure.

External Identity Management

For production deployments, VMware recommends enabling external identity management on each management cluster, to control access to it and its workload clusters.

• For information about the preparatory steps to perform before you deploy a management cluster, see Obtain Your Identity Provider Details in Configure Identity Management.
• For conceptual information about identity management and access control in Tanzu Kubernetes Grid, see About Identity and Access Management.

FIPS-Capable Version (v1.5.3)

To prepare to deploy a FIPS-capable Tanzu Kubernetes Grid v1.5.3 management cluster on vSphere, with a Bill of Materials (BoM) that only lists components that are compiled with and use FIPS-compliant cryptography modules:

1. Import a FIPS-enabled Kubernetes v1.22.8 OVA into vSphere, as described in Import a Base Image Template into vSphere.

2. On your bootstrap machine, set the following environment variable:

   export TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH=fips/tkg-compatibility
   

3. If you have a ~/.config/tanzu/tkg directory from installing the Tanzu CLI previously, remove or rename its bom and compatibility directories:

   mv bom bom.old
   mv compatibility compatibility.old
   

4. Set tls-cipher-suites flags to FIPS-compliant ciphers for api-server, kube-scheduler, kube-controller-manager, etcd, and kubelet, by using a ytt overlay as described in ytt Overlays.

   • For details, or for STIG compliance, please contact your VMware representative.
   • Depending on your cloud infrastructure, you may also need to define additional ciphers.

Now, when you deploy a management cluster with the TKG_CUSTOM_COMPATIBILITY_IMAGE_PATH setting above, the CLI downloads and deploys FIPS-compliant core components that use cryptographic primitives provided by a FIPS-compliant library based on the BoringCrypto / Boring SSL module. These core components include components of Kubernetes, Containerd and CRI, CNI plugins, CoreDNS, and etcd.

The CLI confirms these FIPS-compliant BoM downloads with output that resembles:

Downloading TKG compatibility file from 'projects.registry.vmware.com/tkg/fips/tkg-compatibility'
Downloading the TKG Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkg-bom:v1.5.3-fips.1'
Downloading the TKr Bill of Materials (BOM) file from 'projects.registry.vmware.com/tkg/tkr-bom:v1.22.8_vmware.1-fips.1-tkg.1'

Internet-Restricted Environments

If you need to deploy Tanzu Kubernetes Grid in an environment with no external Internet access, see Prepare an Internet-Restricted Environment.

VMWare Cloud on AWS and Azure VMware Solution

To deploy Tanzu Kubernetes Grid to VMware Cloud on AWS or to Azure VMware Solution, see Prepare a vSphere Management as a Service Infrastructure.