Upgrade an Internet-Restricted Deployment

This topic describes how to upgrade management and workload clusters to Tanzu Kubernetes Grid v2.1 in an internet-restricted environment on vSphere and AWS.


In the TKG upgrade path, v2.1 immediately follows v1.6. TKG 2.0 is not a downloadable version, but instead refers to using the Tanzu CLI in TKG v1.6 with a Supervisor integrated within vSphere 8.

This procedure is required for both major v1.6.x to v2.1.x and patch v2.1.x to v2.1.y upgrades.


All clusters use one-year client certificates and upgrading a cluster renews its certificate, so VMware recommends upgrading your clusters at least once a year.

Upgrade an Internet-Restricted vSphere Deployment

If you deployed the previous version of Tanzu Kubernetes Grid in an Internet-restricted environment, do the following steps on a machine with an Internet connection.

  1. Download and install the new version of the Tanzu CLI. See Download and Install the Tanzu CLI and Other Tools.

  2. Perform the steps in Prepare to Upgrade Clusters on vSphere to deploy the new base OS image OVA files.

  3. Perform the steps in Prepare an Internet-Restricted Environment to run the required scripts.

If you have an script files from a previous deployment, you must still regenerate the images-copy-list so that it includes the latest component versions, and then run download-images.sh on the new images-copy-list to save them to your local private Docker registry.

Upgrade an Internet-Restricted AWS Deployment


To upgrade an internet-restricted Tanzu Kubernetes Grid deployment on AWS to TKG v2.1.x, you must have:

  • Tanzu Kubernetes Grid v1.6 or an earlier patch version of TKG v2.1 running in an offline AWS environment with Linux machines and an image registry as described in Prepare an Internet-Restricted Environment.
    • You cannot upgrade to Tanzu Kubernetes Grid v2.1 from v1.5 or earlier versions. You must first upgrade to a v1.6 version as described in Upgrade Tanzu Kubernetes Grid in the Tanzu Kubernetes Grid v1.6 documentation.
  • Tanzu CLI v0.28.1 with compatible plugins and kubectl installed on both Linux machines. See Install the CLI and Other Tools.

    • Run tanzu version to check that you are running a v2.1 version of tanzu. Tanzu Kubernetes Grid v2.1.1 uses Tanzu CLI v0.28.1, based on Tanzu Framework v0.28.1.
    • Run kubectl version to check that you are running the kubectl version listed in the Tanzu Kubernetes Grid downloads page for your v1.6.x version.
    • Run tanzu plugin list to confirm v0.28.1 versions of the plugins management-cluster, cluster, login, kubernetes-release, package, and pinniped-auth.
    • For the offline machine, download, transfer, and install the Tanzu CLI bundle and other software following your usual process for that machine.
  • To work around a known issue with CAPA, set EXP_EXTERNAL_RESOURCE_GC=false in your local environment or in the management cluster configuration file.

Step 1: Copy the Images

From your internet-connected machine, use the isolated-cluster plugin to copy the container images used by TKG into your offline registry, following the steps starting with Step 1: Install the Isolated Cluster Plugin on the Online Machine in Prepare an Internet-Restricted Environment

Step 2: Upgrade Standalone Management Clusters

To upgrade Tanzu Kubernetes Grid with a standalone management cluster, you must first upgrade all the management clusters in your deployment. You cannot upgrade workload clusters until you have upgraded their management clusters.

To upgrade the standalone management clusters in an internet-restricted AWS environment:

  1. Set the following environment variables so the Tanzu CLI can access your private image registry and know which region and zone to deploy to. Find the access key settings in your ~/.aws/config file.

     export AWS_REGION=
     export AWS_NODE_AZ=
     export AWS_ACCESS_KEY_ID=
     export AWS_SSH_KEY_NAME=
  2. Follow the procedure in Upgrade Management Clusters.

Step 3: Upgrade Workload Clusters

To upgrade the workload clusters in an internet-restricted AWS environment, follow the procedure in Upgrade Workload Clusters.

What to Do Next

You can now continue to use the Tanzu CLI to manage your clusters and run your applications with the new version of Kubernetes in your internet-restricted environment.

check-circle-line exclamation-circle-line close-line
Scroll to top icon