The topics in this section explain how to configure workload clusters and use the Tanzu CLI to create the clusters.
In VMware Tanzu Kubernetes Grid, workload clusters are the Kubernetes clusters in which your application workloads run.
Tanzu Kubernetes Grid automatically deploys clusters to the platform on which you deployed the management cluster. For example, you cannot deploy clusters to Amazon Web Services (AWS) or Azure from a management cluster that is running in vSphere, or the reverse. It is not possible to use shared services between the different providers because, for example, vSphere clusters are reliant on sharing vSphere networks and storage, while AWS and Azure use their own systems. Tanzu Kubernetes Grid automatically deploys clusters from whichever management cluster you have set as the context for the CLI.
You can create three types of workload clusters:
These workload cluster types are described in Workload Cluster Types.
You can deploy workload clusters with the Tanzu CLI after you have deployed a standalone management cluster to vSphere, AWS or Azure. You can also deploy workload clusters to vSphere with Tanzu on vSphere 8 if you have connected the Tanzu CLI to the vSphere with Tanzu Supervisor.
You can use the Tanzu CLI to deploy workload clusters to the following platforms:
Before starting the deployment workflow described in this section, ensure:
vSphere: If you are deploying workload clusters to vSphere, each cluster requires one static virtual IP address to provide a stable endpoint for Kubernetes. Make sure that this IP address is not in the DHCP range, but is in the same subnet as the DHCP range.
Mac OS Bootstrap Machine: If your bootstrap machine runs Mac OS and you deploy a workload cluster using thumbprint verification with a self-signed certificate, as set by configuring VSPHERE_INSECURE: false and VSPHERE_TLS_THUMBPRINT, add the vCenter certificate to the machine’s trust store:
From vSphere, download the vCenter certificate .pem file:
Double-click the downloaded file and add it to the MacOS system Keychain as a trusted certificate:
During the cluster deployment process, if MacOS pops up an alert message that the certificate is not trusted, change its policy to Always Trust:
Azure: If you are deploying workload clusters to Azure, each cluster requires a Network Security Group (NSG) for its worker nodes named CLUSTER-NAME-node-nsg, where CLUSTER-NAME is the name of the cluster. To use an existing VNet for the cluster, you must manually create these NSGs as described in Create Azure NSGs for Existing VNet.
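A pre-flight check for the vSphere static virtual IP requirement above (outside the DHCP range, inside the same subnet), as an added example that is not part of the VMware documentation. The function name check_vip and the sample subnet, DHCP range and addresses are constructed for illustration.

```python
import ipaddress


def check_vip(vip, subnet, dhcp_start, dhcp_end):
    """Return a list of problems with a cluster's static virtual IP.

    An empty list means the address satisfies the rule: it is in the
    same subnet as the DHCP range but not inside that range.
    (Hypothetical helper; all arguments are strings.)
    """
    net = ipaddress.ip_network(subnet, strict=True)
    addr = ipaddress.ip_address(vip)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)

    problems = []
    # Sanity-check the DHCP range itself before judging the VIP against it.
    if start > end:
        problems.append("DHCP range start is above its end")
    if start not in net or end not in net:
        problems.append("DHCP range is not inside the subnet")

    if addr not in net:
        problems.append("VIP is outside the DHCP subnet")
    elif addr in (net.network_address, net.broadcast_address):
        problems.append("VIP is the network or broadcast address")

    # An address inside the pool can be leased to another host, which
    # would leave the Kubernetes endpoint contested or unreachable.
    if start <= addr <= end:
        problems.append("VIP is inside the DHCP range and could be leased to another host")
    return problems


if __name__ == "__main__":
    # Constructed sample network: 192.168.10.0/24 with a DHCP pool of .100-.200
    for candidate in ("192.168.10.50", "192.168.10.150", "192.168.20.50"):
        result = check_vip(candidate, "192.168.10.0/24",
                           "192.168.10.100", "192.168.10.200")
        print(candidate, result or "OK")
```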
To create a workload cluster with the Tanzu CLI, you:
Complete the prerequisites in Prerequisites for Cluster Deployment above.
Configure the cluster as described in Configuration Files and Object Specs and in the cluster configuration topic for your infrastructure:
Create the cluster as described in Create Workload Clusters.
To create workload clusters in other ways, without the Tanzu CLI, see:
kubectl, see Provisioning TKG Clusters on Supervisor Declaratively Using Kubectl and YAML.
Proceed to Configuration Files and Object Specs.