Upgrading Tanzu Kubernetes Grid

To upgrade Tanzu Kubernetes Grid (TKG), you download and install the new version of the Tanzu CLI on the machine that you use as the bootstrap machine. You must also download and install base image templates in vSphere.

In the TKG upgrade path, v2.5 immediately follows v2.4.

After you have installed the new versions of the components, you use the tanzu mc upgrade and tanzu cluster upgrade CLI commands to upgrade management clusters and workload clusters.

The next sections are the overall steps required to upgrade Tanzu Kubernetes Grid. This procedure assumes that you are upgrading to Tanzu Kubernetes Grid v2.5.0.

Some steps are only required if you are performing a minor upgrade from Tanzu Kubernetes Grid v2.4.x to v2.5.x and are not required if you are performing a patch upgrade from Tanzu Kubernetes Grid v2.5.x to v2.5.y.


Tanzu Kubernetes Grid v2.5 does not support upgrading existing standalone TKG management clusters and TKG workload clusters on AWS and Azure. For more information, see End of Support for TKG Management and Workload Clusters on AWS and Azure in the VMware Tanzu Kubernetes Grid v2.5 Release Notes.


Before you upgrade to TKG v2.5.x, ensure that your current deployment is TKG v2.4.x or an earlier v2.5 version. To upgrade to TKG v2.5.x from versions earlier than v2.4, you must first upgrade to v2.4.x with a v2.4.x of the Tanzu CLI.

Check Your TKG Version

If you are not sure which version of TKG is running in your management cluster, you can extract the version from the management cluster object.

  1. Run the tanzu context use command to see an interactive list of management clusters available for upgrade.

    tanzu context use
  2. Select the management cluster that you want to check.

  3. Get the admin credentials of the cluster. The Tanzu CLI alias mc is short for management-cluster.

    tanzu mc kubeconfig get --admin
  4. Connect kubectl to the management cluster.

    kubectl config use-context MGMT-CLUSTER-NAME-admin@MGMT-CLUSTER-NAME.

    You can copy the exact command, including the name of the management cluster context, from the output of the tanzu mc kubeconfig get --admin command that you ran in the preceding step.

  5. Run the kubectl get cluster command to extract the TKG version.

    kubectl get cluster MGMT-CLUSTER-NAME -n tkg-system -o yaml | grep TKGVERSION

    The output will show the version of TKG running in your management cluster, for example:

    TKGVERSION: v2.4.0

Download and Install the New Version of the Tanzu CLI

This step is required for both major v2.4.x to v2.5.x and patch v2.5.x to v2.5.y upgrades.

To download and install the new version of the Tanzu CLI and plugins, perform the following steps.

  1. Delete the ~/.config/tanzu/tkg/compatibility/tkg-compatibility.yaml file.

    If you do not delete this file, the new version of the Tanzu CLI will continue to use the Bill of Materials (BOM) for the previous release. Deleting this file causes the Tanzu CLI to pull the updated BOM. You must perform this step both when upgrading from 2.4.x to 2.5.x, and when upgrading from 2.5.x to 2.5.y.

  2. Follow the instructions in Install the Tanzu CLI and Kubernetes CLI for Use with Standalone Management Clusters to download and install the Tanzu CLI and plugins and kubectl on the machine where you currently run your tanzu commands. If any of your standalone management clusters are configured to use an LDAP identity provider, perform the steps in (LDAP Only) Update LDAP Settings after installing Tanzu CLI and before updating your CLI plugins to Tanzu Kubernetes Grid v2.5.

  3. Make sure to run tanzu plugin install to install the current --vmware-tkg plugin group.
  4. After you install the new version of the Tanzu CLI and plugins, run tanzu version to check that the correct version of the Tanzu CLI is properly installed. For a list of CLI versions compatible with Tanzu Kubernetes Grid v2.5, see Product Interoperability Matrix.
  5. After you install kubectl, run kubectl version to check that the correct version of kubectl is properly installed.

For information about Tanzu CLI commands and options that are available, see the Tanzu CLI Command Reference.

Import New Base Image Templates into vSphere

Before you can upgrade a Tanzu Kubernetes Grid deployment, you must import into vSphere new versions of the base image templates that the upgraded management and workload clusters will run. VMware publishes base image templates in OVA format for each supported OS and Kubernetes version. After importing the OVAs, you must convert the resulting VMs into VM templates. This step is required for both major v2.4.x to v2.5.x and patch v2.5.x to v2.5.y upgrades.

This procedure assumes that you are upgrading to Tanzu Kubernetes Grid v2.5.x.

  1. Go to the Tanzu Kubernetes Grid downloads page and log in with your VMware Customer Connect credentials.
  2. Download the latest Tanzu Kubernetes Grid OVAs for the OS and Kubernetes version lines that your management and workload clusters are running. For Kubernetes v1.28, TKG supports Ubuntu 22.04 and Photon 5, and for Kubernetes v1.27, TKG supports Ubuntu 20.04 and 22.04 and Photon 3 and 5.

    For example, for Photon images:

    • Kubernetes v1.28.4: Photon v5 Kubernetes v1.28.4 OVA
    • Kubernetes v1.27.8: Photon v3 Kubernetes v1.27.8 OVA
    • Kubernetes v1.26.11: Photon v3 Kubernetes v1.26.11 OVA

    For Ubuntu images:

    • Kubernetes v1.28.4: Ubuntu 2204 Kubernetes v1.28.4 OVA
    • Kubernetes v1.27.8: Ubuntu 2004 Kubernetes v1.27.8 OVA
    • Kubernetes v1.26.11: Ubuntu 2004 Kubernetes v1.26.11 OVA

    Make sure you download the most recent OVA base image templates in the event of security patch releases. You can find updated base image templates that include security patches on the Tanzu Kubernetes Grid product download page.

  3. In the vSphere Client, right-click an object in the vCenter Server inventory and select Deploy OVF template.
  4. Select Local file, click the button to upload files, and navigate to a downloaded OVA file on your local machine.
  5. Follow the installer prompts to deploy a VM from the OVA.

    • Accept or modify the appliance name.
    • Select the destination datacenter or folder.
    • Select the destination host, cluster, or resource pool.
    • Accept the end user license agreements (EULA).
    • Select the disk format and destination datastore.
    • Select the network for the VM to connect to.
  6. Click Finish to deploy the VM.
  7. When the OVA deployment finishes, right-click the VM and select Template > Convert to Template.
  8. In the VMs and Templates view, right-click the new template, select Add Permission, and assign your Tanzu Kubernetes Grid user, for example, tkg-user, to the template with the Tanzu Kubernetes Grid role, for example, TKG. You created this user and role in Prepare to Deploy Management Clusters to vSphere.

Repeat the procedure for each of the Kubernetes versions for which you have downloaded the OVA file.

VMware Cloud on AWS SDDC Compatibility

If you are upgrading workload clusters that are deployed on VMware Cloud on AWS, verify that the underlying Software-Defined Datacenter (SDDC) version used by your existing deployment is compatible with the version of Tanzu Kubernetes Grid you are upgrading to.

To view the version of an SDDC, select View Details on the SDDC tile in VMware Cloud Console and click on the Support pane.

To validate compatibility with Tanzu Kubernetes Grid, refer to the VMware Product Interoperablity Matrix.

Upgrade Standalone Management Clusters

This step is only required for TKG with a standalone management cluster. If you are running TKG with a vSphere with Tanzu Supervisor, you upgrade the Supervisor as part of vSphere and update the Supervisor’s Kubernetes version by upgrading its TKrs.

This step is required for both major v2.4.x to v2.5.x and patch v2.5.x to v2.5.y upgrades.

To upgrade Tanzu Kubernetes Grid, you must upgrade all management clusters in your deployment. You cannot upgrade workload clusters until you have upgraded the management clusters that manage them.

Follow the procedure in Upgrade Standalone Management Clusters to upgrade your management clusters.

Upgrade Workload Clusters

This step is required for both major v2.4.x to v2.5.x and patch v2.5.x to v2.5.y upgrades.

Follow the procedure in Upgrade Workload Clusters to upgrade the workload clusters that are running your workloads.

Post-Upgrade Operations

After you have upgraded your clusters, there are additional steps to perform to complete the upgrade process.

Sync Package Versions Older Than n-2

Some packages that are installed by default in the management cluster, for example, cert-manager can be installed as CLI-managed packages in workload and the shared services clusters. When the management cluster is upgraded to the latest Tanzu Kubernetes Grid release, its default packages are automatically updated.

You can run different versions of the CLI-managed packages in different workload clusters. In a workload cluster, you can run either the latest supported version of a CLI-managed package or the package’s versions in your last two previously-installed versions of Tanzu Kubernetes Grid. For example, if the latest packaged version of cert-manager is v1.11.1 and your previous two Tanzu Kubernetes Grid installations ran cert-manager v1.10.1 and v1.7.2, then you can run cert-manager versions v1.11.1, v1.10.1, and v1.7.2 in workload clusters.

For any workload clusters that are running package versions that are more than n-2 installed Tanzu Kubernetes Grid versions older than the package versions in the management cluster, you must update the package repository (See Update a Package Repository) and then upgrade the package in the workload clusters (See Update a Package). If you do not upgrade the package version, you will not be able to update the package configuration because the package repository might not include over n-2 older version of the package.

Upgrade NSX Advanced Load Balancer Configuration After Tanzu Kubernetes Grid Upgrade

If NSX ALB was not enabled in your TKG v2.4 installation, see Install and Configure NSX Advanced Load Balancer for information on how to install NSX ALB.

If NSX ALB was enabled in your TKG v2.4 installation, see the Tanzu Kubernetes Grid v2.5 Release Notes for which Avi Controller versions are supported in this release, and if needed upgrade the Avi Controller to a compatible version. For how to upgrade the Avi Controller, see Flexible Upgrades for Avi Vantage.

What to Do Next

Examine your upgraded management clusters or register them in Tanzu Mission Control. See Examine and Register a Newly-Deployed Standalone Management Cluster.

check-circle-line exclamation-circle-line close-line
Scroll to top icon