This topic provides an overview of packages you can install and configure on workload clusters in Tanzu Kubernetes Grid.


To associate versions of Tanzu Kubernetes Grid (TKG) with the versions of the Tanzu Standard package repository that they work with, see TKG, Tanzu CLI Plugin, and Tanzu Standard Package Repo Versions.

Installing a package on a workload cluster created by Tanzu Kubernetes Grid adds a functionality to the cluster. This functionality typically provides services to the workloads that the cluster hosts. For example, the Antrea package provides the Antrea container network interface (CNI), the Contour package ingress control services, the Harbor package a private container registry, and so on. Some packages support the operation of the cluster itself.

Internally, a package consists of configuration metadata and image references that inform the package manager what software the package contains and how to install it into a Kubernetes cluster. Packages are grouped into package repositories. Some packages are enabled in clusters automatically while others are installed explicitly by using the Tanzu CLI. For more information about how packages and package repositories are implemented in Tanzu Kubernetes Grid, see Carvel API Resources below.

Types of Packages

Tanzu Kubernetes Grid includes the following types of packages:

  • Auto-managed packages. These packages are installed and upgraded automatically by Tanzu Kubernetes Grid. See the Auto-Managed Packages section below.
  • CLI-managed packages. These packages are installed and upgraded explicitly by using the Tanzu CLI. Located in the tanzu-standard package repository or in other repositories that you add to your clusters. See the CLI-Managed Packages section below.

Auto-Managed Packages

These packages are typically required for basic cluster functionality. Tanzu Kubernetes Grid installs and upgrades them automatically when you create and upgrade a Kubernetes cluster.


The tanzu package CLI plugin is intended only for CLI-managed packages. Do not use the tanzu package CLI plugin to install and manage auto-managed packages. Their lifecycle is managed by Tanzu Kubernetes Grid.

See View and Customize Auto-Managed Package Configuration for how to view and update auto-managed package configuration.

Installation and Version Updates

Tanzu Kubernetes Grid manages the lifecycle of auto-managed packages. This includes automatic package installation and version updates.

Auto-managed packages are installed during cluster creation. To determine which auto-managed packages to install in a workload cluster, Tanzu Kubernetes Grid reads the Tanzu Kubernetes release that is used to create the cluster and cluster-specific configuration information. When you upgrade a workload cluster, as part of the upgrade process, Tanzu Kubernetes Grid updates the versions of the auto-managed packages that are installed in the cluster.

List of Auto-Managed Packages

The table below lists the auto-managed packages that TKG installs and what types of clusters they are installed in.

Auto-managed packages are installed from the tanzu-core repository and run in the following namespace, depending on TKG deployment type:

  • Supervisor namespace: vmware-system-tkg
  • Standalone management cluster namespace: tkg-system
Package Installed in (with Supervisor) Installed in (with standalone management cluster) Description
ako-operator Not installed Management (vSphere with NSX ALB only) Provides VMware NSX Advanced Load Balancer. This package is installed if NSX Advanced Load Balancer is enabled.
antrea Workload Management and workload Enables pod networking and enforces network policies for Kubernetes clusters. Installed by default, unless Calico is selected as the CNI provider.
calico Workload Management and workload Enables pod networking and enforces network policies for Kubernetes clusters. Installed if Calico is selected as the CNI provider. Not supported on Windows.
capabilities Workload Workload Enables the Capabilities API. A "capability" is anything a Kubernetes cluster can do or have, such as objects, and the API surface area. Capability discovery can be used to answer questions such as "is this a TKG cluster?" or "does this cluster have a resource X?", and so on.
guest-cluster-auth-service Workload Not installed Manages vSphere single sign-on (SSO), which enables vSphere SSO users to access the target workload cluster
kapp-controller Workload Management and workload Manages packages.
load-balancer-and-ingress-service (AKO) Not installed Management and workload (vSphere with NSX ALB only) Provides L4+L7 load balancing for applications running in clusters created by Tanzu Kubernetes Grid; used for north-south traffic. This package is installed if NSX Advanced Load Balancer is enabled.
metrics-server Workload Management and workload Provides Metrics Server
pinniped Workload Management and workload Provides user authentication. Installed only if an identity provider is configured. Can be installed in a standalone management cluster after it is already created; see Enable and Configure Identity Management in an Existing Deployment.
secretgen-controller Workload Workload Enables carvel-secretgen-controller
tanzu-addons-manager Management Management Manages the lifecycle of tanzu-core packages.
tkg-pkg Not installed Management Installs tanzu-addons-manager, tkr-source-controller, ClusterClass definitions, and other components that TKG standalone management clusters require.
vsphere-cpi Workload Management and workload Provides the vSphere Cloud Provider Interface
vsphere-pv-csi Workload Not installed Provides the vSphere Cloud Storage Interface

CLI-Managed Packages

CLI-managed packages extend Kubernetes clusters created by Tanzu Kubernetes Grid. After creating a cluster, you can install packages from the tanzu-standard package repository or from other package repositories that you add to the cluster.

For a list of CLI-managed packages, the package repositories where they are published, and how to install them, see Installing and Using VMware Tanzu Packages.

Carvel API Resources

To make packages available in Kubernetes clusters, Tanzu Kubernetes Grid creates the following API resources in the target cluster:

  • PackageRepository, or pkgr, represents a single package repository. It points kapp-controller, a package manager, to the package repository that is defined in the resource. A package repository contains Package and PackageMetadata resources. After a PackageRepository is created in your target cluster, kapp-controller can install any of the packages that the package repository contains. This API resource is used only for CLI-managed packages.
  • Package, or pkg, contains version-specific information about a given package and defines how to install the package. kapp-controller uses the Package resource when installing the package.
  • PackageMetadata, or pkgm, contains version-agnostic information about a given package.
  • PackageInstall, or pkgi, represents an installed package in your target cluster. It also references the Package resource that was used to install the package.

You can list and view these resources by using the kubectl api-resources and kubectl get commands. For more information about the Carvel API resources, see Packaging in the Carvel documentation.

check-circle-line exclamation-circle-line close-line
Scroll to top icon