Initiate an inspection to verify the conformance of a cluster.

Cluster inspections in VMware Tanzu Mission Control are preconfigured inspections that allow you to test the conformance of your clusters using Sonobuoy. For more information, see Cluster Inspections in VMware Tanzu Mission Control Concepts.

Prerequisites

This procedure assumes that you already have a cluster (either provisioned or attached) that you want to inspect for conformance.

Before you can perform cluster inspections through Tanzu Mission Control Self-Managed using the Conformance and Lite inspection types, you must first make the inspection images available to your self-managed deployment. For more information, see Copying Tanzu Standard and Inspection Images in Installing and Running VMware Tanzu Mission Control Self-Managed.

Make sure you have the appropriate permissions.
  • To run a cluster inspection, you must be associated with the cluster.edit role in the cluster.

Log in to the Tanzu Mission Control console.

Procedure

  1. In the left navigation pane of the Tanzu Mission Control console, click Cluster groups.
  2. Click the cluster group that contains the cluster you want to inspect, and then click the cluster.
  3. On the Overview tab of the cluster detail page, in the Inspection box, click Run Inspection.
  4. Make sure the correct cluster group and cluster are selected.
  5. Choose the type of inspection you want to run, and then click Run Inspection.
    For TKG Service clusters running Kubernetes version 1.26 or later, there is an additional requirement described below.

Results

When you click Run Inspection, the inspection starts and you are directed back to the cluster detail page that shows your inspection is running. When the inspection is complete, the result of the inspection is displayed in the Inspection box.

What to do next

For Tanzu Kubernetes Grid Service clusters with Kubernetes version 1.26 or later, running in vSphere with Tanzu, Pod Security Admission (PSA) is set to enforce by default. As a result, inspections are unable to run until you add the required label to the namespace created during the inspection run.
To allow the inspection to run:
  1. After the inspection starts, retrieve the name of the image-pull-#### namespace that was created by the inspection.
    kubectl get ns | grep "image-pull"
  2. Apply the PSA label to the namespace.
    kubectl label ns image-pull-#### pod-security.kubernetes.io/enforce=privileged
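
The two steps above as a script, added here as an example and not part of the VMware documentation: it waits for the namespace to appear, matches the image-pull- prefix with an anchored pattern (a plain grep "image-pull" also matches unrelated namespaces that merely contain the string, which would then receive the privileged label), applies the label, and confirms it. The function names, the timeout defaults, and the assumption that the current kubectl context points at the inspected cluster are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the VMware documentation). Assumes kubectl is on
# PATH and its current context points at the cluster being inspected.

PSA_LABEL='pod-security.kubernetes.io/enforce=privileged'

# Reduce `kubectl get ns -o name` output (stdin) to inspection namespaces.
# Anchored match: "my-image-pull-cache" or a bare "image-pull-" is rejected.
inspection_namespaces() {
  sed -n 's|^namespace/\(image-pull-[a-z0-9-]\{1,\}\)$|\1|p'
}

# Poll until at least one image-pull-* namespace exists, then print the names.
# $1 = timeout in seconds (default 120), $2 = poll interval (default 5).
wait_for_inspection_namespaces() {
  timeout=${1:-120}; interval=${2:-5}; waited=0
  while :; do
    found=$(kubectl get ns -o name | inspection_namespaces)
    if [ -n "$found" ]; then printf '%s\n' "$found"; return 0; fi
    if [ "$waited" -ge "$timeout" ]; then return 1; fi
    sleep "$interval"; waited=$((waited + interval))
  done
}

# Label each inspection namespace, then confirm the label by selecting on it.
# Prints the name of every namespace that was labeled and verified.
label_inspection_namespaces() {
  names=$(wait_for_inspection_namespaces "$@") || {
    echo "no image-pull-* namespace appeared before the timeout" >&2
    return 1
  }
  for ns in $names; do
    kubectl label ns "$ns" "$PSA_LABEL" --overwrite >/dev/null || return 1
    kubectl get ns -l "$PSA_LABEL" -o name | grep -qx "namespace/$ns" || {
      echo "label not found on $ns after applying it" >&2
      return 1
    }
    echo "$ns"
  done
}
```

Start the inspection in the console, then call label_inspection_namespaces from a shell that has sourced this file.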