When you attach a cluster to your organization in VMware Tanzu Mission Control, the cluster agent service creates a namespace and installs a set of cluster agent extensions and custom resource definitions into your cluster. The cluster agent service and its extensions enable Tanzu Mission Control to communicate with your cluster (for example, to capture health information) and manage your cluster (for example, to enforce policies).

The extension manager is one of the extensions installed into your cluster when you attach it. The extension manager oversees any other extensions that the cluster agent installs into your cluster as a result of using the capabilities of Tanzu Mission Control. For example, when you run a conformance inspection on your cluster, the cluster agent installs an extension that runs Sonobuoy. For information about the resource consumption of the cluster agent extensions, see Memory and CPU Usage by Cluster Agent Extensions.

The process of attaching a cluster involves three steps:
  1. Register the cluster with the Tanzu Mission Control service.
  2. Install the cluster agent extensions on the cluster.
  3. Verify the connection to confirm bilateral communication.

You must have admin permissions on the cluster to install the cluster agent extensions, and the extension manager retains admin permissions to make modifications to the cluster as necessary. The extensions that are subsequently installed by the extension manager have their own individual security profiles granting them only the permissions necessary to perform their function.

When you attach a cluster, be aware of the following:
  • On the cluster, you must have cluster.admin permissions to install the cluster agent extensions.
  • In Tanzu Mission Control, you must be associated with the clustergroup.edit role in a cluster group to attach a cluster.
  • Cluster names must be unique within an organization.
  • An attached cluster must belong to exactly one cluster group. For more information about cluster groups, see What is Tanzu Mission Control.

Outbound Connections Made by the Cluster Agent Extensions

When you attach a cluster, the cluster agent extensions running on the cluster make outbound connections to Tanzu Mission Control URLs. These connections use port 443. If you have a proxy server that manages outbound traffic for your clusters, you need to add the following URLs to your proxy allowlist to enable the cluster to communicate with Tanzu Mission Control.

  • *.tmc.cloud.vmware.com

    URLs in this domain include the Tanzu Mission Control service for your organization, as well as authentication, authorization, and other services.

  • vmware-docker-olympus-extensions.bintray.io

    This URL is a Bintray location from which Tanzu Mission Control retrieves the cluster agent extensions to deploy on your cluster.

You must also make sure that the proxy-related environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY) are defined for the cluster's environment.
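
The following preflight check for the proxy requirements above is an added example, not part of the VMware documentation or tooling. It assumes allowlist entries are either an exact host or `*.domain`, that NO_PROXY is a comma-separated list of domain suffixes, and that the proxy is the cluster's only permitted egress path; the function names, the sample allowlist and the host `org.tmc.cloud.vmware.com` are constructed for illustration.

```shell
# Added example: preflight for the proxy requirements above. Assumed formats:
# allowlist entries are a host or "*.domain"; NO_PROXY is comma-separated suffixes.
# True if host $1 equals domain $2 or is a subdomain of it.
in_domain() {
  case "$1" in "$2"|*".$2") return 0 ;; esac
  return 1
}

# True if destination $1 is covered by an allowlist entry in $2..$n.
allowlist_covers() {
  want=$1; shift
  for entry in "$@"; do
    [ "$entry" = "$want" ] && return 0
    suffix=${entry#\*.}
    [ "$suffix" != "$entry" ] || continue   # not a wildcard entry
    case "$want" in *".$suffix") return 0 ;; esac
  done
  return 1
}

# True if NO_PROXY value $2 (default: $NO_PROXY) sends host $1 direct, past the proxy.
no_proxy_bypasses() {
  rest="${2-${NO_PROXY:-}},"
  while [ -n "$rest" ]; do
    entry=${rest%%,*}; rest=${rest#*,}
    [ "$entry" = "*" ] && return 0
    entry=${entry#\*}; entry=${entry#.}
    [ -n "$entry" ] && in_domain "$1" "$entry" && return 0
  done
  return 1
}

# Print one finding per line (nothing when clean). Arguments: allowlist entries.
preflight() {
  for name in HTTP_PROXY HTTPS_PROXY NO_PROXY; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || echo "unset: $name"
  done
  for dest in "*.tmc.cloud.vmware.com" "vmware-docker-olympus-extensions.bintray.io"; do
    allowlist_covers "$dest" "$@" || echo "not allowlisted: $dest"
  done
  # org.tmc.cloud.vmware.com is a constructed stand-in for your organization's host.
  for host in org.tmc.cloud.vmware.com vmware-docker-olympus-extensions.bintray.io; do
    if no_proxy_bypasses "$host"; then echo "NO_PROXY bypasses proxy for: $host"; fi
  done
}

# Constructed sample allowlist; the Bintray entry is left out on purpose.
preflight "*.tmc.cloud.vmware.com" "internal.example.com"
```

A broad NO_PROXY entry such as `.vmware.com` is reported because it would route agent traffic around the proxy, where an egress firewall would typically drop it.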