What Happens When You Attach a Cluster

When you attach a cluster to your organization in VMware Tanzu Mission Control, the cluster agent service creates a namespace and installs a set of cluster agent extensions and custom resource definitions into your cluster. The cluster agent service and its extensions enable Tanzu Mission Control to communicate with your cluster (for example, to capture health information) and manage your cluster (for example, to enforce policies).

This attachment is required for all clusters that you manage through Tanzu Mission Control, including management clusters that you register with Tanzu Mission Control and their workload clusters (both pre-existing and provisioned), as well as the clusters that you create elsewhere and subsequently attach to Tanzu Mission Control.

The extension manager is one of the extensions installed into your cluster when you attach it. The extension manager oversees any other extensions that the cluster agent installs into your cluster as a result of using the capabilities of Tanzu Mission Control. For example, when you run a conformance inspection on your cluster, the cluster agent installs an extension that runs Sonobuoy. For information about the resource consumption of the cluster agent extensions, see Memory and CPU Usage by Cluster Agent Extensions.

The process of attaching a cluster involves three steps:

Register the cluster with the Tanzu Mission Control service.
Install the cluster agent extensions on the cluster.
Verify the connection to confirm bilateral communication.

You must have admin permissions on the cluster to install the cluster agent extensions, and the extension manager retains admin permissions to make modifications to the cluster as necessary. The extensions that are subsequently installed by the extension manager have their own individual security profiles granting them only the permissions necessary to perform their function.

When you attach a cluster, be aware of the following:

On the cluster, you must have cluster.admin permissions to install the cluster agent extensions.
In Tanzu Mission Control, you must be associated with the clustergroup.edit role in a cluster group to attach a cluster.
Cluster names must be unique within an organization.
An attached cluster must belong to exactly one cluster group. For more information about cluster groups, see What is Tanzu Mission Control.

Outbound Connections Made by the Cluster Agent Extensions

The cluster agent extensions running on the cluster make connections to Tanzu Mission Control URLs for outbound communications. This applies to Tanzu Kubernetes clusters that you register with Tanzu Mission Control as well as clusters that were created elsewhere and subsequently attached.

Outbound connections made by the cluster agent extensions communicate with Tanzu Mission Control through port 443. If you have a proxy server that manages outbound traffic for your clusters, you need to add the following URLs to your proxy allowlist to enable the cluster to communicate with Tanzu Mission Control.

```
*.tmc.cloud.vmware.com
```
URLs in this domain include the Tanzu Mission Control service for your organization, as well as authentication, authorization, the Tanzu Standard package repository, and other services.
```
console.cloud.vmware.com
```
This URL is required for logging in with the Tanzu Mission Control CLI. This is necessary only if you use the command-line interface from behind your proxy server.
```
registry.k8s.io
```
This URL is required for running inspections in Tanzu Mission Control.
```
wavefront.com
```
This URL is required for communication with Tanzu Observability.

You must also make sure that the proxy-related environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY) are defined for the cluster's environment.