When you attach a cluster to your organization in VMware Tanzu Mission Control, the cluster agent service creates a namespace and installs a set of cluster agent extensions and custom resource definitions into your cluster. The cluster agent service and its extensions enable Tanzu Mission Control to communicate with your cluster (for example, to capture health information) and manage your cluster (for example, to enforce policies).
The extension manager is one of the extensions installed into your cluster when you attach it. The extension manager oversees any other extensions that the cluster agent installs into your cluster as a result of using the capabilities of Tanzu Mission Control. For example, when you run a conformance inspection on your cluster, the cluster agent installs an extension that runs Sonobuoy. For information about the resource consumption of the cluster agent extensions, see Memory and CPU Usage by Cluster Agent Extensions.
- Register the cluster with the Tanzu Mission Control service.
- Install the cluster agent extensions on the cluster.
- Verify the connection to confirm bilateral communication.
You must have
admin permissions on the cluster to install the cluster agent extensions, and the extension manager retains
admin permissions to make modifications to the cluster as necessary. The extensions that are subsequently installed by the extension manager have their own individual security profiles granting them only the permissions necessary to perform their function.
- On the cluster, you must have
cluster.adminpermissions to install the cluster agent extensions.
- In Tanzu Mission Control, you must be associated with the
clustergroup.editrole in a cluster group to attach a cluster.
- Cluster names must be unique within an organization.
- An attached cluster must belong to exactly one cluster group. For more information about cluster groups, see What is Tanzu Mission Control.
Outbound Connections Made by the Cluster Agent Extensions
When you attach a cluster, the cluster agent extensions running on the cluster make connections to Tanzu Mission Control URLs for outbound communications. Outbound connections made by the cluster agent extensions communicate with Tanzu Mission Control through port
443. If you have a proxy server that manages outbound traffic for your clusters, you need to add the following URLs to your proxy allowlist to enable the cluster to communicate with Tanzu Mission Control.
URLs in this domain include the Tanzu Mission Control service for your organization, as well as authentication, authorization, and other services.
This URL is required for logging in with the Tanzu Mission Control CLI. This is necessary only if you use the command-line interface from behind your proxy server.
You must also make sure that the proxy-related environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY) are defined for the cluster's environment.