As a platform operator or infrastructure operator, use the cluster inspection features of VMware Tanzu Mission Control to ensure that your Kubernetes clusters conform to a standard.

Through Tanzu Mission Control, you can run preconfigured cluster inspections using Sonobuoy to make sure your clusters conform to community standards.

For more information about testing for cluster conformance, see Cluster Inspections in VMware Tanzu Mission Control Concepts.

Note: The cluster inspection features of Tanzu Mission Control are not available in Tanzu Mission Control Essentials. Also, the CIS Benchmark inspection type is available only in Tanzu Mission Control Advanced.

About Conformance Inspections and Sonobuoy Permission Requirements

To run a Conformance inspection, Sonobuoy requires particular privileged permissions. When these permissions are restricted through native pod security policies or through a security policy implemented in Tanzu Mission Control, some tests in the Conformance inspection fail.

This behavior is seen in Tanzu Kubernetes clusters running in vSphere with Tanzu.
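To confirm that Conformance failures come from pod security policy admission rather than from another cause, you can scan the cluster's events for PSP denials. The following is an added example, not VMware or Sonobuoy code: the sample events, namespaces, and object names are constructed, and the two message wordings matched are assumed to be the ones emitted by the Kubernetes PodSecurityPolicy admission controller on your cluster version.

```python
import json
import re
from collections import Counter

# Constructed events in the shape of `kubectl get events -A -o json`; not real cluster output.
SAMPLE_EVENTS = json.dumps({"items": [
    {"type": "Warning", "reason": "FailedCreate",
     "involvedObject": {"kind": "DaemonSet", "namespace": "inspection-ns", "name": "sonobuoy-plugin"},
     "message": 'Error creating: pods "sonobuoy-plugin-" is forbidden: unable to validate '
                'against any pod security policy: [spec.volumes[0]: Invalid value: "hostPath": '
                'hostPath volumes are not allowed to be used '
                'spec.containers[0].securityContext.privileged: Invalid value: true: '
                'Privileged containers are not allowed]'},
    {"type": "Warning", "reason": "FailedCreate",
     "involvedObject": {"kind": "ReplicaSet", "namespace": "e2e-ns", "name": "e2e-test"},
     "message": 'Error creating: pods "e2e-test-" is forbidden: PodSecurityPolicy: unable to '
                'admit pod: [spec.securityContext.hostNetwork: Invalid value: true: '
                'Host network is not allowed to be used]'},
    {"type": "Warning", "reason": "FailedScheduling",
     "involvedObject": {"kind": "Pod", "namespace": "e2e-ns", "name": "e2e-test-abc"},
     "message": "0/3 nodes are available: 3 Insufficient cpu."},
]})

# Two wordings seen in PodSecurityPolicy admission denials; the bracketed list holds the violations.
PSP_DENIAL = re.compile(r"(?:unable to validate against any pod security policy"
                        r"|PodSecurityPolicy: unable to admit pod): \[(.*)\]", re.S)
VIOLATED_FIELD = re.compile(r"(spec\.[\w.\[\]]+): Invalid value")

def psp_denials(events_json):
    """Return (namespace, kind/name, violated pod spec fields) for each PSP denial event."""
    found = []
    for event in json.loads(events_json).get("items", []):
        match = PSP_DENIAL.search(event.get("message", ""))
        if not match:
            continue  # unrelated failure, for example scheduling or image pull
        obj = event.get("involvedObject", {})
        # Drop list indexes so the same restriction groups together across pods.
        fields = [re.sub(r"\[\d+\]", "[]", f) for f in VIOLATED_FIELD.findall(match.group(1))]
        found.append((obj.get("namespace", ""), f'{obj.get("kind")}/{obj.get("name")}', fields))
    return found

def summarize(denials):
    """Count how often each pod spec field was rejected, across all denials."""
    return Counter(field for _, _, fields in denials for field in fields)

if __name__ == "__main__":
    for field, count in summarize(psp_denials(SAMPLE_EVENTS)).most_common():
        print(f"{count:3d}  {field}")
```

The rejected fields show which privileges the inspection workloads requested and the active policy refused.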

To prevent this kind of failure for the Conformance inspection, you can create a security policy on the cluster through Tanzu Mission Control that uses the Strict template and disables native pod security policies.

For more information about creating security policies in Tanzu Mission Control, see Create a Security Policy.

For more information about pod security policies in Tanzu Kubernetes clusters running in vSphere with Tanzu, see Using Pod Security Policies with Tanzu Kubernetes Clusters and Example Role Bindings for Pod Security Policy in vSphere with Tanzu Configuration and Management.