Create a proxy configuration in VMware Tanzu Mission Control that allows outbound traffic through the proxy that protects your managed clusters, specifically for Tanzu Kubernetes Grid Service clusters running in vSphere with Tanzu (vSphere 7.0.3a or later).

A proxy configuration identifies the proxy server for one or more clusters and the credentials required to authorize outbound traffic through it. After you create a proxy configuration object, you can use it when registering a Tanzu Kubernetes Grid Service Supervisor Cluster running in vSphere with Tanzu or provisioning a workload cluster.

When you create a proxy configuration object to use with this type of cluster, you must identify certain subnets in the workload network of the Supervisor Cluster to exclude from proxying, in addition to identifying the proxy server.
  • In a proxy configuration object for workload clusters, make sure the No proxy list includes the CIDRs for pod, ingress, and egress from the workload network of the Supervisor Cluster, as well as *.svc and *.cluster.local.
  • In a proxy configuration object for the Supervisor Cluster, there are no specific requirements for the No proxy list.
  • You can optionally create a proxy configuration object to use with both a Supervisor Cluster and its workload clusters that includes the requirements for the workload clusters in the No proxy list.

Prerequisites

Log in to the Tanzu Mission Control console, as described in Log In to the Tanzu Mission Control Console.

Make sure you have the appropriate permissions to create a proxy configuration object.
  • To create a proxy configuration, you must be associated with the organization.credential.admin role.

Make sure your vSphere version is 7.0.3a or later.

You must configure a content library for the provisioner namespace on the Supervisor Cluster. For more information, see Configure a vSphere Namespace for Tanzu Kubernetes Releases in the vSphere with Tanzu Configuration and Management documentation.

You also need to locate the CIDRs for pod, ingress, and egress in the workload network of your Supervisor Cluster that you need for the No proxy list. For information about how to find these settings in your Supervisor Cluster, see Configuration Parameters for the Tanzu Kubernetes Grid Service v1alpha2 API in the vSphere with Tanzu Configuration and Management documentation.

Procedure

  1. In the left navigation pane of the Tanzu Mission Control console, click Administration.
  2. On the Administration page, click the Proxy Configuration tab.
  3. Click Create Proxy Configuration.
  4. On the Create proxy page, enter a name for the proxy configuration.
  5. You can optionally provide a description.
  6. Specify the URL or IP address of the proxy server, and the port on which outbound traffic is allowed.
  7. Enter the credentials (username and password) that permit outbound traffic through the proxy server.
  8. You can optionally enter an alternative server/port and username/password for HTTPS traffic.
  9. In No proxy list, you can optionally specify a comma-separated list of outbound destinations that must bypass the proxy server.
    For a Tanzu Kubernetes Grid Service workload cluster, make sure you add the requirements listed above to the No proxy list.
  10. Click Create.
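
The following pre-flight check is an added example, not part of the VMware documentation or the Tanzu Mission Control tooling. It verifies that a comma-separated No proxy list covers the pod, ingress, and egress CIDRs and contains `*.svc` and `*.cluster.local` before you paste it into the console. The function name and the sample CIDRs are constructed, and it assumes that a broader CIDR in the list counts as covering a required subnet.

```python
import ipaddress

# Domain entries the page requires in a workload cluster's No proxy list.
REQUIRED_SUFFIXES = ("*.svc", "*.cluster.local")

# Constructed sample values; substitute the CIDRs from your Supervisor Cluster.
SAMPLE_CIDRS = {
    "pod": "192.168.0.0/16",
    "ingress": "10.20.30.0/27",
    "egress": "10.20.30.32/27",
}


def check_no_proxy(no_proxy, required_cidrs):
    """Return the required entries that the No proxy list does not cover."""
    entries = [e.strip() for e in no_proxy.split(",") if e.strip()]
    networks, names = [], set()
    for entry in entries:
        try:
            # Bare IP addresses parse as /32 (or /128) networks.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Anything that is not an IP or CIDR is treated as a host pattern.
            names.add(entry.lower())

    missing = []
    for label, cidr in required_cidrs.items():
        wanted = ipaddress.ip_network(cidr, strict=False)
        # Assumption: an equal or wider listed network covers the required subnet.
        covered = any(
            n.version == wanted.version and wanted.subnet_of(n) for n in networks
        )
        if not covered:
            missing.append(f"{label} CIDR {cidr}")
    missing += [s for s in REQUIRED_SUFFIXES if s not in names]
    return missing


if __name__ == "__main__":
    candidate = "192.168.0.0/16, 10.20.30.0/26, *.svc, localhost"  # constructed
    gaps = check_no_proxy(candidate, SAMPLE_CIDRS)
    print("No proxy list is complete" if not gaps else f"Missing: {gaps}")
```

An empty result means every requirement for workload clusters is present; any returned item should be added to the No proxy list before you click Create.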