Modify the Pinniped load balancer on an attached Kubernetes cluster running in a public cloud provider to enable kubeconfig access from Tanzu Mission Control.

As a platform operator, you can configure an attached cluster to allow users in your organization to connect to the cluster with kubectl.

When you attach a cluster, Tanzu Mission Control deploys Pinniped (an open source community standard) to support authentication into the cluster. By default, the Pinniped ingress load balancer is configured as private for the following types of clusters:
  • Amazon Elastic Kubernetes Service (EKS)
  • Azure Kubernetes Service (AKS)
  • Google Kubernetes Engine (GKE)

To access a cluster using the kubeconfig that you can generate through Tanzu Mission Control, you must have direct access to the private network on which it is running, because the load balancer is private by default.

This procedure describes how to update the configuration of the Pinniped load balancer to allow operators in your organization access to the cluster using the kubeconfig generated through Tanzu Mission Control.

Note: Use this approach judiciously. This procedure results in having a public cloud cluster with a public ingress load balancer. To minimize exposure, use this procedure only when other more secure approaches are not available.
This procedure is only necessary if all of the following are true:
  • The cluster is running in one of the public clouds listed above.
  • You have users in your organization that do not have direct access to the network on which the cluster is running.
  • Those users need to access the cluster using the kubeconfig generated by Tanzu Mission Control.
If the users in your organization that need kubectl access to the cluster have direct access to the network on which the cluster is running, then this procedure is not necessary.

For more information about generating a kubeconfig for an attached cluster, see Connect to a Managed Cluster with kubectl.

For more information about Pinniped, go to


This procedure assumes that you have already attached your Kubernetes cluster to Tanzu Mission Control, and that you have direct access to the cluster.

Make sure you have the appropriate permissions to enable access.
  • On the cluster, you must have admin permissions on the control plane to update the Pinniped configuration.


  1. Open a command window and set your kubectl context for the cluster.
  2. Edit the Pinniped configuration.
    1. Run the following kubectl command.
      kubectl edit credentialissuer cluster-auth-pinniped-config
    2. Locate the annotations section of spec.impersonationProxy.service.
      For example:
          mode: auto
    3. Remove the annotation that corresponds to public cloud provider that the cluster is running on.
      • GKE: Internal
      • AKS: "true"
      • EKS: "true"
    4. Save your changes.
  3. Delete the Pinniped service to force the cluster to restart it.
    kubectl delete services -n vmware-system-tmc cluster-auth-pinniped-impersonation-proxy-load-balancer
  4. Verify the new configuration
    1. Run the following command to confirm that the load balancer is now public.
      kubectl get services -n vmware-system-tmc
      The resulting output from this command should contain a line showing the Pinniped load balancer, that looks something like this:
      NAME                                                      TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)         AGE
      cluster-auth-pinniped-impersonation-proxy-load-balancer   LoadBalancer   10.0.###.113   52.143.###.159   443:30520/TCP   2h
    2. Verify that the EXTERNAL-IP column contains a value.
    3. When you subsequently download the kubeconfig from Tanzu Mission Control, make sure the endpoint in the URL matches the one from the output of this command.