When provisioning a new cluster using VMware Tanzu Mission Control, you can provide additional options using the Advanced settings selector, such as security groups for Tanzu Kubernetes clusters running in AWS EC2, and Avi configuration for Tanzu Kubernetes clusters running in vSphere.

Depending on the platform that your management cluster is running on, you might have additional configuration options available.

Security Groups for Tanzu Kubernetes clusters running in AWS EC2

This feature is available for clusters created with Tanzu Kubernetes Grid version 1.5 or later running in Amazon Web Services (AWS).

When you create a new workload cluster in a Tanzu Kubernetes Grid management cluster running in AWS EC2, you can set the following variables to use security groups that you created, rather than the default security groups that Tanzu Kubernetes Grid creates. Each value is the ID of an existing security group in the cluster's VPC. Because your groups replace the defaults, each one must permit the traffic that the cluster components behind it need.
  • AWS_SECURITY_GROUP_BASTION is the ID of a user-created security group that controls inbound access to the bastion host.
  • AWS_SECURITY_GROUP_CONTROLPLANE is the ID of a user-created security group that controls inbound access to the control plane nodes. This group must allow inbound access to port 6443, the Kubernetes API server port.
  • AWS_SECURITY_GROUP_NODE is the ID of a user-created security group that controls inbound access to all nodes.
  • AWS_SECURITY_GROUP_LB is the ID of a user-created security group that the Kubernetes AWS Cloud Provider uses when it sets rules for Elastic Load Balancers (ELBs).
  • AWS_SECURITY_GROUP_APISERVER_LB is the ID of a user-created security group used for the Kubernetes API server ELB; it controls inbound access to the control plane endpoint.
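The following cluster configuration fragment is an added example, not code from this page or from VMware; it shows all five variables set to user-created groups in the form a Tanzu Kubernetes Grid cluster configuration file uses. The cluster name, region, VPC ID and security group IDs are placeholders, and the inbound rules suggested in the comments, other than port 6443 on the control plane, are this example's own least-privilege assumptions rather than requirements stated on this page.

```yaml
# Added example: TKG workload-cluster configuration for AWS EC2 that replaces the
# default security groups with user-created ones. All IDs below are placeholders.
CLUSTER_NAME: payments-prod          # placeholder
INFRASTRUCTURE_PROVIDER: aws
AWS_REGION: us-east-1                # placeholder
AWS_VPC_ID: vpc-0a1b2c3d4e5f60718    # placeholder; every group below must belong to this VPC

# Bastion host: the only instance meant to be reachable from outside the VPC.
# Assumption of this example: inbound TCP/22 from the operations network only.
AWS_SECURITY_GROUP_BASTION: sg-0aaaaaaaaaaaaaaaa

# Control plane nodes. The page requires inbound access to port 6443. The tightest
# source for that rule is the API-server load balancer group further down, not
# 0.0.0.0/0 (assumption of this example).
AWS_SECURITY_GROUP_CONTROLPLANE: sg-0bbbbbbbbbbbbbbbb

# All nodes. Assumption of this example: node-to-node traffic allowed from this
# group itself, SSH allowed only from the bastion group.
AWS_SECURITY_GROUP_NODE: sg-0cccccccccccccccc

# Group the Kubernetes AWS Cloud Provider uses when it sets rules for the ELBs it
# creates for Service objects of type LoadBalancer.
AWS_SECURITY_GROUP_LB: sg-0dddddddddddddddd

# API-server ELB: this is the control plane endpoint, so the inbound TCP/6443 rule
# on this group decides who can reach the Kubernetes API at all. Restrict its
# source CIDRs to the networks that need API access (assumption of this example).
AWS_SECURITY_GROUP_APISERVER_LB: sg-0eeeeeeeeeeeeeeee
```

Before creating the cluster, confirm the rules on each group with aws ec2 describe-security-groups --group-ids <id> and check that the control plane group's inbound rules include TCP port 6443; a missing rule there leaves the API server unreachable behind its load balancer.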

Avi Kubernetes Operator Configuration for Clusters Running in vSphere

This feature is available for clusters created with Tanzu Kubernetes Grid version 1.6 or later running in vSphere.

When you create a new workload cluster in a Tanzu Kubernetes Grid management cluster running in vSphere, you can specify one or more label selectors to identify the Avi Kubernetes Operator (AKO) configuration that you want to use for the new cluster.

If you have a custom AKO configuration (AKODeploymentConfig, or ADC) defined in your management cluster, you can specify one or more values for AVI_LABELS that identify the ADC that you want to use in the new cluster.

Label selectors must be JSON-formatted, for example {"mykey":"myvalue"}. You can add multiple, comma-separated label selectors. If you add multiple label selectors, the ADC matches only if it has all of the specified labels; a partial match does not select the ADC. For more information about how label selectors work, see Policy-Driven Cluster Management in VMware Tanzu Mission Control Concepts.
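As an added example, not taken from this page or from VMware's own documentation, the following shows a custom ADC in the management cluster next to the AVI_LABELS value that selects it for a new workload cluster. The label keys, ADC name, controller address, cloud name, service engine group and data network are placeholders; the ADC fields other than clusterSelector.matchLabels are assumptions about what a typical ADC contains and are included only for context. This example writes multiple labels as one JSON object with several keys.

```yaml
# Added example, part 1: a custom AKODeploymentConfig in the management cluster.
# Only a cluster whose AVI_LABELS carry BOTH keys below, with these values, matches
# this ADC. All other fields are placeholders for a typical ADC (assumptions).
apiVersion: networking.tkg.tanzu.vmware.com/v1alpha1
kind: AKODeploymentConfig
metadata:
  name: adc-payments-prod             # placeholder
spec:
  clusterSelector:
    matchLabels:
      team: payments
      env: prod
  cloudName: Default-Cloud            # placeholder
  controller: avi.example.internal    # placeholder
  serviceEngineGroup: seg-prod        # placeholder
  adminCredentialRef:
    name: avi-controller-credentials  # placeholder
    namespace: tkg-system-networking
  certificateAuthorityRef:
    name: avi-controller-ca           # placeholder
    namespace: tkg-system-networking
  dataNetwork:
    name: vip-network-prod            # placeholder
    cidr: 10.10.20.0/24               # placeholder
---
# Added example, part 2: the workload-cluster configuration. AVI_LABELS is a
# JSON object quoted as a string; every key in it must be present with the same
# value in the ADC above. A cluster configured with only {"team":"payments"}
# would not select adc-payments-prod, because env is missing.
CLUSTER_NAME: payments-prod           # placeholder
AVI_LABELS: '{"team":"payments","env":"prod"}'
```

To see which labels an ADC actually requires before you set AVI_LABELS, switch kubectl to the management cluster context and inspect the object, for example kubectl get akodeploymentconfig adc-payments-prod -o yaml, and compare its clusterSelector.matchLabels with the keys and values you intend to pass.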