To use Tanzu Service Mesh, your environment must meet certain hardware, software, and networking requirements and use one of the supported platforms.

Workload Cluster Resource Requirements

To successfully onboard a cluster to Tanzu Service Mesh, you need sufficient resources to support the DaemonSets and the data plane components that Tanzu Service Mesh runs locally on the cluster. For a list of the components for the latest version of data plane, see the Data Plane Component Resource Requirements table.

Each of your Kubernetes clusters must meet the following resource requirements.
Table 1. Cluster Resource Requirements

Requirement

Value

Nodes

At the time of onboarding, the Tanzu Service Mesh data plane requires at least 3 nodes, each with at least 4,000 milliCPU (4 CPUs) of allocatable CPU and 6 GB of allocatable memory.

Note:
  • 0.1 CPU is equal to 100 milliCPU, or 100m. For more information about CPU resource units, see the Kubernetes documentation.

  • The Data Plane Component Resource Requirements table below breaks down these resource requirements by data plane component.

DaemonSets

The DaemonSets instantiate a pod on every node on the cluster. To run the DaemonSets, Tanzu Service Mesh requires that every node in the cluster have at least 250 milliCPU and 650 MB of memory available.

Ephemeral storage

24 GB for the whole cluster and additionally 1 GB for each node.

Pods

Tanzu Service Mesh requires a quota of at least 3 pods for each node on the cluster and additionally at least 30 pods for the whole cluster.

The Tanzu Service Mesh data plane components are distributed across the nodes, meaning the pods for these components can run on any node on the cluster. As stated in the Cluster Resource Requirements table, we recommend at least three nodes with 3 CPUs and 6 GB of memory available to run the data plane components.

For example, you are onboarding a cluster with 10 worker nodes to Tanzu Service Mesh. 3 of the worker nodes must have at least 3 CPUs and 6 GB of memory available to run the data plane components. Additionally, each of the worker nodes must have at least 250 milliCPU and 650 MB of memory available for the DaemonSets (see the resource requirements for DaemonSets in the Cluster Resource Requirements table).

Tanzu Service Mesh data plane version 4.0.0 or later reserves the specified resources for each of the following major data plane components.

Table 2. Data Plane Component Resource Requirements

Component

CPU

Memory

No. of Instances

Total CPU (CPU Reservation * No. of Instances)

Total Memory (Memory Reservation * No. of Instances)

istiod

500m

2 GiB

2

1,000m

4 GiB

telemetry

1100m

1128 MiB

2

2200m

2256 MiB

Ingress-gateway

100m

128 MiB

2

200m

256 MiB

Egress-gateway

100m

128 MiB

2

200m

256 MiB

Telegraf-istio

100m

500 MiB

1 instance per node in the cluster. For example, if the cluster has 5 nodes, Telegraf-istio requires 5 instances.

CPU value * No. of Instances

Memory value * No. of instances

Note:

This is not an exhaustive list of the Tanzu Service Mesh data plane components.

For the pods in the Data Plane Component Resource Requirements table to be successfully scheduled on a Kubernetes cluster, we recommend worker nodes with sufficiently large CPU and memory resources. See the resource requirements for nodes in the Workload Cluster Resource Requirements table. Clusters with worker nodes that do not meet these resource requirements might not have enough CPU or memory on individual nodes to schedule the istiod and telemetry pods due to existing pods and reservations.

Supported Istio Version

Tanzu Service Mesh supports Istio version 1.18.1. For details of the changes contained in Istio 1.18.1, see the Istio 1.18.1 release notes.

Supported Platforms

Your environment uses one of the following Kubernetes platforms with supported versions.

Platform

Platform Version

Kubernetes Version

VMware Tanzu® Kubernetes Grid™ Integrated Edition

1.18.1

1.27

1.17.3

1.26

1.16.6

1.25

VMware Tanzu® Mission Control™ (provisioned clusters)

N/A

All versions running on clusters

VMware Tanzu® Mission Control™ (attached clusters)

N/A

Kubernetes versions supported by Tanzu Kubernetes Grid Integrated Edition, VMware Tanzu Kubernetes Grid Service, VMware Tanzu Kubernetes Grid, or Amazon EKS depending on the platform of an attached cluster (see the corresponding rows in this table)

VMware Tanzu® Kubernetes Grid™ on vSphere 8

2.5.0

1.28, 1.27, 1.26

VMware vSphere® with VMware Tanzu®

VC8

1.27, 1.26, 1.25

Amazon EKS

N/A

1.29, 1.28, 1.27, 1.26, 1.25, 1.24

Azure Kubernetes Service (AKS)

N/A

1.29, 1.28, 1.27, 1.26

Anthos Google Kubernetes Engine (GKE)

N/A

1.29, 1.28, 1.27, 1.26

Connectivity Requirements

  • For workloads on your clusters to communicate with each other, the clusters must have network connectivity between each other.

  • Your clusters have Container Networking Interface (CNI) enabled.

  • Your clusters have role-based access control (RBAC) enabled.

  • The kubectl command-line tool is installed in your environment. For instructions on how to download, install, and set up kubectl, refer to the Kubernetes documentation.

  • Chrome browser version 74.x or later is installed.

  • The Tanzu Service Mesh client software on your clusters needs to communicate with Tanzu Service Mesh Software as a Service (SaaS), and Amazon Elastic Container Registry (ECR). Configure your firewall rules to allow your clusters to access the following domains on port 443:

    • prod-1.nsxservicemesh.vmware.com or prod-2.nsxservicemesh.vmware.com

    • *.prod-1-internal.nsxservicemesh.vmware.com or *.prod-2-internal.nsxservicemesh.vmware.com (for clusters onboarded before Tanzu Service Mesh version 1.10)

    • prod-1-internal.nsxservicemesh.vmware.com or prod-2-internal.nsxservicemesh.vmware.com (for clusters onboarded to Tanzu Service Mesh version 1.10 or later)

    • prod-ap-south-1-001.nsxservicemesh.vmware.com

    • prod-ap-south-1-001-internal.nsxservicemesh.vmware.com

    • public.ecr.aws/v6x6b8s5/

    • tsm-release.s3.us-west-2.amazonaws.com (for clusters onboarded before Tanzu Service Mesh version 1.10)

    • prod-us-west-2-starport-layer-bucket.s3.us-west-2.amazonaws.com

    • storage.googleapis.com

    Note:

    Depending on whether your organization uses the Tanzu Service Mesh prod-1 or prod-2 production environment, your clusters must have access to the corresponding prod-1 or prod-2 domains.

  • If you use a policy agent, such as Open Policy Agent (OPA), add the following to your trusted registries:

    • public.ecr.aws/v6x6b8s5/

  • An infrastructure load balancer (Kubernetes service type LoadBalancer) is deployed on your clusters. For example, VMware NSX Advanced Load Balancer (Avi Networks) or MetaLB can be used as a network load balancer.

Note:

Tanzu Service Mesh does not support the NodePort service type in Kubernetes.