You can connect to any cluster node as the vmware-system-user using a password to troubleshoot a Tanzu Kubernetes cluster. You can provide the password over SSH or using the virtual machine console.

You can connect to a cluster node as the vmware-system-user user with a password. The password is stored as a secret named CLUSTER-NAME-ssh-password. The password is base64 encoded in .data.ssh-passwordkey. You can provide over an SSH session, or by accessing the virtual machine's console using the vSphere Client. For more information about this secret, see Tanzu Kubernetes Cluster Secrets.


Connect to the Supervisor Cluster. See Connect to a Tanzu Kubernetes Cluster as a vCenter Single Sign-On User.


  1. Switch context to the Supervisor Namespace where the Tanzu Kubernetes cluster is provisioned.
    kubectl config use-context NAMESPACE
  2. View the secret.
    kubectl get secrets
  3. Get the password for the target cluster, decode it, and write it to a local file.
    kubectl get secret CLUSTER-NAME-ssh-password -o jsonpath='{.data.ssh-passwordkey}' | base64 -d > tkg-cluster-password
    Note: The credential to decrypt the password is Base64 encoded. On Linux use -d to decode it. On Mac use -D.
    The command writes the password to a local file named tkg-cluster-password.
  4. Get the IP address of the target cluster node virtual machine.
    kubectl get virtualmachines
  5. Log in to the target virtual machine node remotely using SSH, or by using the web console.
    Option Description
    Log in using SSH
    1. Run a shell or terminal session.
    2. Run the following command:
      ssh vmware-system-user@NODE-IP-ADDRESS
    3. Enter the password at the prompt.
    Log in using the Web Console
    1. Log in to the vCenter Server using the vSphere Client.
    2. Select Menu > VMs and Templates.
    3. Locate the virtual machine in the vSphere inventory.
    4. Click Launch Web Console and select OK.
    5. Enter the user name vmware-system-user at the prompt.
    6. Enter the password at the prompt.