The Supervisor Cluster is the management plane for Tanzu Kubernetes clusters provisioned by the Tanzu Kubernetes Grid Service. The tenancy model is enforced using a Supervisor Namespace where Tanzu Kubernetes clusters reside.

Supervisor Cluster

The Supervisor Cluster provides the management layer on which Tanzu Kubernetes clusters are built. The Tanzu Kubernetes Grid Service is a custom controller manager, running as part of the Supervisor Cluster, whose set of controllers provisions and manages the lifecycle of Tanzu Kubernetes clusters.

While there is a one-to-one relationship between the Supervisor Cluster and the vSphere cluster, there is a one-to-many relationship between the Supervisor Cluster and Tanzu Kubernetes clusters. You can provision multiple Tanzu Kubernetes clusters within a single Supervisor Cluster. The workload management functionality provided by the Supervisor Cluster gives you control over cluster configuration and lifecycle, while keeping the clusters current with upstream Kubernetes releases.

For more information, see Configuring a Supervisor Cluster.

Supervisor Namespace

You deploy one or more Tanzu Kubernetes clusters to a Supervisor Namespace. Resource quotas and storage policy are applied to a Supervisor Namespace and inherited by the Tanzu Kubernetes clusters deployed there.

When you provision a Tanzu Kubernetes cluster, a resource pool and a VM folder are created in the Supervisor Namespace. The Tanzu Kubernetes cluster control plane and worker node VMs are placed within this resource pool and VM folder. In the vSphere Client, you can view this hierarchy by selecting the Hosts and Clusters perspective, and also by selecting the VMs and Templates view.

For more information, see Working with Namespaces on a Supervisor Cluster.

Content Library

A vSphere Content Library provides the virtual machine template used to create the Tanzu Kubernetes cluster nodes. For each Supervisor Cluster where you intend to deploy a Tanzu Kubernetes cluster, you must define a Subscribed Content Library object that sources the OVA used by the Tanzu Kubernetes Grid Service to build cluster nodes. The same Subscribed Content Library can be configured for multiple Supervisor Clusters. There is no relationship between the Subscribed Content Library and the Supervisor Namespace.

For more information, see Create a Subscribed Content Library for Tanzu Kubernetes Clusters.

Cluster Security

A Tanzu Kubernetes cluster is secure by default. A restrictive PodSecurityPolicy (PSP) is available on every Tanzu Kubernetes cluster provisioned by the Tanzu Kubernetes Grid Service, so pods that request privileged mode or run as root are not admitted unless a policy that allows them is bound to the requesting identity. If developers need to run privileged pods or root containers, at a minimum a cluster administrator must create a RoleBinding that grants the user or service account the use verb on the default privileged PSP; bind the narrowest subject that needs it (a specific service account in one namespace) rather than all authenticated users or all service accounts. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on releases without it, the equivalent gate is the Pod Security Admission controller. For more information, see Using Pod Security Policies with Tanzu Kubernetes Clusters.
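As an added illustration (this manifest is not from the original page or from the VMware documentation), the following RoleBinding grants a single service account permission to use the default privileged PSP in one namespace, and a pod that runs under that service account. The namespace ci, the service account builder and the image are hypothetical. The ClusterRole name psp:vmware-system-privileged follows the naming used in the vSphere with Tanzu PSP documentation, but confirm the PSP and ClusterRole names on your own cluster with kubectl get psp and kubectl get clusterrole before applying anything.

```yaml
# Added example: grant one service account "use" on the default privileged PSP.
# Namespace "ci", service account "builder" and the image are hypothetical.
# The ClusterRole name psp:vmware-system-privileged is assumed from the vSphere
# with Tanzu PSP documentation; confirm it with: kubectl get clusterrole | grep psp
apiVersion: v1
kind: ServiceAccount
metadata:
  name: builder
  namespace: ci
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: builder-privileged-psp
  namespace: ci                         # namespaced binding, not a ClusterRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:vmware-system-privileged    # ClusterRole that grants "use" on the privileged PSP
subjects:
- kind: ServiceAccount                  # bind the one workload identity that needs it,
  name: builder                         # not the system:serviceaccounts group
  namespace: ci
---
# A pod that needs privileged mode runs under that service account. Pods in the
# same namespace that use the default service account are still held to the
# restrictive PSP, because no binding grants them the privileged one.
apiVersion: v1
kind: Pod
metadata:
  name: privileged-build
  namespace: ci
spec:
  serviceAccountName: builder
  containers:
  - name: build
    image: registry.example.com/ci/builder:1.0   # hypothetical image
    securityContext:
      privileged: true
```

To check the binding before deploying workloads, impersonate the subject and ask the API server directly: kubectl auth can-i use podsecuritypolicy/vmware-system-privileged --as=system:serviceaccount:ci:builder -n ci should answer yes, and the same query with --as=system:serviceaccount:ci:default should answer no (the PSP name vmware-system-privileged is likewise assumed from the VMware documentation and should be confirmed with kubectl get psp). If the default service account also answers yes, a broader binding exists somewhere and should be found and narrowed.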

A Tanzu Kubernetes cluster holds no infrastructure (vSphere) credentials. The credentials stored within a Tanzu Kubernetes cluster are sufficient only to access the Supervisor Namespace in which the cluster has tenancy. As a result, a cluster administrator or user has no path to escalate from the Tanzu Kubernetes cluster to the Supervisor Cluster or to vSphere.

Authentication tokens used to access a Tanzu Kubernetes cluster are scoped to that cluster and cannot be used to access the Supervisor Cluster. This prevents a cluster administrator, or an attacker who has compromised a cluster, from using root-level access on the cluster nodes to capture a vSphere administrator's token when that administrator logs in to the Tanzu Kubernetes cluster: a captured token grants nothing beyond the cluster the attacker already controls.