As a vSphere administrator, you create a vSphere Namespace on the Supervisor Cluster. You set resource limits on the namespace and assign permissions so that DevOps engineers can access it. You then provide the URL of the Kubernetes control plane to DevOps engineers, who can run Kubernetes workloads on the namespaces for which they have permissions.

Namespaces on Supervisor Clusters configured with the vSphere networking stack and namespaces on clusters configured with NSX have different networking configurations and capabilities.

Namespaces that you create on Supervisor Clusters configured with NSX-T Data Center support the full set of capabilities of the Workload Management platform. They support vSphere Pods, VMs, and Tanzu Kubernetes clusters. The workload networking support for these namespaces is provided by NSX. For more information, see System Requirements for Setting Up vSphere with Tanzu with NSX.

Namespaces that you create on a Supervisor Cluster configured with the vSphere networking stack support only Tanzu Kubernetes clusters and VMs. They do not support vSphere Pods, and you cannot use the Harbor Registry with them. The workload networking support for these namespaces is provided by the vSphere Distributed Switch that is connected to the hosts that are part of the Supervisor Cluster. For more information, see System Requirements for Setting Up vSphere with Tanzu with vSphere Networking and HAProxy Load Balancer.

You can also set resource limits on the namespace, assign permissions, and provision or activate the namespace service on a cluster as a template. As a result, DevOps engineers can create a Supervisor Namespace in a self-service manner and deploy workloads within it. For more information, see Provision a Self-Service Namespace Template.

If you use NSX for your Supervisor Clusters, you have the option to override the networking settings at the vSphere Namespace level. Keep in mind the following considerations if you select that option:

Table 1. vSphere Namespace Network Planning Considerations
Consideration | Description
NSX Installation | To override Supervisor Cluster network settings for a particular vSphere Namespace, NSX must include an Edge Cluster dedicated for Tier-0 Gateways (routers) and another Edge Cluster dedicated for Tier-1 Gateways. Refer to the NSX installation instructions provided in the guide Installing and Configuring vSphere with Tanzu.
IPAM Required | If you override Supervisor Cluster network settings for a particular vSphere Namespace, the new vSphere Namespace network must specify Ingress, Egress, and Namespace Network subnets that are unique within the Supervisor Cluster and distinct from any other vSphere Namespace network. You will need to manage IP address allocation accordingly.
Supervisor Cluster Routing | The Supervisor Cluster must be able to route directly to the TKG cluster nodes and ingress subnets. When selecting a Tier-0 Gateway for the vSphere Namespace, you have two options for configuring the required routing:
  • Use a Virtual Routing and Forwarding (VRF) Gateway to inherit the configuration from the Supervisor Cluster Tier-0 Gateway
  • Use the Border Gateway Protocol (BGP) to configure routes between the Supervisor Cluster Tier-0 Gateway and the dedicated Tier-0 Gateway

Refer to the NSX Tier-0 Gateways documentation for details on these options.

Prerequisites

  • Configure a cluster with vSphere with Tanzu.
  • Create users or groups for all DevOps engineers who will access the namespace.
  • Create storage policies for persistent storage. Storage policies can define different types and classes of storage, for example, gold, silver, and bronze.
  • Create VM classes and content libraries for stand-alone VMs.
  • Create a content library for Tanzu Kubernetes releases for use with Tanzu Kubernetes clusters. See Creating and Managing Content Libraries for Tanzu Kubernetes releases.
  • Required privileges:
    • Namespaces.Modify cluster-wide configuration
    • Namespaces.Modify namespace configuration

Procedure

  1. From the vSphere Client home menu, select Workload Management.
  2. Select the Namespaces tab.
  3. Click Create Namespace.
  4. Select the Supervisor Cluster where you want to place the namespace.
  5. Enter a name for the namespace.
    The name must be in a DNS-compliant format.
  6. From the Network drop-down menu, select a Workload Network for the namespace.
    Note: This step is available only if you create the namespace on a cluster that is configured with the vSphere networking stack.
  7. If you have configured the NSX networking stack for your cluster, you can select Override cluster network settings to override the cluster network settings and configure network settings for the namespace.
    Configure the following network settings for the namespace:
    Option | Description
    NAT Mode | The NAT mode is selected by default.
    If you deselect this option, the IP addresses of all workloads, such as vSphere Pods, VMs, and Tanzu Kubernetes cluster nodes, are directly accessible from outside the tier-0 gateway and you do not have to configure the egress CIDRs.
    Note: Once you enable a namespace mode, you cannot change it.
    Tier-0 Gateway | Select the tier-0 gateway to associate with the namespace tier-1 gateway.
    Selecting a tier-0 gateway overrides the tier-0 gateway you configured while enabling the cluster, so you must configure the CIDR ranges again.
    Note: The Supervisor Cluster must be able to route directly to the TKG cluster nodes and ingress subnets.

    If you select a VRF gateway that is linked to the tier-0 gateway, the network and subnets are automatically configured.

    If you have selected the NAT mode, you must configure the subnet, ingress, and egress CIDRs.

    If you deselect the NAT mode, you must configure only the subnet and ingress CIDRs.

    Note: Once you select a tier-0 gateway, you cannot change it.
    Namespace Network CIDR | Enter one or more IP CIDRs to create subnets/segments and assign IP addresses for workloads connected to namespaces.
    Note: Enter the CIDR range if you did not configure it for the cluster. You can configure additional CIDRs after you create the namespace, by editing the namespace network settings.
    Namespace Subnet Prefix | Enter the subnet prefix that specifies the size of the subnet reserved for namespace segments. Default is 28.
    Note: Once you specify the subnet prefix, you cannot change it.
    Ingress CIDR | Enter a CIDR annotation that determines the ingress IP range for the virtual IP addresses published by the load balancer service for vSphere Pods or Tanzu Kubernetes clusters.

    You can configure additional CIDRs after you create the namespace, by editing the namespace network settings.

    Egress CIDR | Enter a CIDR annotation that determines the egress IP range for the SNAT IP addresses.

    You can configure additional CIDRs after you create the namespace, by editing the namespace network settings.

    Load Balancer Size | Select the size of the load balancer instance on the tier-1 gateway for the namespace.
  8. Enter a description, and click Create.
    The namespace is created on the Supervisor Cluster.
  9. Set permissions so that DevOps engineers can access the namespace.
    1. From the Permissions pane, select Add Permissions.
    2. Select an identity source, a user or a group, and a role, and click OK.
  10. Assign persistent storage to the namespace.
    Storage policies that you assign to the namespace control how persistent volumes and Tanzu Kubernetes cluster nodes are placed within datastores in the vSphere storage environment. The persistent volume claims that correspond to persistent volumes can originate from a vSphere Pod, a VM, or a Tanzu Kubernetes cluster. For more information, see Using Persistent Storage in vSphere with Tanzu.
    1. From the Storage pane, select Add Storage.
    2. Select a storage policy to control datastore placement of persistent volumes and click OK.
    After you assign the storage policy, vSphere with Tanzu creates a matching Kubernetes storage class in the vSphere Namespace. If you use VMware Tanzu™ Kubernetes Grid™ Service, the storage class is automatically replicated from the namespace to the Kubernetes cluster. When you assign multiple storage policies to the namespace, a separate storage class is created for each storage policy.
  11. From the Capacity and Usage pane, select Edit Limits and configure resource limits for the namespace.
    Option | Description
    CPU | The amount of CPU resources to reserve for the namespace.
    Memory | The amount of memory to reserve for the namespace.
    Storage | The total amount of storage space to reserve for the namespace.
    Storage policies limits | Set the amount of storage dedicated individually to each of the storage policies that you associated with the namespace.
    A resource pool for the namespace is created on vCenter Server. The storage limitation determines the overall amount of storage that is available to the namespace, whereas storage policies determine the placement of persistent volumes for vSphere Pods on the associated storage classes.
  12. Set up VM Service for stand-alone VMs.
  13. Configure the namespace for Tanzu Kubernetes clusters, including the following:
    • Associate the Tanzu Kubernetes release content library with the namespace.
    • Add the default VM classes to the namespace.
    For more information, see Configure a vSphere Namespace for Tanzu Kubernetes releases.
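
A pre-check for the values entered in steps 5 and 7, covering the IPAM consideration in Table 1, as an added example that is not part of the VMware documentation. The function name, the reading of "DNS-compliant" as an RFC 1123 label, the rule that each namespace network CIDR must hold at least one segment of the chosen prefix, and all addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: "DNS-compliant" is read as an RFC 1123 label, the rule Kubernetes
# applies to namespace names (lowercase alphanumerics and '-', at most 63 chars).
DNS_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def validate_namespace_plan(name, nat_mode, namespace_cidrs, ingress_cidrs,
                            egress_cidrs, in_use_cidrs, subnet_prefix=28):
    """Return the problems found in a planned namespace network override."""
    problems = []
    if not DNS_LABEL.fullmatch(name):
        problems.append(f"name {name!r} is not a DNS-compliant label")

    # NAT mode: subnet, ingress and egress CIDRs. NAT deselected: subnet and
    # ingress CIDRs only, so egress is neither required nor checked.
    required = {"namespace": namespace_cidrs, "ingress": ingress_cidrs}
    if nat_mode:
        required["egress"] = egress_cidrs

    planned = []
    for role, cidrs in required.items():
        if not cidrs:
            problems.append(f"{role} CIDR is missing")
        for text in cidrs or []:
            try:
                planned.append((role, ipaddress.ip_network(text)))
            except ValueError as exc:
                problems.append(f"{role} CIDR {text!r} is invalid: {exc}")

    # Assumption: segments of size /subnet_prefix are carved out of the
    # namespace network CIDRs, so each CIDR must hold at least one of them.
    for role, net in planned:
        if role == "namespace" and net.prefixlen > subnet_prefix:
            problems.append(f"{net} cannot hold a /{subnet_prefix} segment")

    # IPAM: every planned range must be unique, both against the other planned
    # ranges and against ranges already used by the Supervisor or a namespace.
    others = [("in-use", ipaddress.ip_network(c)) for c in in_use_cidrs]
    for i, (role, net) in enumerate(planned):
        for other_role, other in planned[i + 1:] + others:
            if net.overlaps(other):
                problems.append(f"{role} {net} overlaps {other_role} {other}")
    return problems


# Constructed sample values, not taken from any real environment.
IN_USE = ["10.244.0.0/20", "192.168.10.0/24", "192.168.20.0/24"]
```

Because the NAT mode, the tier-0 gateway, and the subnet prefix cannot be changed after the namespace is created, running a check like this before clicking Create catches overlaps while they are still cheap to fix.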

What to do next

Share the Kubernetes Control Plane URL with DevOps engineers as well as the user name they can use to log in to the Supervisor Cluster through the Kubernetes CLI Tools for vSphere. You can grant access to more than one namespace to a DevOps engineer. See Connecting to vSphere with Tanzu Clusters.