As a vSphere administrator, you create a vSphere Namespace on the Supervisor Cluster. You set resources limits to the namespace and permissions so that DevOps engineers can access it. You provide the URL of the Kubernetes control plane to DevOps engineers where they can run Kubernetes workloads on the namespaces for which they have permissions.

Namespaces on Supervisor Clusters configured with the vSphere networking stack and namespaces on clusters configured with NSX-T Data Center have different networking configuration and capabilities.

Namespaces that you create on Supervisor Clusters configured with NSX-T Data Center support the full set of capabilities of the Workload Management platform. They support vSphere Pods, VMs, and Tanzu Kubernetes clusters. The workload networking support for these namespaces is provided by NSX-T Data Center. For more information, see System Requirements for Setting Up vSphere with Tanzu with NSX-T Data Center.

Namespaces that you create on a Supervisor Cluster configured with the vSphere networking stack only support Tanzu Kubernetes clusters and VMs, they do not support vSphere Pods and you cannot use the Harbor Registry with them. The workload networking support for these namespaces is provided by the vSphere Distributed Switch that is connected to the hosts part of the Supervisor Cluster. For more information, see System Requirements for Setting Up vSphere with Tanzu with vSphere Networking and HA Proxy Load Balancer.

You can also set resources limits to the namespace, assign permissions, and provision or activate the namespace service on a cluster as a template. As a result, DevOps engineers can create a Supervisor Namespace in a self-service manner and deploy workloads within it. For more information, see Provision a Self-Service Namespace Template.

Prerequisites

  • Configure a cluster with vSphere with Tanzu.
  • Create users or groups for all DevOps engineers who will access the namespace.
  • Create storage policies for persistent storage. Storage policies can define different types and classes of storage, for example, gold, silver, and bronze.
  • Create VM classes and content libraries for stand-alone VMs.
  • Create a content library for Tanzu Kubernetes releases for use with Tanzu Kubernetes clusters. See Creating and Managing Content Libraries for Tanzu Kubernetes releases.
  • Required privileges:
    • Namespaces.Modify cluster-wide configuration
    • Namespaces.Modify namespace configuration

Procedure

  1. From the vSphere Client home menu, select Workload Management.
  2. Click Namespaces and click New Namespace.
  3. Select the Supervisor Cluster where you want to place the namespace.
  4. Enter a name for the namespace.
    The name must be in a DNS-compliant format.
  5. From the Network drop-down menu, select a Workload Network for the namespace.
    Note: This step is available only if you create the namespace on a cluster that is configured with the vSphere networking stack.
  6. If you have configured the NSX-T Data Center networking stack for your cluster, you can select Override cluster network settings to override the cluster network settings and configure network settings for the namespace.
    Configure the following network settings for the namespace:
    Option Description
    NAT Mode The NAT mode is selected by default.
    If you deselect this option, all the workloads such as the vSphere Pods, VMs, and Tanzu Kubernetes clusters node IP addresses are directly accessible from outside the tier-0 gateway and you do not have to configure the egress CIDRs.
    Note: Once you enable a namespace mode, you cannot change it.
    Tier-0 Gateway Select the tier-0 gateway to associate with the namespace tier-1 gateway.

    Selecting a tier-0 gateway overrides the tier-0 gateway you configured while enabling the cluster, so you must configure the CIDR ranges again.

    If you select a VRF gateway that is linked to the tier-0 gateway, the network and subnets are automatically configured.

    If you have selected the NAT mode, you must configure the subnet, ingress, and egress CIDRs.

    If you deselect the NAT mode, you must only configure the subnet and ingress CIDRs.

    Note: Once you select a tier-0 gateway, you cannot change it.
    Namespace Network CIDR Enter one or more IP CIDRs to create subnets/segments and assign IP addresses for workloads connected to namespaces.
    Note: Enter the CIDR range if you did not configure it for the cluster. You can configure additional CIDRs after you create the namespace, by editing the namespace network settings.
    Namespace Subnet Prefix Enter the subnet prefix that specifies the size of the subnet reserved for namespaces segments. Default is 28.
    Note: Once you specify the subnet prefix, you cannot change it.
    Ingress CIDR Enter a CIDR annotation that determines the ingress IP range for the virtual IP addresses published by the load balancer service for vSphere Pods or Tanzu Kubernetes clusters.

    You can configure additional CIDRs after you create the namespace, by editing the namespace network settings.

    Egress CIDR Enter a CIDR annotation that determines the egress IP range for the SNAT IP addresses.

    You can configure additional CIDRs after you create the namespace, by editing the namespace network settings.

    Load balancer Size Select the size of the load balancer instance on the tier-1 gateway for the namespace.
  7. Enter a description, and click Create.
    The namespace is created on the Supervisor Cluster.
  8. Set permissions so that DevOps engineers can access the namespace.
    1. From the Permissions pane, select Add Permissions.
    2. Select an identity source, a user or a group, and a role, and click OK.
  9. Set persistent storage to the namespace.
    Storage policies that you assign to the namespace control how persistent volumes and Tanzu Kubernetes cluster nodes are placed within datastores in the vSphere storage environment. The persistent volume claims that correspond to persistent volumes can originate from a vSphere Pod, and VM, or from the Tanzu Kubernetes cluster. For more information, see Using Persistent Storage in vSphere with Tanzu.
    1. From the Storage pane, select Add Storage.
    2. Select a storage policy to control datastore placement of persistent volumes and click OK.
    After you assign the storage policy, vSphere with Tanzu creates a matching Kubernetes storage class in the vSphere Namespace. If you use VMware Tanzu™ Kubernetes Grid™ Service, the storage class is automatically replicated from the namespace to the Kubernetes cluster. When you assign multiple storage policies to the namespace, a separate storage class is created for each storage policy.
  10. From the Capacity and Usage pane, select Edit Limits and configure resource limitations to the namespace.
    Option Description
    CPU The amount of CPU resources to reserve for the namespace.
    Memory The amount of memory to reserve for the namespace.
    Storage The total amount of storage space to reserve for the namespace.
    Storage policies limits Set the amount of storage dedicated individually to each of the storage policies that you associated with the namespace.
    A resource pool for the namespace is created on vCenter Server. The storage limitation determines the overall amount of storage that is available to the namespace whereas storage polices determine the placement of persistent volumes for vSphere Pods on the associated storage classes.
  11. Set up VM Service for stand-alone VMs.
  12. Configure the namespace for Tanzu Kubernetes clusters, including the following:
    • Associate the Tanzu Kubernetes release content library with the namespace.
    • Add the default VM classes to the namespace.
    For more information, see Configure a vSphere Namespace for Tanzu Kubernetes releases.

What to do next

Share the Kubernetes Control Plane URL with DevOps engineers as well as the user name they can use to log in to the Supervisor Cluster through the Kubernetes CLI Tools for vSphere. You can grant access to more than one namespace to a DevOps engineer.