You can SSH to a Tanzu Kubernetes cluster node as the vmware-system-user using a password.

You can connect to a cluster node as the vmware-system-user user with a password. The password is stored as a secret named CLUSTER-NAME-ssh-password. The password is base64 encoded in .data.ssh-passwordkey. You can provide the password over an SSH session. For more information about this secret, see Get Tanzu Kubernetes Cluster Secrets.


To route SSH connections to the appropriate workload network, deploy a Linux jump host VM in the vSphere environment where Workload Management is enabled. See Create a Linux Jump Host VM.
Note: This is a hard requirement if you want to connect to cluster nodes using SSH and you are using vDS networking, which does not support vSphere Pods. You can also use this approach with NSX-T networking if you prefer to use a password instead of a private key to connect over SSH.


  1. Get the IP address of the jump host VM, the username, and the password. See Create a Linux Jump Host VM.
  2. Connect to the Supervisor Cluster.
  3. Switch context to the vSphere Namespace where the target Tanzu Kubernetes cluster is provisioned.
    kubectl config use-context VSPHERE-NAMESPACE
  4. Get the IP address of the target cluster node.
    List the nodes.
    kubectl get virtualmachines
    Describe the nodes to get the IP address of the target node.
    kubectl describe virtualmachines
  5. View the TKGS-CLUSTER-NAME-ssh-password secret.
    kubectl get secrets
  6. Get the ssh-passwordkey for the target cluster.
    kubectl get secrets TKGS-CLUSTER-NAME-ssh-password -o yaml
    The ssh-passwordkey is returned, for example.
    apiVersion: v1
      ssh-passwordkey: RU1pQllLTC9TRjVFV0RBcCtmd1zwOTROeURYSWNGeXNReXJhaXRBUllYaz0=
  7. Decode the ssh-passwordkey.
    The secret is Base64 encoded. To decode it: on Linux use base64 --decode (or base64 -d); on MacOS, use base64 --Decode (or base64 -D); on Windows, use an online tool.
    echo <ssh-passwordkey> | base64 --decode
  8. SSH to the target cluster node as the vmware-system-user.
    ssh vmware-system-user@TKGS-CLUSTER-NODE-IP-ADDRESS
  9. Log in using the password you decoded.