vSphere with Tanzu leverages vSphere security features and provisions Tanzu Kubernetes clusters that are secure by default.
vSphere with Tanzu is an add-on module to vSphere that can leverage the security features built into vCenter Server and ESXi. For more information, see the vSphere Security documentation.
The cluster data stored in the Supervisor Cluster database (etcd) is encrypted with a local encryption key file. The same is true for the database (etcd) that is installed on the control plane for each Tanzu Kubernetes cluster. The certificates are automatically renewed when you upgrade that cluster. You cannot manually rotate or update the certificates.
Starting from vSphere 7.0 Update 2, you can run confidential vSphere Pods in a Supervisor Cluster on AMD systems. You can create confidential vSphere Pods by adding Secure Encrypted Virtualization-Encrypted State (SEV-ES) as a security enhancement. For more information, see Deploy a Confidential vSphere Pod.
A Tanzu Kubernetes cluster is secure by default. A restrictive PodSecurityPolicy (PSP) is available for any Tanzu Kubernetes cluster provisioned by the Tanzu Kubernetes Grid Service. If developers need to run privileged pods or root containers, a cluster administrator must, at a minimum, create a RoleBinding that grants user access to the default privileged PSP. For more information, see Using Pod Security Policies with Tanzu Kubernetes Clusters.
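Because one RoleBinding is all that separates a workload from the privileged PSP, it is worth auditing which bindings grant it. The following Python script is an added example, not code from VMware or this documentation: it lists every binding that references the privileged PSP role and marks the ones that reach beyond a single workload. The ClusterRole name `psp:vmware-system-privileged` is an assumption to confirm in your cluster, and the binding names and sample data are constructed.

```python
import json

# Assumption: ClusterRole granting "use" on the default privileged PSP.
# Confirm the name in your cluster with `kubectl get clusterrole`.
PRIVILEGED_PSP_ROLE = "psp:vmware-system-privileged"
# Group subjects that extend a binding far beyond a single workload.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated",
                "system:serviceaccounts"}

def audit_psp_bindings(binding_list, role_name=PRIVILEGED_PSP_ROLE):
    """Return one finding per binding that references the privileged PSP role."""
    findings = []
    for item in binding_list.get("items", []):
        if item.get("roleRef", {}).get("name") != role_name:
            continue  # binding grants something else; out of scope here
        reasons = []
        if item.get("kind") == "ClusterRoleBinding":
            reasons.append("applies in every namespace")
        for subj in item.get("subjects") or []:
            name = subj.get("name", "")
            if subj.get("kind") == "Group" and (
                    name in BROAD_GROUPS
                    or name.startswith("system:serviceaccounts:")):
                reasons.append("broad group " + name)
        meta = item.get("metadata", {})
        findings.append({"binding": meta.get("name"),
                         "namespace": meta.get("namespace"),
                         "verdict": "review" if reasons else "scoped",
                         "reasons": reasons})
    return findings

# Constructed sample in the shape of
# `kubectl get rolebindings,clusterrolebindings -A -o json`.
SAMPLE = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "all-privileged"},
     "roleRef": {"kind": "ClusterRole", "name": PRIVILEGED_PSP_ROLE},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-builder", "namespace": "ci"},
     "roleRef": {"kind": "ClusterRole", "name": PRIVILEGED_PSP_ROLE},
     "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-edit", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "dev@example.test"}]},
]}

if __name__ == "__main__":
    print(json.dumps(audit_psp_bindings(SAMPLE), indent=2))
```

To run it against a live cluster, load the JSON output of the `kubectl` command named in the comment with `json.load` and pass the result to `audit_psp_bindings`.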
A Tanzu Kubernetes cluster does not have infrastructure credentials. The credentials that are stored within a Tanzu Kubernetes cluster are only sufficient to access the vSphere Namespace where the Tanzu Kubernetes cluster has tenancy. As a result, there is no privilege escalation avenue for cluster operators or users.
The authentication tokens used to access Tanzu Kubernetes clusters are scoped such that the tokens cannot be used to access the Supervisor Cluster. This prevents cluster operators, or individuals who might try to compromise a cluster, from using their root-level access to capture a vSphere administrator's token when they log in to a Tanzu Kubernetes cluster.