vSphere with Tanzu leverages vSphere security features and provisions Tanzu Kubernetes clusters that are secure by default.
vSphere with Tanzu is an add-on module to vSphere that can leverage the security features built into vCenter Server and ESXi. For more information, see the vSphere Security documentation.
The Supervisor Cluster encrypts all secrets stored in its database (etcd). The secrets are encrypted with a local decryption key file, which vCenter Server provides at boot. The decryption key is held in memory (tmpfs) on the Supervisor Cluster nodes and on disk, in encrypted form, within the vCenter Server database. The key is available in clear text to the root user of each system. Secrets held within the database of each workload cluster are stored in clear text. All etcd connections are authenticated with certificates that are generated at installation and rotated during upgrades. Manual rotation or updating of these certificates is currently not possible.
Starting from vSphere 7.0 Update 2, you can run confidential vSphere Pods in a Supervisor Cluster on AMD systems. You can create confidential vSphere Pods by adding Secure Encrypted Virtualization-Encrypted State (SEV-ES) as a security enhancement. For more information, see Deploy a Confidential vSphere Pod.
A Tanzu Kubernetes cluster is secure by default. A restrictive PodSecurityPolicy (PSP) is available for every Tanzu Kubernetes cluster provisioned by the Tanzu Kubernetes Grid Service. If developers need to run privileged pods or root containers, at a minimum a cluster administrator must create a RoleBinding that grants users access to the default privileged PSP. For more information, see Using Pod Security Policies with Tanzu Kubernetes Clusters.
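The RoleBinding described above, as an added example that is not part of the VMware documentation: it grants the privileged PSP only to the service accounts of one namespace, so the restrictive default stays in force everywhere else. The namespace dev-team-a is constructed, and the ClusterRole name psp:vmware-system-privileged is an assumption to be confirmed on your cluster.

```yaml
# Added example, not from the VMware documentation page.
# Grants only the service accounts of the constructed namespace "dev-team-a"
# the right to use the default privileged PSP. The ClusterRole name
# psp:vmware-system-privileged is assumed; confirm it with
#   kubectl get clusterrole | grep psp
# A namespaced RoleBinding is used on purpose: a ClusterRoleBinding for
# system:serviceaccounts or system:authenticated would lift the restrictive
# default for every namespace in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-privileged-pods
  namespace: dev-team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: psp:vmware-system-privileged
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:dev-team-a
```

Apply it with kubectl apply -f as a cluster administrator, then verify with kubectl auth can-i use podsecuritypolicy/<privileged-psp-name> --as=system:serviceaccount:dev-team-a:default that the grant is limited to that namespace.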
A Tanzu Kubernetes cluster does not have infrastructure credentials. The credentials that are stored within a Tanzu Kubernetes cluster are only sufficient to access the vSphere Namespace where the Tanzu Kubernetes cluster has tenancy. As a result, there is no privilege escalation avenue for cluster operators or users.
The authentication tokens used to access Tanzu Kubernetes clusters are scoped such that the tokens cannot be used to access the Supervisor Cluster. This prevents cluster operators, or individuals who might try to compromise a cluster, from using their root-level access to capture a vSphere administrator's token when they log in to a Tanzu Kubernetes cluster.