You can connect to the Tanzu Kubernetes cluster control plane as the kubernetes-admin user to perform administrative tasks and troubleshoot cluster problems.

A valid kubeconfig file for a provisioned Tanzu Kubernetes cluster is available on the Supervisor Cluster as a secret object named TKGS-CLUSTER-NAME-kubeconfig. You can use this secret to connect to the cluster control plane as the kubernetes-admin user. For more information, see Get Tanzu Kubernetes Cluster Secrets.


  1. Connect to the Supervisor Cluster. See Connect to the Supervisor Cluster as a vCenter Single Sign-On User.
  2. Switch context to the vSphere Namespace where the target Tanzu Kubernetes cluster is provisioned.
    kubectl config use-context VSPHERE-NAMESPACE
  3. View the secret objects in the namespace.
    kubectl get secrets
    The secret is named TKGS-CLUSTER-NAME-kubeconfig. For example:
    kubectl config use-context tkgs-cluster-ns
    Switched to context "tkgs-cluster-ns".
    kubectl get secrets
    NAME                                 TYPE                                  DATA   AGE
    tkgs-cluster-1-kubeconfig            Opaque                                1      23h
  4. Decode the secret by running the following command.
    The secret is Base64 encoded. To decode it: on Linux, use base64 --decode (or base64 -d); on macOS, use base64 --decode (or base64 -D); on Windows, use an online tool.
    kubectl get secret TKGS-CLUSTER-NAME-kubeconfig -o jsonpath='{.data.value}' | base64 -d > tkgs-cluster-kubeconfig-admin
    This command decodes the secret and writes it to a local file named tkgs-cluster-kubeconfig-admin. Use the cat command to verify the file contents.
  5. Connect to the Tanzu Kubernetes cluster as the Kubernetes administrator using the decoded tkgs-cluster-kubeconfig-admin file.
    There are two options to do this:
    Option                               Description
    --kubeconfig <path\to\kubeconfig>    Use the --kubeconfig flag and the path to the local kubeconfig file. For example, assuming the kubeconfig file is in the same directory where you are running the command: kubectl --kubeconfig tkgs-cluster-kubeconfig-admin get nodes
    KUBECONFIG                           Set your KUBECONFIG environment variable to point to the decoded kubeconfig file and run kubectl, such as kubectl get nodes.
    You should see the nodes in the cluster. For example:
    kubectl --kubeconfig tkgs-cluster-kubeconfig-admin get nodes
    NAME                                            STATUS   ROLES    AGE   VERSION
    tkgs-cluster-1-control-plane-4ncm4              Ready    master   23h   v1.18.5+vmware.1
    tkgs-cluster-1-control-plane-jj9gq              Ready    master   23h   v1.18.5+vmware.1
    tkgs-cluster-1-control-plane-r4hm6              Ready    master   23h   v1.18.5+vmware.1
    tkgs-cluster-1-workers-6njk7-84dd7f48c6-nz2n8   Ready    <none>   23h   v1.18.5+vmware.1
    tkgs-cluster-1-workers-6njk7-84dd7f48c6-rk9pk   Ready    <none>   23h   v1.18.5+vmware.1
    tkgs-cluster-1-workers-6njk7-84dd7f48c6-zzngh   Ready    <none>   23h   v1.18.5+vmware.1
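
The decode in step 4 can also be done locally on any platform, Windows included, so the kubernetes-admin credential never leaves the workstation and the file is created readable by its owner only. This is an added example, not part of the original procedure: the function name write_admin_kubeconfig, the constructed sample Secret, and the content sanity check are assumptions for illustration, and the input is the JSON printed by kubectl get secret TKGS-CLUSTER-NAME-kubeconfig -o json.

```python
import base64, binascii, json, os, stat, tempfile

# Constructed sample data for the demo; not taken from a real cluster.
SAMPLE_KUBECONFIG = (b"apiVersion: v1\nkind: Config\nclusters:\n- name: tkgs-cluster-1\n"
                     b"users:\n- name: kubernetes-admin\n")
SAMPLE_SECRET = json.dumps({
    "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "tkgs-cluster-1-kubeconfig"},
    "data": {"value": base64.b64encode(SAMPLE_KUBECONFIG).decode()},
})

def write_admin_kubeconfig(secret_json, out_path, key="value"):
    """Decode .data[key] of a Secret (JSON text) and save it as an owner-only file."""
    secret = json.loads(secret_json)
    if secret.get("kind") != "Secret":
        raise ValueError("input is not a Secret object")
    try:
        encoded = secret["data"][key]
    except (KeyError, TypeError):
        raise ValueError(f"secret has no .data.{key} field") from None
    try:
        # validate=True rejects stray characters instead of silently skipping them
        kubeconfig = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f".data.{key} is not valid Base64") from exc
    # Heuristic check (an assumption of this example): a kubeconfig
    # lists clusters and users.
    if b"clusters" not in kubeconfig or b"users" not in kubeconfig:
        raise ValueError("decoded data does not look like a kubeconfig")
    # O_EXCL refuses to reuse an existing path (including a symlink), and
    # 0o600 keeps the admin credential from being group/world readable.
    # On Windows the mode bits are not enforced; rely on the directory ACLs.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(kubeconfig)
    return out_path

if __name__ == "__main__":
    # Demo on the constructed sample, written to a fresh temporary directory.
    path = os.path.join(tempfile.mkdtemp(), "tkgs-cluster-kubeconfig-admin")
    write_admin_kubeconfig(SAMPLE_SECRET, path)
    print(path, oct(stat.S_IMODE(os.stat(path).st_mode)))
```

The resulting file is used exactly as in step 5, either with the --kubeconfig flag or through the KUBECONFIG environment variable.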