After you have provisioned a TKG cluster, it is good practice to deploy a test workload and validate cluster functionality.
Deploy a test app to verify that your TKG cluster is up and running.
Prerequisites
- Provision a TKG cluster.
- Connect to the TKG cluster.
Procedure
- Provision a TKG cluster.
- Log in to Supervisor using kubectl.
kubectl vsphere login --server=<IP or FQDN> --vsphere-username <USERNAME>
- Switch configuration context to the vSphere Namespace where the TKGS cluster is provisioned.
kubectl config use-context VSPHERE-NAMESPACE
- Log in to the target TKG cluster.
kubectl vsphere login --server=<IP or FQDN> --vsphere-username <USERNAME> \
  --tanzu-kubernetes-cluster-name CLUSTER-NAME \
  --tanzu-kubernetes-cluster-namespace NAMESPACE-NAME
- Create the file ping-pod.yaml with the following contents.
apiVersion: v1
kind: Pod
metadata:
  name: ping-pod
  namespace: default
spec:
  containers:
  - image: busybox:1.34
    name: busybox
    command: ["ping", "-c"]
    args: ["1", "8.8.8.8"]
  imagePullSecrets:
  - name: regcred
  restartPolicy: Never
- Create the regcred registry credential.
The container image used for this scenario (busybox) is pulled from the public Docker Hub registry, which may restrict image pulls. If so, you will need a Docker Hub account and an image pull secret ("regcred") referenced in the pod spec. To create this secret, see Create Private Registry Credential Secret.
- Configure pod security, as necessary.
If you are using TKG release v1.24 or earlier, proceed with the next step and create the pod.
If you are using TKG release v1.25, PSA warnings are enabled. You can proceed with the next step and create the pod. However, note that you will receive a warning about pod security violations, which you can ignore.
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "busybox" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "busybox" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "busybox" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "busybox" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
If you are using TKG release v1.26 or later, PSA restrictions are enforced. If you attempt to create the pod as shown in the next step, it will fail with the following error.
Error from server (Forbidden): error when creating "ping-pod.yaml": pods "ping-pod" is forbidden: violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "busybox" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "busybox" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "busybox" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "busybox" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
To fix this, run the following command on the default namespace where the pod is created. Be aware that by doing this you are removing PSA restrictions for every pod in the namespace, not only for this test pod.
kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=privileged
Alternatively, you can apply a securityContext directly to the pod so that it satisfies the restricted profile, for example:
...
spec:
  containers:
  - image: busybox:1.34
    name: busybox
    command: ["ping", "-c"]
    args: ["1", "8.8.8.8"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
...
- Apply the YAML.
kubectl apply -f ping-pod.yaml
Expected result:
pod/ping-pod created
- Check that the pod completed successfully.
kubectl get pods -n default
NAME       READY   STATUS      RESTARTS   AGE
ping-pod   0/1     Completed   0          13s
- Verify that the pod pinged the DNS server.
kubectl logs ping-pod -f
Expected result:
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=106 time=33.352 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 33.352/33.352/33.352 ms
- Delete the pod.
kubectl delete -f ping-pod.yaml
- Verify that the pod is deleted.
kubectl get pods
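A pre-flight check for the pod security step above, added here as an example that is not part of the VMware documentation: it applies the four restricted-profile checks named in the PSA warning to the page's ping-pod.yaml (written as a Python dict) and to the securityContext-hardened version, so a manifest can be corrected before kubectl apply instead of relabeling the namespace as privileged. The function names and the dict form of the manifest are this example's own assumptions.

```python
# Added example (not VMware's code): reproduce the four "restricted:latest"
# checks the cluster reports for ping-pod.yaml, before the manifest is applied.

def _ctx_value(pod, container, *keys):
    """securityContext.<keys> from the container, else from the pod (PSA accepts either)."""
    for ctx in (container.get("securityContext") or {},
                pod.get("spec", {}).get("securityContext") or {}):
        value = ctx
        for key in keys:
            value = value.get(key) if isinstance(value, dict) else None
        if value is not None:
            return value
    return None

def restricted_violations(pod):
    """Return the list of restricted-profile checks the pod manifest fails."""
    violations = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext") or {}, c.get("name", "<unnamed>")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f'allowPrivilegeEscalation != false (container "{name}")')
        if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
            violations.append(f'unrestricted capabilities (container "{name}")')
        if _ctx_value(pod, c, "runAsNonRoot") is not True:
            violations.append(f'runAsNonRoot != true (pod or container "{name}")')
        if _ctx_value(pod, c, "seccompProfile", "type") not in ("RuntimeDefault", "Localhost"):
            violations.append(f'seccompProfile (pod or container "{name}")')
    return violations

# The page's ping-pod.yaml, written here as a Python dict (constructed input).
PING_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ping-pod", "namespace": "default"},
    "spec": {"containers": [{"image": "busybox:1.34", "name": "busybox",
                             "command": ["ping", "-c"], "args": ["1", "8.8.8.8"]}],
             "imagePullSecrets": [{"name": "regcred"}], "restartPolicy": "Never"},
}

def hardened(pod):
    """Copy of the pod with the securityContext the page gives as the alternative fix."""
    containers = [{**c, "securityContext": {
        "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True, "runAsUser": 1000,
        "seccompProfile": {"type": "RuntimeDefault"}}} for c in pod["spec"]["containers"]]
    return {**pod, "spec": {**pod["spec"], "containers": containers}}

if __name__ == "__main__":
    for label, manifest in (("original", PING_POD), ("hardened", hardened(PING_POD))):
        print(label, restricted_violations(manifest) or "passes restricted:latest")
```

The original manifest reports the same four violations as the cluster error; the hardened copy reports none, and pod-level runAsNonRoot/seccompProfile settings are honoured as the warning text says.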