After you have provisioned a TKG cluster, it is good practice to deploy a test workload and validate cluster functionality.

Deploy a test app to verify that your TKG cluster is up and running.

Prerequisites

  • Provision a TKG cluster.
  • Connect to the TKG cluster.

Procedure

  1. Provision a TKG cluster.
    See Workflow for Provisioning TKG Clusters Using Kubectl.
  2. Log in to Supervisor using kubectl. 
    kubectl vsphere login --server=<IP or FQDN> --vsphere-username <USERNAME>
  3. Switch configuration context to the vSphere Namespace where the TKGS cluster is provisioned. 
    kubectl config use-context VSPHERE-NAMESPACE
  4. Log in to the target TKG cluster. 
    kubectl vsphere login --server=<IP or FQDN> --vsphere-username <USERNAME> \
--tanzu-kubernetes-cluster-name CLUSTER-NAME \
--tanzu-kubernetes-cluster-namespace NAMESPACE-NAME
  5. Create the file ping-pod.yaml with the following contents. 
    apiVersion: v1
kind: Pod
metadata:
  name: ping-pod
  namespace: default
spec:
  containers:
  - image: busybox:1.34
    name: busybox
    command: ["ping", "-c"]
    args: ["1", "8.8.8.8"]
  imagePullSecrets:
  - name: regcred
  restartPolicy: Never
  6. Create the regcred registry credential.
    The container image used for this scenario (busybox) is pulled from the public Docker Hub registry, which may restrict image pulls. If so you will need a Docker Hub account and an image pull secret ("regcred") referenced in the pod spec. To create this secret, see Create Private Registry Credential Secret.
  7. Configure pod security, as necessary.
    If you are using Tanzu Kubernetes release v1.24 or earlier, proceed with the next step and create the pod.
    If you are using Tanzu Kubernetes release v1.25, PSA warnings are enabled. You can proceed with the next step and create the pod. However, note that you will receive a warning about pod security violations, which you can ignore. 
    Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false 
(container "busybox" must set securityContext.allowPrivilegeEscalation=false), 
unrestricted capabilities (container "busybox" must set securityContext.capabilities.drop=["ALL"]), 
runAsNonRoot != true (pod or container "busybox" must set securityContext.runAsNonRoot=true), 
seccompProfile (pod or container "busybox" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
    If you are using Tanzu Kubernetes release v1.26 or later, PSA restrictions are enforced. If you attempt to create the pod as shown in the next step, it will fail with the following error. 
    Error from server (Forbidden): error when creating "ping-pod.yaml": pods "ping-pod" is forbidden: 
violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false 
(container "busybox" must set securityContext.allowPrivilegeEscalation=false), 
unrestricted capabilities (container "busybox" must set securityContext.capabilities.drop=["ALL"]), 
runAsNonRoot != true (pod or container "busybox" must set securityContext.runAsNonRoot=true), 
seccompProfile (pod or container "busybox" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
    To fix this, run the following command on the default namespace where the pod is created. Be aware that by doing this you are removing PSA restrictions on the namespace. 
    kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=privileged
    Alternatively, you can apply securityContext directly to the pod, for example: 
    ...
spec:
  containers:
  - image: busybox:1.34
    name: busybox
    command: ["ping", "-c"]
    args: ["1", "8.8.8.8"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      runAsNonRoot: true
      runAsUser: 1000
      seccompProfile:
        type: "RuntimeDefault"
...
  8. Apply the YAML. 
    kubectl apply -f ping-pod.yaml
    Expected result: 
    pod/ping-pod created
  9. Check that the pod completed successfully. 
    kubectl get pods -n default
    NAME       READY   STATUS      RESTARTS   AGE
ping-pod   0/1     Completed   0          13s
  10. Verify that the pod pinged the DNS server. 
    kubectl logs ping-pod -f
    Expected result: 
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=106 time=33.352 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 33.352/33.352/33.352 ms
  11. Delete the pod. 
    kubectl delete -f ping-pod.yaml
  12. Verify that the pod is deleted. 
    kubectl get pods