After you have provisioned a TKG cluster, it is good practice to deploy a test workload and validate cluster functionality.

Deploy a test app to verify that your TKG cluster is up and running.

Prerequisites

  • Provision a TKG cluster.
  • Connect to the TKG cluster.

Procedure

  1. Provision a TKG cluster.
  2. Log in to Supervisor using kubectl.
    kubectl vsphere login --server=<IP or FQDN> --vsphere-username <USERNAME>
  3. Switch configuration context to the vSphere Namespace where the TKG cluster is provisioned.
    kubectl config use-context VSPHERE-NAMESPACE
  4. Log in to the target TKG cluster.
    kubectl vsphere login --server=<IP or FQDN> --vsphere-username <USERNAME> \
    --tanzu-kubernetes-cluster-name CLUSTER-NAME \
    --tanzu-kubernetes-cluster-namespace NAMESPACE-NAME
  5. Create the file ping-pod.yaml with the following contents.
    apiVersion: v1
    kind: Pod
    metadata:
      name: ping-pod
      namespace: default
    spec:
      containers:
      - image: busybox:1.34
        name: busybox
        # Equivalent to running "ping -c 1 8.8.8.8": send one ICMP echo, then exit.
        command: ["ping"]
        args: ["-c", "1", "8.8.8.8"]
      # Only needed if Docker Hub rejects anonymous pulls (see the next step);
      # otherwise remove this stanza.
      imagePullSecrets:
      - name: regcred
      restartPolicy: Never
    
  6. Create the regcred registry credential.
    The container image used for this scenario (busybox) is pulled from the public Docker Hub registry, which rate-limits anonymous pulls. If the pull fails with a rate-limit error, you need a Docker Hub account and an image pull secret ("regcred") referenced in the pod spec. To create this secret, see Create Private Registry Credential Secret. If anonymous pulls work in your environment, remove the imagePullSecrets stanza from the pod spec instead.
  7. Configure pod security, as necessary.
    If you are using TKG release v1.24 or earlier, proceed with the next step and create the pod.
    If you are using TKG release v1.25, PSA warnings are enabled. You can proceed with the next step and create the pod. However, you will receive a warning about pod security violations. You can ignore it for this test; it tells you the pod would be rejected once the namespace enforces the restricted policy.
    Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false 
    (container "busybox" must set securityContext.allowPrivilegeEscalation=false), 
    unrestricted capabilities (container "busybox" must set securityContext.capabilities.drop=["ALL"]), 
    runAsNonRoot != true (pod or container "busybox" must set securityContext.runAsNonRoot=true), 
    seccompProfile (pod or container "busybox" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
    If you are using TKG release v1.26 or later, PSA restrictions are enforced. If you attempt to create the pod as shown in the next step, it will fail with the following error.
    Error from server (Forbidden): error when creating "ping-pod.yaml": pods "ping-pod" is forbidden: 
    violates PodSecurity "restricted:latest": allowPrivilegeEscalation != false 
    (container "busybox" must set securityContext.allowPrivilegeEscalation=false), 
    unrestricted capabilities (container "busybox" must set securityContext.capabilities.drop=["ALL"]), 
    runAsNonRoot != true (pod or container "busybox" must set securityContext.runAsNonRoot=true), 
    seccompProfile (pod or container "busybox" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
    To get past this quickly, relabel the default namespace where the pod is created. Be aware that this disables the restricted policy for every pod subsequently created in that namespace, not only this test pod, so do it only on a throwaway cluster; the securityContext fix that follows is the safer option and works on every release.
    kubectl label --overwrite ns default pod-security.kubernetes.io/enforce=privileged
    Alternatively, and preferably, apply a securityContext directly to the pod so that it satisfies the restricted policy, for example:
    ...
    spec:
      containers:
      - image: busybox:1.34
        name: busybox
        command: ["ping"]
        args: ["-c", "1", "8.8.8.8"]
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
          runAsNonRoot: true
          # busybox runs as root by default; without an explicit non-zero UID,
          # runAsNonRoot: true makes the kubelet refuse to start the container.
          runAsUser: 1000
          seccompProfile:
            type: "RuntimeDefault"
    ...
    With all capabilities dropped and a non-root UID, busybox ping falls back to an unprivileged ICMP datagram socket, which the node kernel permits only for the group range set in net.ipv4.ping_group_range. If the pod ends in the Failed state and its log shows a permission error instead of a reply, that sysctl on the worker nodes is the first thing to check.
  8. Apply the YAML.
    kubectl apply -f ping-pod.yaml
    Expected result:
    pod/ping-pod created
  9. Check that the pod completed successfully.
    kubectl get pods -n default
    NAME       READY   STATUS      RESTARTS   AGE
    ping-pod   0/1     Completed   0          13s
    
  10. Verify that the pod reached 8.8.8.8 (Google Public DNS).
    kubectl logs ping-pod -f
    Expected result:
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: seq=0 ttl=106 time=33.352 ms
    
    --- 8.8.8.8 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 33.352/33.352/33.352 ms
    
  11. Delete the pod.
    kubectl delete -f ping-pod.yaml
  12. Verify that the pod is deleted.
    kubectl get pods
    Expected result:
    No resources found in default namespace.
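As an added end-to-end example (written for this page; it is not VMware's code or part of the original procedure), the following script runs the steps above against a TKG cluster you are already logged in to, but in a dedicated namespace that enforces the restricted policy instead of relaxing the default namespace. The namespace name psa-smoke, the SMOKE_RUN variable and the function names are this example's own choices. Its check of the ping output also accepts the iputils summary format, which goes beyond the busybox output shown above.

```shell
#!/bin/sh
# Added example: end-to-end smoke test for a TKG cluster under the "restricted"
# Pod Security Standard. Illustrative code written for this page, not VMware's.
# Assumes kubectl is already logged in to the target TKG cluster (step 4 above);
# the namespace name "psa-smoke" and the variable names are arbitrary choices.
set -eu

NS="${NS:-psa-smoke}"       # dedicated namespace: 'default' keeps its PSA labels untouched
POD="${POD:-ping-pod}"
TARGET="${TARGET:-8.8.8.8}"

# Emit a pod manifest that passes the restricted PSS: no privilege escalation,
# all capabilities dropped, non-root UID, RuntimeDefault seccomp.
# Args: [namespace] [pod-name] [ping-target]; each falls back to the variables above.
render_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${2:-$POD}
  namespace: ${1:-$NS}
spec:
  restartPolicy: Never
  containers:
  - name: busybox
    image: busybox:1.34
    command: ["ping"]
    args: ["-c", "1", "${3:-$TARGET}"]
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      runAsNonRoot: true
      runAsUser: 1000   # busybox runs as root by default; runAsNonRoot alone would refuse to start it
      seccompProfile:
        type: RuntimeDefault
EOF
}

# Read ping output on stdin; succeed only if at least one reply arrived and loss is 0%.
# Handles both busybox ("1 packets received") and iputils ("1 received") summary lines.
ping_succeeded() {
  awk '
    /packets transmitted/ {
      if (match($0, /[0-9]+ (packets )?received/)) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        received = f[1]
      }
      if (match($0, /[0-9]+% packet loss/))
        loss = substr($0, RSTART, RLENGTH) + 0   # "0% packet loss" -> 0, "100% ..." -> 100
    }
    END { exit !(received + 0 > 0 && loss + 0 == 0) }'
}

# Poll until pod $2 in namespace $1 reaches phase $3 (e.g. Succeeded);
# give up after $4 seconds or as soon as the pod reports Failed.
wait_for_phase() {
  i=0
  while [ "$i" -lt "$4" ]; do
    phase=$(kubectl get pod -n "$1" "$2" -o jsonpath='{.status.phase}' 2>/dev/null || true)
    [ "$phase" = "$3" ] && return 0
    [ "$phase" = "Failed" ] && return 1
    i=$((i + 1)); sleep 1
  done
  return 1
}

# Create a namespace that enforces the restricted policy, run the pod there,
# check its logs, and clean up. Exit status 0 means the cluster passed.
run_smoke_test() {
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  kubectl label --overwrite ns "$NS" \
    pod-security.kubernetes.io/enforce=restricted \
    pod-security.kubernetes.io/warn=restricted
  render_pod_manifest "$NS" "$POD" "$TARGET" | kubectl apply -f -
  status=0
  if wait_for_phase "$NS" "$POD" Succeeded 120 \
     && kubectl logs -n "$NS" "$POD" | ping_succeeded; then
    echo "PASS: $POD in $NS reached $TARGET under the restricted PSS"
  else
    status=1
    echo "FAIL: pod did not complete cleanly; logs and events follow" >&2
    kubectl logs -n "$NS" "$POD" >&2 || true
    kubectl describe pod -n "$NS" "$POD" | sed -n '/^Events:/,$p' >&2 || true
  fi
  kubectl delete -n "$NS" pod "$POD" --ignore-not-found
  kubectl delete namespace "$NS" --ignore-not-found
  return "$status"
}

# Only talk to a cluster when explicitly asked: SMOKE_RUN=1 sh smoke.sh
if [ "${SMOKE_RUN:-0}" = "1" ]; then
  run_smoke_test
fi
```

Run it with SMOKE_RUN=1 after step 4; without that variable the script only defines the functions, so you can source it and call render_pod_manifest or pipe an existing pod's logs into ping_succeeded on their own. On failure it prints the pod log and the Events section of kubectl describe, which is where an image-pull or PSA rejection shows up, and it always deletes the pod and namespace so a failed run leaves nothing behind.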