VMware TKG Service (TKG Service) lets you deploy Kubernetes workload clusters on the vSphere IaaS control plane. The TKG Service provides independent releases and asynchronous upgrades without workload disruptions.

Introducing the TKG Service

Starting with vSphere 8.0 Update 3, TKG is installed as a Supervisor Service. This architectural change decouples TKG from vSphere IaaS control plane releases and lets you upgrade the TKG Service independent of vCenter Server and Supervisor.

TKG Service 3.0 is installed and runs on Supervisor control plane nodes. The TKG Service is delivered as a nested collection of Carvel packages. As a Core Supervisor Service, the TKG Service can be upgraded, even in internet-restricted environments, but it cannot be uninstalled or downgraded. You can monitor and manage the TKG Service from the Workload Management > Services tab. See Upgrading the TKG Service Version.

TKG Service version 3.1 will be the first independent release that you upgrade to. TKG Serviceregistration and upgrade are separate processes.

Installing TKG Service 3.0

Installing the TKG Service is done automatically when you upgrade vSphere IaaS control plane components to their required versions. Refer to the TKG Servicerelease notes for details.

Registering New TKG Service Versions with vCenter

The TKG Service package is published with vCenter Server and pushed to the VMware public registry. TKG Service registration is performed at the vCenter Server level. You have two options to register new versions of the TKG Service: synchronous and asynchronous.
Table 1. TKG Service Version Registration Options
Registration Method Description
Synchronous with vCenter Update Wait for an update to the latest vCenter Server release to auto-register a new version of the TKG Service, then update Supervisor to populate the embedded registry with the new versions.
Asynchronous Public Download a new TKG Service version definition from the public registry, then manually register it with vCenter Server.
Asynchronous Private Relocate the TKG Service package from the public registry to a private registry that you host, then manually register the service with vCenter Server.
Synchronous registration requires a system update. Updating vCenter Server automatically registers new TKG Service versions​ with Supervisor. However, to use a auto-registered (new) version, you must then update Supervisor to the version that ships with the vSphere Namespaces release delivered by that vCenter Server. On update of Supervisor, the Carvel package bundle for the TKG Service is available in the Supervisor embedded registry and ready for deployment. A Supervisor upgrade does not automatically upgrade the TKG Service. You must choose to deploy the version you want.
Asynchronous registration does not require vCenter Server and Supervisor updates, assuming the current Supervisor version is within the support window. Asynchronous registration has the following workflow:
  1. Download the service definition YAML file from the public registry site for Supervisor Services.
  2. If air-gap installation is required, relocate the package to your private registry.
  3. Register the new version of the TKG Service by uploading the service definition to vCenter Server.
The table summarizes registration details of the TKG Service.
Table 2. TKG Service Version Registration
TKG Service Property vCenter Bundled Registry
Registration of new versions Auto-registered Manual registration
Deletion of newly registered versions Not allowed Allowed
Image location Supervisor control plane embedded registry Public or private registry

Upgrading the TKG Service Version

TKG Service version upgrades are performed at the Supervisor level. Once the TKG Service is registered, you upgrade the TKG Service by deploying it as a Supervisor Service on the target Supervisor. See Upgrade the TKG Service Version.

When you upgrade the TKG Service version, the system performs pre-checks and reports two levels of severity:
  • WARNING which is non-blocking
  • ERROR which is blocking
A Kubernetes version check is an example of a non-blocking warning check. A Supervisor version check is an example of a blocking error. For more information, refer to the Supervisor Services documentation.

Air-Gapped Upgrades

To upgrade the TKG Service in an internet restricted environment ("air-gapped"), you have two choices: synchronously with a vCenter update or asynchronously when a new version is available.

For synchronous air-gapped updates, you wait for a vCenter Server release then register the new TKG Service version by updating vCenter Server. See Registering New TKG Service Versions with vCenter.

For asynchronous air-gapped updates, you relocate the TKG Service package from the public registry to a private registry, then register the new TKG Service version with vCenter Server. See Upgrade TKG Service from a Private Registry.

Once the new TKG Service version is registered, the system uses its local registry to upgrade the TKG Service.