To answer these qustions, check the Cluster API log as follows:

kubectl config use-context tkg-cluster-ns

kubectl get pods -n vmware-system-capw  | grep capv-controller

kubectl logs -n vmware-system-capw -c manager capv-controller-manager-...

If you receive errors when applying the TKG cluster YAML, troubleshoot as follows.

Cluster network is not in correct state

Understand the TKG cluster provisioning workflow:

• CAPV creates a VirtualNetwork object for each TKG cluster network.
• If Supervisor is configured with NSX networking, NCP watches for VirtualNetwork objects and creates an NSX Tier-1 router and a NSX segment for each VirtualNetwork.
• CAPV checks the status of VirtualNetwork and, when ready, proceeds to next step in the workflow.

VM Service controller is watching for custom objects created by CAPV and uses those specifications to create and configure the VMs that make up the TKG cluster.

NSX Container Plugin (NCP) is a controller that watches for network resources added to etcd through the Kubernetes API and orchestrates the creation of corresponding objects in NSX.

Each of these controllers run as Kubernetes pods on the Supervisor control plane. To troubleshoot network issues, check the CAPV Controller log, the VM Service log, and the NCP log.

Check the container logs, where name-XXXX is the unique pod name when you run

kubectl get pods -A
kubectl logs pod/name-XXXXX -c pod-name -n namesapce

Invalid control plane node count

TKG cluster on Supervisor supports 1 or 3 control plane nodes. If you enter a different number of replicas, cluster provisioning fails.

Invalid storage class for control plane/worker VM

Run the following command:

kubectl describe ns <tkg-clsuter-namesapce>

Make sure that a storage class has been assigned to the namespace in which you're attempting to create the TKG cluster. There needs to be a ResourceQuota in the vSphere Namespace referencing that storage class, and the storage class needs to exist in Supervisor.

Make sure that the name matches the storage class present in Supervisor. Run kubectl get storageclasses Supervisor as an vSphere administrator. WCP may transform the name when applying the storage profile to Supervisor (for example, hyphens become underscores).

Invalid VM class

Ensure the value supplied in the cluster YAML matches one of the VM classes returned by kubectl get virtualmachineclass. Only bound classes can be used by a TKG cluster. A VM class is bound when you add it to the vSphere Namespace.

The command kubectl get virtualmachineclasses returns all VM classes on Supervisor, but only those that are bound can be used.

Unable to find TKR distributions

If you see an error similar to the following:

“Error from server (unable to find Kubernetes distributions): 
admission webhook “version.mutating.tanzukubernetescluster.run.tanzu.vmware.com” 
denied the request: unable to find Kubernetes distributions”

This is likely because of a content library issue. To list what you have available, use the command kubectl get virtualmachineimages -A. The result is what is available and synchronized or uploaded in your content library.

For TKG on Supervisor, there are new TKR names that are compatible with the new TKR API. You need to be sure to name each TKR correctly in the content library.

Name in content library: photon-3-amd64-vmi-k8s-v1.23.8---vmware.2-tkg.1-zshippable

Corresponding name in the TKG cluster spec: version: v1.23.8+vmware.2-tkg.1-zshippable

If the TKG 2.0 cluster YAML is valid and applied but the node VMs are not created, troubleshoot as follows.

Check CAPI/CAPV resources

Check if TKG created the CAPI/CAPV level resources.

• Check to see if CAPV created the VirtualMachine resources.
• Check the VM Operator logs to see why the VM was not created, for example, OVF deployment may have failed due to insufficient resources on the ESX host.
• Check the CAPV and VM Operator logs.
• Check NCP logs NCP is responsible to realize VirtualNetwork, VirtualNetworkInterface and LoadBalancer for control plane. If any error related to those resources, it can be an issue.

Virtual Machine Services Error

Virtual Machine Services Error

• Run kubectl get virtualmachineservices in your namespace
• Was a Virtual Machine Service created?
• Run kubectl describe virtualmachineservices in your namespace
• Are there errors reported on the Virtual Machine Service?

Virtual Network Error

Run kubectl get virtualnetwork in your namespace.

Is the Virtual Network created for this cluster?

Run kubectl describe virtual network in your namespace.

Is the Virtual Network Interface created for the VM?

If the TKG control plane is not running, check if resources were ready when the error happened. Is it a Join Node control plane that is not up or an Init Node? Also, check if the Provider ID is not set in the node object.

Check if resources were ready when error happened

Besides looking for logs, checking related objects' status ControlPlaneLoadBalancer will help you understand if resources were ready when error happened. See network troubleshooting.

Is it a Join Node control plane that is not up or an Init Node?

Node joins sometimes don’t work properly. Look at the node logs for particular VM. The cluster might be missing worker and control plane nodes if init node doesn’t come up successfully.

Provider ID is not set in the node object

If VM created, check if it has IPs then look into cloud-init logs (kubeadm commands are properly executed)

Check CAPI controller logs to see if there is any issue. You can check that using kubectl get nodes on the TKG cluster and then check if the provider ID exists on the node object.

If the TKG cluster and control plane VMs are created, but no workers are created or no other virtual machine objects created, try the following:

kubectl describe cluster CLUSTER-NAME

Get the TKG cluster kubeconfig using the secret in the namespace:

kubectl get secret -n <namespace> <tkg-cluster-name>-kubeconfig -o jsonpath='{.data.value}' | base64 -d 
> tkg-cluster-kubeconfig; kubectl --kubeconfig tkg-cluster-kubeconfig get pods -A

Check if TKG control plane nodes are in healthy state:

• Check if TKG cluster control plane reports any error (like cannot make node with provider ID).
• TKG cluster cloud provider did not mark the node with the correct provider ID, thus CAPI cannot compare the provider ID in the guest cluster node and the machine resource in the supervisor cluster to verify.

SSH into the control plane VM or use the TKG cluster kubeconfig to check if the TKG cloud provider pod is running/logged any errors. See Connecting to TKG Service Clusters as a Kubernetes Administrator and System User.

kubectl get po -n vmware-system-cloud-provider

kubectl logs -n vmware-system-cloud-provider <pod name>

If the control plane did not initialize properly, determine the VM IP. The status should contain the VM IP.

kubectl get virtualmachine -n <namespace> <TKC-name>-control-plane-0 -o yaml

ssh vmware-system-user@<vm-ip> -i tkc-cluster-ssh

Check to see if kubeadm logged any errors.

cat /var/log/cloud-init-output.log | less

kubectl get tkc -n <namespace>

kubectl get cluster -n <namespace> 

kubectl get machines -n <namespace>

KubeadmConfig was present but CAPI was not able to find it. Checked if the token in vmware-system-capv had the right permissions to query kubeadmconfig.

$kubectl --token=__TOKEN__ auth can-i get kubeadmconfig 
yes

It is possible that controller-runtime cache was not being updated. The CAPI watch caches may be stale and not picking up the new objects. If necessary restart the capi-controller-manager to resolve the issue.

kubectl rollout restart deployment capi-controller-manager -n vmware-system-capv

Namespaces can only be deleted when all the resources under the namespaces in turn are deleted.

kubectl describe namespace NAME

Check the virtual machine images on vCenter.

kubectl get virtualmachineimages -A