vSphere with Tanzu - Zero Trust with NSX-T DFW

To enable zero trust for the Supervisor Cluster and the guest cluster, you first need to define a default deny-all rule in the NSX-T distributed firewall. You can then allow the required ports as listed at https://ports.esp.vmware.com/home/vSphere-7 (filter with the keyword "Tanzu"). The problem? vSphere with Tanzu expects a default allow-all rule, specifically for egress (source is the Master VM subnet and destination is the whole cluster CIDR block). After enabling zero trust, the default deny-all rule blocks both ingress and egress traffic....

October 10, 2021 · 6 min · Jahnin Rajamoni

Daemon Sandboxing and Secpolicytools in ESXi

ESXi uses daemon sandboxing as a means of access control between Userworlds (hostd, vpxa, etc.) and Objects (files, directories, network sockets, etc.). Secpolicytools helps you list and tweak the security policies that are defined under each domain (daemon sandbox). [root@esx01:~] secpolicytools -h Usage: secpolicytools <options> -r|--reset Reset all policy rules. -p|--load-policy [policy dir] Load a predefined policy. A default dir of /etc/vmware/secpolicy will be used. -d|--display-policy Display the current policy. -D|--lookup-domain <label> Lookup the value of a domain label....

October 7, 2021 · 4 min · Jahnin Rajamoni

vSphere with Tanzu kubectl Cheat Sheet

Lately I’ve been using multiple notes to keep track of all the kubectl commands that I’ve come across when troubleshooting vSphere with Tanzu. The idea behind this post is to create a reference kubectl cheat sheet for all kubectl commands in vSphere with Tanzu. Login LOGIN TO A SUPERVISOR CLUSTER Command: kubectl vsphere login --server IP/FQDN -u USERNAME --insecure-skip-tls-verify Example: kubectl vsphere login --server kube.gs.labs -u administrator@vsphere.local --insecure-skip-tls-verify LOGIN TO A GUEST CLUSTER...

October 7, 2021 · 7 min · Jahnin Rajamoni

Home Lab: Monitoring with Grafana + influxdb + ntopng + Opnsense

I’ve always been interested in knowing which device consumes internet bandwidth on my network. Given I’m on a 50Mbps line, bandwidth is at a premium (thank you, NBN!). So how did I go about monitoring internet bandwidth consumption across all my devices? A NOC-style interface would be cool! (click on the image above!) I got this done with the help of Grafana, influxdb, ntopng and Opnsense! TLDR: Opnsense -> ntopng -> Influxdb -> Grafana. Opnsense is the gateway router....

October 6, 2021 · 3 min · Jahnin Rajamoni

Troubleshoot vSphere HA - FDM configuration failures

vSphere HA configuration failures have been a regular issue for as long as I can remember, usually the result of environmental issues. Recently I came across an issue where vSphere HA would not configure after upgrading to vCenter 7.0u2d. HA configuration fails with the error "Setting desired image spec for cluster failed". From the vpxd logs, the wrong version of the vib, 7.0.2-18455215, was being pushed to the hosts. The vib that had to be pushed to the hosts should be 7....

October 5, 2021 · 5 min · Jahnin Rajamoni