To enable zero trust for the Supervisor Cluster and the guest cluster, you first need to define a default deny-all rule in the NSX-T distributed firewall. You can then allow the required ports as listed at https://ports.esp.vmware.com/home/vSphere-7 (filter with the keyword “Tanzu”).
The problem? vSphere with Tanzu expects a default allow-all rule, specifically for egress (source: the Master VM subnet; destination: the whole cluster CIDR block). After enabling zero trust, the default deny-all rule blocks both ingress and egress traffic....
vSphere with Tanzu kubectl Cheat Sheet
Lately I’ve been using multiple notes to keep track of all the kubectl commands that I’ve come across when troubleshooting vSphere with Tanzu. The idea behind this post is to create a reference kubectl cheat sheet for all kubectl commands in vSphere with Tanzu.
Login
LOGIN TO A SUPERVISOR CLUSTER
Command:
kubectl vsphere login --server IP/FQDN -u USERNAME --insecure-skip-tls-verify
Example:
kubectl vsphere login --server kube.gs.labs -u administrator@vsphere.local --insecure-skip-tls-verify
LOGIN TO A GUEST CLUSTER...
vSphere with Tanzu Series : Part 1 - Docker: Create your own image
Getting started with containers is fairly easy. This post is just a summary of the steps I took to create a Docker container image that I will be using in my Kubernetes labs.
TLDR
1. Create a free account on hub.docker.com
2. Install Docker
3. Create a Dockerfile.
4. Build an image with the Dockerfile.
5. Run a container with the image you created and perform tests.
6. Push the image to Docker Hub.
Step 01: Install Docker
Installation is pretty straightforward....
Enable debug logging for Calico in Tanzu Kubernetes Clusters
To troubleshoot Calico network issues within guest clusters, debug logging is indispensable. In this post, let's look at the steps that are required to enable debug logging for Calico.
We first need to scale down the tkg-controller-manager on the supervisor cluster, as we do not want the changes we make to the Calico pods to be reset.
STEP 1: Scale down the tkg-controller-manager
From the vCenter Server, login to the control plane VM....
Calicoctl in Tanzu Kubernetes Clusters
There are two CNIs that are available for container networking in Tanzu Kubernetes guest clusters: Antrea and Calico.
In this post, let's take a closer look at Calico and how to deploy and use calicoctl. Pods can fail if they do not get an IP address from the CNI. A common error is:
k get events
4m31s Warning FailedCreatePodSandBox pod/validationservice-59cbc867c-pt7k5 (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "2c0a340dfe947ad27564e0b73d5efac7f13951a77aa9c0a6e5e5d90b7d299e4c": rate: Wait(n=1) would exceed context deadline
4m31s Warning FailedCreatePodSandBox pod/validationservice-59cbc867c-qhdjr (combined from similar events): Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "c0f9ecf1f5a73954bbc3733ff1342fec6896d339bc6039473765e5f143b7850d": rate: Wait(n=1) would exceed context deadline
To view the IP blocks provided by IPAM (Calico) in the Tanzu Kubernetes cluster...