To enable zero trust for the Supervisor Cluster and the guest clusters, you first define a default deny-all rule in the NSX-T distributed firewall, placed below every other rule so that it only catches traffic nothing above it has matched. You can then allow the required ports as listed at https://ports.esp.vmware.com/home/vSphere-7 (filter with the keyword “Tanzu”).
The problem? vSphere with Tanzu expects a default allow-all rule, specifically for egress, with the Supervisor control plane (“Master”) VM subnet as the source and the whole cluster CIDR block as the destination. After enabling zero trust, the default deny-all rule blocks both ingress and egress traffic....
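To make the ordering point concrete, here is a small first-match model of a DFW rule section. It is an added example, not code from the original post or from VMware: it shows that a lone deny-all rule drops the Supervisor egress flow, that an explicit allow from the control plane VM subnet to the cluster CIDR placed above the deny restores it, and that the same allow placed below the deny is shadowed. The subnets, addresses and port used are constructed lab values (assumptions), not values from the post.

```python
"""First-match evaluation of a distributed-firewall rule list.

Added example, not code from the original post or from VMware. It models
how an NSX-T DFW section is evaluated (top to bottom, first match wins)
to show why a lone default deny-all rule breaks Supervisor egress and
why the allow rule has to sit above it. All subnets, addresses and ports
below are constructed lab values (assumptions), not values from the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


def _in_any(ip: str, nets) -> bool:
    """True if ip falls in any CIDR in nets, or nets contains 'any'."""
    addr = ip_address(ip)
    return any(n == "any" or addr in ip_network(n) for n in nets)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "ALLOW" or "DROP"
    sources: tuple = ("any",)              # CIDR strings, or "any"
    destinations: tuple = ("any",)
    tcp_ports: Optional[frozenset] = None  # None = any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (_in_any(src, self.sources)
                and _in_any(dst, self.destinations)
                and (self.tcp_ports is None or dport in self.tcp_ports))


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule that matches the flow.

    We model a zero-trust section, so a flow that matches nothing is
    dropped rather than falling through to an allow.
    """
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "DROP"


# Constructed lab addressing (assumptions for the example only).
MASTER_SUBNET = "10.244.0.0/28"   # Supervisor control plane VM segment
CLUSTER_CIDR = "10.244.0.0/20"    # whole cluster CIDR block
MASTER_VM = "10.244.0.2"
GUEST_NODE = "10.244.5.7"
OUTSIDER = "192.168.50.10"
K8S_API_PORT = 6443

DEFAULT_DENY_ALL = Rule("default-deny-all", "DROP")

# What the post describes first: zero trust with only the deny-all rule.
DENY_ONLY: List[Rule] = [DEFAULT_DENY_ALL]

# The fix: an explicit allow for Supervisor egress placed ABOVE the deny.
WITH_SUPERVISOR_EGRESS: List[Rule] = [
    Rule("supervisor-egress-to-cluster", "ALLOW",
         sources=(MASTER_SUBNET,), destinations=(CLUSTER_CIDR,)),
    DEFAULT_DENY_ALL,
]

# The same two rules in the wrong order: the deny-all shadows the allow.
WRONG_ORDER: List[Rule] = list(reversed(WITH_SUPERVISOR_EGRESS))


def supervisor_egress(rules: List[Rule]) -> str:
    """Control plane VM talking to a node inside the cluster CIDR."""
    return evaluate(rules, MASTER_VM, GUEST_NODE, K8S_API_PORT)


def outsider_to_cluster(rules: List[Rule]) -> str:
    """An address outside the control plane subnet must stay blocked."""
    return evaluate(rules, OUTSIDER, GUEST_NODE, K8S_API_PORT)


if __name__ == "__main__":
    for label, rules in [("deny-all only", DENY_ONLY),
                         ("allow above deny", WITH_SUPERVISOR_EGRESS),
                         ("allow below deny", WRONG_ORDER)]:
        print(f"{label:17s} supervisor egress -> {supervisor_egress(rules)}, "
              f"outsider -> {outsider_to_cluster(rules)}")
```

Two caveats when carrying this over to a real DFW: the model is stateless, whereas DFW rules are stateful and admit return traffic for an allowed flow on their own; and the allow rule here matches any service for clarity, whereas in production you would narrow it to the services from the VMware ports list rather than allowing everything from the control plane subnet.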
Creating a Tanzu Kubernetes Cluster fails. In vCenter Server, the resource pool gets created under the namespace resource pool; however, the control plane and worker VMs are never created.
The OVF deployment starts but fails, and it is stuck in a constant loop with the error “Failed to deploy OVF package”.
Looking at the vpxd logs in vCenter Server, the error was:
info vpxd[63733] [Originator@6876 sub=Default opID=62236dfd] [VpxLRO] -- ERROR lro-43350730 -- task-637327 -- vim....
If you run into an issue where the config status is stuck in the “configuring” state, one of the first things to check is the wcpsvc log on the vCenter Server appliance: /var/log/vmware/wcp/wcpsvc.log
Interestingly, I ran into an issue where the logs complained about authorization. You will probably see the following events in a loop:
2021-05-30T11:48:11.077Z error wcp [kubelifecycle/spherelet.go:923] [opID=domain-c8-host-28] **Failed to get Kubernetes cluster node list: Unauthorized** 2021-05-30T11:48:11.078Z error wcp [kubelifecycle/node_controller....
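Spotting the “events in a loop” pattern by eye is tedious on a busy wcpsvc.log, so here is a small triage script. It is an added example, not code from the original post or from VMware: it parses lines in the format shown above (timestamp, level, component, bracketed source file and line, bracketed opID, message), counts error messages that repeat, and reports whether an Unauthorized error is looping and for which opID. The sample log embedded in the script is constructed for the example; only the “Failed to get Kubernetes cluster node list: Unauthorized” message, its source location and its opID are taken from the post, the other lines are made up for contrast.

```python
"""Triage of wcpsvc.log for repeating errors.

Added example, not code from the original post or from VMware. It parses
wcpsvc.log lines of the form
  <timestamp> <level> wcp [<file>:<line>] [opID=<id>] <message>
and reports error messages that repeat, which is the looping pattern the
post describes. SAMPLE_LOG is constructed for this example: only the
"Unauthorized" line is modelled on the one quoted in the post.
"""
import re
from collections import Counter
from typing import Dict, Optional, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+wcp\s+"
    r"\[(?P<src>[^\]]+)\]\s+\[opID=(?P<opid>[^\]]+)\]\s+(?P<msg>.*)$"
)

# Constructed sample log (not a real capture). The repeated error line is
# modelled on the post; the info line and the single error are made up.
SAMPLE_LOG = """\
2021-05-30T11:48:11.077Z error wcp [kubelifecycle/spherelet.go:923] [opID=domain-c8-host-28] Failed to get Kubernetes cluster node list: Unauthorized
2021-05-30T11:48:12.001Z info wcp [kubelifecycle/spherelet.go:900] [opID=domain-c8-host-28] constructed info line, ignored by the error counter
2021-05-30T11:48:12.002Z error wcp [kubelifecycle/example.go:1] [opID=domain-c8-host-28] constructed one-off error, below the repeat threshold
2021-05-30T11:48:41.077Z error wcp [kubelifecycle/spherelet.go:923] [opID=domain-c8-host-28] Failed to get Kubernetes cluster node list: Unauthorized
2021-05-30T11:49:11.077Z error wcp [kubelifecycle/spherelet.go:923] [opID=domain-c8-host-28] Failed to get Kubernetes cluster node list: Unauthorized
this line does not match the wcpsvc format and is skipped
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one wcpsvc.log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def repeating_errors(log_text: str, min_count: int = 3) -> Dict[str, int]:
    """Count error-level messages per (source, message).

    Returns only those seen at least min_count times, keyed by
    "<source> <message>" so the caller can see where the loop originates.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["level"] == "error":
            counts[(rec["src"], rec["msg"])] += 1
    return {f"{src} {msg}": n
            for (src, msg), n in counts.items() if n >= min_count}


def unauthorized_loop(log_text: str, min_count: int = 3) -> bool:
    """True when an Unauthorized error repeats min_count times or more."""
    return any("Unauthorized" in key
               for key in repeating_errors(log_text, min_count))


def affected_opids(log_text: str) -> Set[str]:
    """opIDs attached to Unauthorized errors, to see which host is looping."""
    return {rec["opid"]
            for rec in map(parse_line, log_text.splitlines())
            if rec and rec["level"] == "error" and "Unauthorized" in rec["msg"]}


if __name__ == "__main__":
    for key, n in repeating_errors(SAMPLE_LOG).items():
        print(f"{n}x {key}")
    print("Unauthorized loop:", unauthorized_loop(SAMPLE_LOG),
          "opIDs:", sorted(affected_opids(SAMPLE_LOG)))
```

Run it against the real file with `repeating_errors(open("/var/log/vmware/wcp/wcpsvc.log").read())`. The opID on these lines (domain-c8-host-28 in the post) appears to combine the cluster and host managed object IDs, so grouping by it tells you whether one host's spherelet or the whole cluster is affected.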
I ran into the same issue as described by Eric Sloof:
https://www.ntpro.nl/blog/archives/3570-Edge-Tunnels-Down-when-hosting-NSX-T-on-the-same-DVS.html
The problem I had was that I did not have enough uplinks to create a new dvSwitch to get the tunnel to work. For the tunnel to work, the Geneve traffic has to leave the host and get routed back in. I had a layer 3 physical switch and decided to make use of inter-VLAN routing.
Once logged into the switch:...
Some notes from a recent lab I configured:
My current lab looks like this: I have a few production VMs in one VLAN segment. External network access and Internet access is through another VLAN segment. There is a jumpbox VM that is uplinked to both VLAN segments. A VMware vDS is currently in use and there are no free uplinks to make use of an N-VDS. What do I want to accomplish?...