How can a large number of Kubernetes clusters, distributed across various platforms, remain compliant while still offering self-service and complete transparency? To implement these functions without overloading IT operations, you need a tool like VMware’s Tanzu Mission Control.
Not too long ago, installing Kubernetes was a largely manual and very complicated matter. Creating certificates, building configuration files for access and setting numerous parameters in various services were error-prone tasks. If you wanted to run the Kubernetes control plane itself as containers in the same Kubernetes installation, you faced a chicken-and-egg problem. Both the open-source community and various software vendors have recognized this issue and simplified the process to an almost trivial one. For example, a special interest group (SIG) formed within the Cloud Native Computing Foundation has developed a solution called ClusterAPI, which allows Kubernetes clusters to bootstrap and manage the lifecycle of other Kubernetes clusters.
The trend is moving away from single, very large clusters towards multiple small clusters. It usually starts with a single on-premises instance. But as soon as word spreads, other departments, teams and customers request their own clusters. To increase availability, these are often operated at different sites within the company, or even at public cloud providers such as AWS, Azure or GCP.
This situation poses major challenges for operations teams. Since the clusters are independent of each other, they are managed individually. This means that compliance policies, access permissions, security policies, quotas, etc. must be configured separately in every location. This task is not only very time-consuming, but the risk of errors also grows with the number of environments. Tanzu Mission Control, a product from the VMware Tanzu portfolio, addresses precisely these problems.
Figure 1: Tanzu Mission Control Architecture
Tanzu Mission Control, or TMC for short, is a SaaS offering from VMware that provides a common management platform for a variety of Kubernetes clusters; they only have to be attached to TMC. It does not matter how a particular Kubernetes cluster was set up, as long as it is CNCF compliant, nor where the cluster is running. It just needs to be able to communicate with TMC.
Core functionalities of Tanzu Mission Control
1) Automatic provisioning of Tanzu Kubernetes Grid
TMC uses the open-source tool ClusterAPI to automatically deploy Kubernetes clusters to other platforms. Currently, it is possible to roll out Kubernetes clusters to Amazon Web Services (AWS), Microsoft Azure or vSphere with Tanzu installations (more are planned). In all cases, a Kubernetes cluster based on Tanzu Kubernetes Grid is provisioned. Various Day-2 operations are available for these types of clusters, such as scaling, updating or deleting the clusters.
In addition, any CNCF compliant cluster can be attached to TMC and thus monitored and managed. For this purpose, a small agent is installed in the cluster.
2) Versatile operability
Like most modern tools, TMC offers an extensive web interface. However, TMC can also be controlled via CLI or REST API. Thus, it can be part of another automation software and, for example, be called by a CI/CD pipeline.
3) Grouping clusters and namespaces
Figure 2: Tanzu Mission Control Resource Groups
TMC allows resources to be grouped. For example, multiple Kubernetes clusters can be added to a cluster group. Additionally, namespaces from different clusters can be grouped into workspaces. Both the groups and the grouping criteria can be kept dynamic, so that namespaces carrying specific labels are automatically assigned to a specific workspace.
These groupings allow different policies to be applied uniformly and consistently to a large number of objects at the same time.
With Velero, TMC offers the option of automatically backing up workloads within Kubernetes clusters. In this way, backups of entire namespaces or complete clusters can be created in a few steps. Likewise, only specific objects such as persistent volumes can be backed up if desired. These objects can also be selected dynamically using labels. All backups can be restored via TMC.
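As an added example (not a configuration taken from TMC or from this article), the following Velero Schedule shows how a backup of the kind described above is scoped to one namespace, to objects carrying a label, and to their persistent volumes; the namespace name, the label and the schedule values are assumed placeholders.

```yaml
# Added example: nightly Velero backup scoped by namespace and label.
# Namespace, label and retention values are placeholders.
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: team-a-nightly
  namespace: velero          # Velero's own namespace, where Schedule objects live
spec:
  schedule: "0 2 * * *"      # cron expression: every day at 02:00
  template:
    includedNamespaces:
      - team-a               # back up only this namespace
    labelSelector:           # ...and within it only objects carrying this label
      matchLabels:
        backup: "true"
    snapshotVolumes: true    # include persistent volumes via volume snapshots
    ttl: 720h0m0s            # keep each backup for 30 days
```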
Another open-source tool integrated into TMC is Sonobuoy. With its help, the cluster configuration can be checked against different baselines, so that any discrepancies in the configuration can be quickly identified and remedied.
For example, a general conformance check can be run to verify whether the cluster has been installed properly. Alternatively, clusters can be tested against the Kubernetes benchmark released by the Center for Internet Security (CIS).
TMC already comes with some ready-made policies in the areas of access control, image registries and quotas that can be used directly. In addition, it also offers the possibility to create custom policies. These policies are implemented with the help of Gatekeeper (Open Policy Agent), another open-source tool that replaces the discontinued Pod Security Policies.
Similar to most other features, policies can be dynamically applied to objects using labels and selectors.
Tanzu Mission Control provides IT administrators with a centralized interface to manage and monitor a variety of Kubernetes clusters. At the same time, it allows developers to obtain resources via self-service, so they don’t have to worry about the underlying infrastructure.
As a VMware solution, Tanzu Mission Control integrates very well with other VMware products, such as Tanzu Kubernetes Grid Integrated Edition or Tanzu Observability.