The second topic in this Design Considerations for Tanzu series is Manageability.
Kubernetes environments require management at an individual cluster level, across multiple clusters and even clouds in the current era.
Each cluster has to be individually deployed, upgraded, and configured for security. In addition, if applications need to be deployed across environments, deployment has to be done manually or outside the Kubernetes environment control.
The cost of managing these across an enterprise can quickly increase based on the number of clusters. Management of day 2 operations such as patching and upgrading at the individual cluster level is also time-consuming and error prone.
It is important that Kubernetes cluster and infrastructure management be addressed when designing a Tanzu installation.
Life cycle management of a Kubernetes cluster includes:
Removing a cluster
Creating a new cluster
Updating the control plane and compute nodes
Maintenance and updates to the node
Securing the cluster
Upgrading the Kubernetes API version
Upgrading the cluster, which may also be provider-dependent
In order to manage k8s at scale, we need to implement a management control plane.
Design considerations for a k8s control plane:
Cluster Lifecycle Management
Identity and Access Management (IAM)
Security and Configuration Management
Data protection and Migration
Audit and Compliance
Connectivity and Traffic Management
vSphere with Tanzu and Tanzu Kubernetes Grid provide a centralized management plane for Kubernetes clusters. There are different options available.
Where should I run my k8s management plane?
There are two main management plane deployment models in Tanzu:
1.) Running Tanzu IN vSphere
2.) Running Tanzu ON vSphere
The vSphere with Tanzu deployment has the Kubernetes cluster management and lifecycle functions fully embedded into the vSphere console. Clusters are deployed directly from the UI. There are also options to integrate with NSX-T, and the deployment wizard will configure the NSX-T environment. This deployment model requires that the vSphere admin be knowledgeable on Kubernetes concepts. The standard Kubernetes kubectl commands are used to manage the containers and pods themselves. This deployment model is more "vSphere Infrastructure-focused & managed" and can be appealing depending on your organization`s operating model.
Tanzu Kubernetes Grid (TKG/TKGi) is the Tanzu ON vSphere implementation. In this deployment, the control plane is externalized and deployed as external virtual machine.
Tanzu Community Edition (TCE) is the free- open source variation of Tanzu Kubernetes Grid. It should also be noted that most of the commands used to manage TKG clusters, also apply to TCE clusters as well.
How do I interface-with and abstract the underlying Infrastructure Resources?
TKG and TCE utilize the CNCF-Certified ClusterAPI as the infrastructure abstraction layer.
The TKGi deployment uses BOSH as the infrastructure abstraction layer.
How do my Kubernetes administrators interface and manage the platform resources?
There are two user-planes in Tanzu
Developer Interface - K8s Admins
Operations Interface - Infrastructure Admins
From a developer perspective, all of the Tanzu deployment options support upstream vanilla-upstream Kubernetes, and as such you can use the standard kubectl commands to manage your k8s infrastructure.
As for the Operations Interface, there are some differences between deployment types:
vSphere with Tanzu - Uses the embedded TKG UI
TKG/TKGi - Uses an external GUI / CLI -Usually installed as on a jumphost
TCE- Uses an external GUI / CLI - Usually installed as on a jumphost
How do manage Kubernetes clusters across a multiple clouds?
If you have the need to manage k8s clusters across multiple clouds, Tanzu Mission Control (TMC) in one option. TMC is aimed at managing Tanzu clusters across multiple cloud providers (Such as AWS, vSphere, Azure) while giving the developers multi-cloud capabilities directly from there management console.
It also offers cost management, security policy enforcement and cluster backup capabilities. it should also be noted that TMC is a Soft as a Service (SaaS) offering which may not be appropriate for some airgapped environments.