The Cluster v1beta1 API lets you provision a Cluster based on a default ClusterClass definition.
ClusterClass API v1beta1
The Kubernetes Cluster API is a suite of tools which provide for the declarative provisioning, upgrading, and operating of Kubernetes clusters. ClusterClass is an evolution of the Cluster API that lets you define templates for managing the life cycle of sets of clusters. TKG Service supports ClusterClass using the v1beta1 API.
TKG Service ships with a default ClusterClass definition named tanzukubernetescluster
. The tanzukubernetescluster
ClusterClass provides the template for cluster creation using the v1beta API. The tanzukubernetescluster
ClusterClass is available in all user namespaces. To create a cluster based on this ClusterClass, reference it in the Cluster specification. Refer to the v1beta examples for guidance.
Default ClusterClass tanzukubernetescluster
The default tanzukubernetescluster
ClusterClass is immutable. It may be updated with each release of the TKG Service.
To view the default tanzukubernetescluster
ClusterClass that ships with your TKG Service instance, complete the following steps:
- Log in to Supervisor.
kubectl vsphere login --server=IP-or-FQDN --vsphere-username USER@vsphere.local
- Switch context the vSphere Namespace where a TKGS cluster is provisioned.
kubeclt config use-context VSPEHRE-NS
- Get the default
tanzukubernetescluster
ClusterClass.kubectl get clusterclass tanzukubernetescluster -o yaml
- Optionally you can write the output of the default ClusterClass to a file named tkc-dcc.yaml.
kubectl get clusterclass tanzukubernetescluster -o yaml > tkc-dcc.yaml
ClusterClass Variables for Customizing a Cluster
You customize a Cluster based on the tanzukubernetescluster
ClusterClass using variables. Variables are defined using name-values pairs. The syntax must conform to the openAPIV3Schema.
- VM class
- Storage class
- Proxy
- TLS Certificates
- SSH keys
The following sections list all variables that are available with the default tanzukubernetescluster
ClusterClass.
key-name
), an underscore (such as
KEY_NAME
) or a dot (such as
key.name
). You cannot use a space in a key name.
clusterEncryptionConfigYaml
Use the clusterEncryptionConfigYaml
variable to configure cluster encryption.
- clusterEncryptionConfigYaml
- String which is a YAML file that provides encryption configuration details.
controlPlaneCertificateRotation
controlPlaneCertificateRotation
variable to configure the system to rotate the TLS certificates for control plane nodes by triggering a rollout of these certificates before they expire. Control plane certificate rotation is available for all new and existing control plane nodes.
- controlPlaneCertificateRotation
-
Boolean for activating the feature and number of days before expiration to rotate the certificates. See
Automatically rotating certificates using Kubeadm Control Plane provider for more information.
... variables: - name: controlPlaneCertificateRotation value: activate: true daysBefore: 90
controlPlaneVolumes
controlPlaneVolumes
variable to configure persistent volumes for control plane nodes.
- controlPlaneVolumes
-
Optional array of objects, each of which includes
name
,storageClass
, andmountPath
, each of which are strings, and an optionalcapacity
object that includes astorage
string.... variables: #controlPlaneVolumes is an optional set of PVCs to create and #attach to each node - name: controlPlaneVolumes value: #name of the PVC to be used as the suffix (node.name) - name: NAME #mountPath is the directory where the volume device is mounted #takes the form /dir/path mountPath: /dir/path #storageClass is the storage class to use for the PVC storageClass: tkgs-storage-profile #capacity is the PVC storage capacity capacity: #storage sets the capacity for the disk volume #if not specified defaults to storageClass capacity storage: 4Gi
defaultRegistrySecret
defaultRegistrySecret
variable configures the default container registry for the cluster.
- defaultRegistrySecret
- Object that includes a public key, certificate name, and namespace for the default container registry.
defaultStorageClass
Use the defaultStorageClass
variable to configure a default storage class for the cluster.
- defaultStorageClass
-
String that identifies which storage class to use as the default storage class, often required by certain applications such as Helm charts and Tanzu Packages.
... variables: - name: defaultStorageClass value: tkg2-storage-profile
extensionCert
Use the extensionCert
variable to configure a TLS certificate.
- extensionCert
-
Object containing a
contentSecret
object containingname
andkey
strings. ThecontentSecret
references a Kubernetes secret object that has been created for a TLS certificate.... variables: #extensionCert specifies the cert and key for Extensions Controller #self-signed issuer and certificates must be created in advance - name: extensionCert value: contentSecret: #name specifies the name of secret name: string #key specifies the content of tls\.crt in the secret's data map key: string
kubeAPIServerFQDNs
Use the kubeAPIServerFQDNs
variable to configure a cluster with an FQDN.
nodePoolLabels
Use the nodePoolLabels
variable to configure labels for worker nodes.
- nodePoolLabels
- Array of one or more objects, each object containing a key/value pair, both of which are strings.
nodePoolTaints
Use the nodePoolTaints
variable to apply taints to worker nodes.
- nodePoolTaints
- Array of objects, each object contains a taint that applies to worker nodes.
nodePoolVolumes
Use the nodePoolVolumes
variable to specify persistent volumes for cluster nodes.
- nodePoolVolumes
-
Optional array of objects, each of which includes
name
,storageClass
, andmountPath
, each of which are strings, and an optionalcapacity
object that includes astorage
string.... variables: #nodePoolVolumes is an optional set of PVCs to create and #attach to each node; use for high-churn components like containerd - name: nodePoolVolumes value: | #name of the PVC to be used as the suffix (node.name) - name: etcd #mountPath is the directory where the volume device is mounted #takes the form /dir/path mountPath: /var/lib/containerd #storageClass is the storage class to use for the PVC storageClass: tkgs-storage-profile #capacity is the PVC storage capacity capacity: #storage sets the capacity for the disk volume #if not specified defaults to storageClass capacity storage: 4Gi
ntp
Use the ntp
variable to configure an NTP server for the cluster.
- ntp
- String which is the FQDN or IP address of an NTP server.
podSecurityStandard
podSecurityStandard
variable to configure cluster-wide pod security.
- podSecurityStandard
-
With TKr v1.26 and later, by default pod security (PSA) restrictions are enforced at the namespace level using annotation labels. See Configure PSA for TKR 1.25 and Later.
Alternatively you can use the
podSecurityStandard
variable to configure cluster-wide PSA when you provision or update a v1beta1 cluster.The
podSecurityStandard
variable can be implemented as follows:... variables: - name: podSecurityStandard value: deactivated: DEACTIVATED audit: AUDIT-PROFILE enforce: ENFORCE-PROFILE warn: WARN-PROFILE auditVersion: AUDIT-VERSION enforceVersion: ENFORCE-VERSION warnVersion: WARN-VERSION exemptions: namespaces: [EXEMPT-NS]
Where:- The DEACTIVATED value is
false
(default) to apply cluster-wide PSA andtrue
otherwise. - The *-PROFILE value is the PSA profile for each mode, which can be
"privileged"
,"baseline"
, or"restricted"
(default). - The *-VERSION value is the Kubernetes version for each mode, such as
"v1.26"
. The value"latest"
is the default. - The EXEMPT-NS value is an comma-separated list of namespaces to exclude from PSA control.
Note: System namespaces are excluded from pod security, including kube-system, tkg-system, and vmware-system-cloud-provider.If you do not implement the
podSecurityStandard
variable, the default PSA behavior is preserved. If you include thepodSecurityStandard
variable in the cluster specification, the variable settings will control, including its defaults unless you override them.The following example shows the defaults.... variables: - name: podSecurityStandard value: enforce: "restricted" enforce-version: "latest"
The following example provides audit logs and warnings to identify workloads that are not following current pod hardening best practices, but only enforces a minimally restrictive policy ("baseline") which prevents known privilege escalations.... variables: - name: podSecurityStandard value: audit: "restricted" warn: "restricted" enforce: "baseline"
The following example enforces restricted policy, except on a specific namespace.... variables: - name: podSecurityStandard value: audit: "restricted" warn: "restricted" enforce: "restricted" exemptions: namesaces: ["privileged-workload-ns"]
The following example restricts enforcement to a particular TKr version.... variables: - name: podSecurityStandard value: audit-version: "v1.26" warn-version: "v1.26" enforce-version: "v1.26"
For more examples, see pod security standards in the Kubernetes documentation.
- The DEACTIVATED value is
proxy
Use the proxy
variable to configure a proxy server for the cluster.
- proxy
- Object with parameters that reference a proxy server for outbound cluster connections.
storageClass
Use the storageClass
variable to configure a storage class for the cluster.
- storageClass
-
String that is the name of a vSphere storage profile that has been assigned to the
vSphere Namespace where the TKG cluster is provisioned.
... variables: - name: storageClass value: tkgs-storage-profile
storageClasses
Use the storageClasses
variable to configure an array of storage classes for the cluster.
- storageClasses
-
Array of one or more strings, each string being the name of a vSphere storage profile that has been assigned to the
vSphere Namespace where the TKG cluster is provisioned.
... variables: - name: storageClasses value: [tkg2-storage-profile, tkg2-storage-profile-latebinding]
TKR_DATA
Use the TKR_DATA
variable to specify TKR information.
- TKR_DATA
- Object that you use to specify the TKR version and other details.
trust
Use the trust
variable to specify one or more trusted CA certificates for the cluster.
- trust
- Object for adding TLS certificates to the Cluster, either additional CAs or end certificates.
user
Use the user
variable to specify cluster user credentials.
- user
- Object that includes a passwordSecret object, with name and key strings, and sshAuthorizedKey string. You can use this variable to add a user's SSH key to cluster nodes for remote SSH access.
vmClass
Use the vmClass
variable to configure the VM class for cluster nodes.
- vmClass
- Required string that maps to the name of a VM class that is bound to the vSphere Namespace where the TKG cluster is provisioned.