Introduction to Tanzu Mission Control

Today we want to talk about VMware Tanzu, a new line of products and services that was announced during last year's VMworld conference. On the agenda is one of the most interesting tools: Tanzu Mission Control.

Caution: there are a great many images under the cut.

What is mission control

As the company itself states in its blog, the main task of VMware Tanzu Mission Control is to “bring order to cluster chaos.” Mission Control is an API-driven platform that will allow administrators to apply policies to clusters or groups of clusters and set security rules. The SaaS-based tools integrate securely into Kubernetes clusters via an agent and support a host of common cluster operations, including lifecycle management operations (deploy, scale, delete, etc.).

The Tanzu line makes maximum use of open-source technologies: Cluster API manages the life cycle of Tanzu Kubernetes Grid clusters, Velero handles backups and restores, Sonobuoy checks the configuration compliance of Kubernetes clusters, and Contour serves as the ingress controller.

The general list of Tanzu Mission Control features looks like this:

  • centralized management of all your Kubernetes clusters;
  • identity and access management (IAM);
  • diagnostics and monitoring of the state of clusters;
  • configuration and security settings management;
  • scheduling regular cluster health checks;
  • backup and restore;
  • quota management;
  • visualized representation of resource utilization.

Why is it important

Tanzu Mission Control will help businesses meet the challenge of managing a large fleet of Kubernetes clusters located on-premises, in the cloud, and across multiple third-party providers. Sooner or later, any company whose activities are tied to IT is forced to maintain many heterogeneous clusters located at different providers. Each cluster becomes a snowball that needs a competent organization, appropriate infrastructure, policies, protection, monitoring systems and much more.

Nowadays, any business seeks to reduce costs and automate routine processes. And the complex IT landscape is clearly not conducive to saving and concentrating on priority tasks. Tanzu Mission Control gives organizations the ability to work with multiple Kubernetes clusters deployed across multiple providers while harmonizing the operating model.

Solution architecture

Tanzu Mission Control is a multi-tenant platform that gives users access to a set of highly customizable policies that can be applied to Kubernetes clusters and cluster groups. Each user is tied to an Organization, which is the "root" of the resources: cluster groups and workspaces.

What Tanzu Mission Control Can Do

Above, we briefly listed the solution's features. Let's see how they are implemented in the interface.

A single view of all Kubernetes clusters in an enterprise:

Creating a new cluster:

You can immediately assign a group to a cluster, and it will inherit the policies set for it.

Cluster connection:

Already existing clusters can simply be connected using a special agent.

Cluster grouping:

In Cluster groups, you can group clusters to inherit assigned policies immediately at the group level, without manual intervention.

Workspaces:

Workspaces give you the ability to flexibly configure access to an application that spans multiple namespaces, clusters, and cloud infrastructures.

Let's take a closer look at how Tanzu Mission Control works by going through the labs.

Lab #1

Of course, it is rather difficult to picture in detail how Mission Control and the new Tanzu solutions work without practice. So that you can explore the main features of the line, VMware provides access to several lab environments, where you can work through the labs using step-by-step instructions. In addition to Tanzu Mission Control itself, other solutions are available for testing and study. For a complete list of labs, see this page.

Different amounts of time are allotted for hands-on acquaintance with the various solutions (including a small "game" on vSAN). Don't worry, these are very arbitrary figures. For example, you get up to 9 and a half hours to “solve” the Tanzu Mission Control lab when taking it from home. In addition, even if the timer runs out, you can go back and go through everything again.

Walkthrough Lab #1
You will need a VMware account to access the labs. After authorization, a pop-up window will open with the main canvas of the work. Detailed instructions will be placed on the right side of the screen.

After reading a short introduction about Tanzu, you will be asked to practice in an interactive Mission Control simulation.

A pop-up window with a new Windows machine will open and you will be prompted to perform a few basic operations:

  • create a cluster
  • configure its basic settings
  • refresh the page and make sure everything is set up correctly
  • set policies and check the cluster
  • create a workspace
  • create a namespace
  • work with policies again, each step is explained in detail in the manual
  • demo cluster upgrade


Of course, interactive simulation does not provide enough freedom for self-study: you move along the rails laid out in advance by the developers.

Lab #2

Here we are already dealing with something more serious. This lab is not as rail-bound as the previous lab and needs to be studied more carefully. We will not present it in its entirety here: for the sake of saving your time, we will analyze only the second module, the first is devoted to the theoretical aspect of the work of Tanzu Mission Control. If you wish, you can go through it completely on your own. This module invites us to dive into cluster lifecycle management through Tanzu Mission Control.

Note: Tanzu Mission Control labs are regularly updated and refined. If any of the screens or steps differ from those shown below as you work through the lab, follow the instructions on the right side of the screen. We will go through the version of the lab that was current at the time of writing and consider its key elements.

Walkthrough Lab #2
After the authorization process in VMware Cloud Services, we launch Tanzu Mission Control.

The first step suggested by the lab is to deploy a Kubernetes cluster. First we need to access the Ubuntu VM using PuTTY. Run the utility and select a session with Ubuntu.

Execute three commands in turn:

  • cluster creation: kind create cluster --config 3node.yaml --name=hol
  • setting the KUBECONFIG variable: export KUBECONFIG="$(kind get kubeconfig-path --name="hol")"
  • listing the nodes: kubectl get nodes

Now the cluster we created needs to be added to Tanzu Mission Control. From PuTTY we return to Chrome, go to Clusters and click ATTACH CLUSTER.
Select the default group from the drop-down menu, enter the name proposed by the lab and press REGISTER.

Copy the received command and go to PuTTY.

We execute the received command.

To track progress, run another command: watch kubectl get pods -n vmware-system-tmc. We wait until all pods show the status Running or Completed.

We return to Tanzu Mission Control and press VERIFY CONNECTION. If everything went well, the indicators of all checks should be green.

Now let's create a new cluster group and deploy a new cluster there. Go to Cluster groups and click NEW CLUSTER GROUP. Enter a name and click CREATE.

The new group should immediately appear in the list.

Let's deploy a new cluster: go to Clusters, press NEW CLUSTER and select the option associated with the lab.

Let's add the name of the cluster, select the group assigned to it - in our case, hands-on-labs - and the deployment region.

When creating a cluster, other options are available, but there is no point in changing them for the lab. Select the desired configuration and click Next.

Some parameters need to be edited; to do this, click Edit.

Let's increase the number of worker nodes to two, save the parameters and click CREATE.
In the process, you will see a progress bar like this.

After a successful deployment, you will see a picture like this. All checks must be green.

Now we need to download the KUBECONFIG file in order to manage the cluster using the standard kubectl commands. This can be done directly through the Tanzu Mission Control user interface. Download the file and proceed to download the Tanzu Mission Control CLI by pressing "click here".

Select the desired version and download the CLI.

Now we need to get the API Token. To do this, go to My Account and generate a new token.

Fill in the fields and click GENERATE.

Copy the resulting token and click CONTINUE. Open PowerShell and enter the tmc login command, then the token that we received and copied in the previous step, and then the Login Context Name. From the options offered, choose info as the log level, then the region, and olympus-default as the SSH key.

Get the namespaces: kubectl --kubeconfig=C:\Users\Administrator\Downloads\kubeconfig-aws-cluster.yml get namespaces

Enter kubectl --kubeconfig=C:\Users\Administrator\Downloads\kubeconfig-aws-cluster.yml get nodes to make sure all nodes are in status Ready.

Now in this cluster we have to deploy a small application. Let's make two deployments - coffee and tea - in the form of coffee-svc and tea-svc services, each of which launches different images - nginxdemos/hello and nginxdemos/hello:plain-text. This is done in the following way.

Through PowerShell go to downloads and find the file cafe-services.yaml.

Due to some changes in the API, we will have to update it.

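Pod Security Policies are enabled by default. To run applications with privileges, you must bind an account to the privileged policy. The binding below is made to the system:authenticated group, so it applies to every authenticated user and service account in the cluster; this is convenient in a disposable lab cluster, while in a shared cluster the binding would normally be scoped to the service account that needs it.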

We create a binding: kubectl --kubeconfig=kubeconfig-aws-cluster.yml create clusterrolebinding privileged-cluster-role-binding --clusterrole=vmware-system-tmc-psp-privileged --group=system:authenticated
Deploy the application: kubectl --kubeconfig=kubeconfig-aws-cluster.yml apply -f cafe-services.yaml
We check: kubectl --kubeconfig=kubeconfig-aws-cluster.yml get pods
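
An added example, not part of the lab or of VMware's tooling: a check that finds bindings of a given role to catch-all groups, such as the clusterrolebinding created above, in the JSON that kubectl prints. The sample input is constructed, and the cafe-psp binding and cafe service account in it are hypothetical.

```python
import json

# Groups that cover every caller (or every service account) in a cluster.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated",
                "system:serviceaccounts"}

# Constructed sample, shaped like the output of:
#   kubectl get clusterrolebindings,rolebindings -A -o json
# "cafe-psp" and the "cafe" service account are hypothetical names.
SAMPLE = json.dumps({"items": [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "privileged-cluster-role-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "vmware-system-tmc-psp-privileged"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "cafe-psp", "namespace": "default"},
     "roleRef": {"kind": "ClusterRole", "name": "vmware-system-tmc-psp-privileged"},
     "subjects": [{"kind": "ServiceAccount", "name": "cafe", "namespace": "default"}]},
    {"kind": "ClusterRoleBinding",          # binding with no subjects at all
     "metadata": {"name": "orphaned"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}},
]})


def broad_bindings(raw_json, role_name):
    """Return (kind, scope, binding, group) for each binding of role_name
    whose subject is one of the catch-all groups."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        if item.get("roleRef", {}).get("name") != role_name:
            continue
        meta = item.get("metadata", {})
        scope = meta.get("namespace", "<cluster-wide>")
        # "subjects" may be missing or null on a binding
        for subject in item.get("subjects") or []:
            if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
                findings.append((item.get("kind"), scope,
                                 meta.get("name"), subject["name"]))
    return findings


if __name__ == "__main__":
    for finding in broad_bindings(SAMPLE, "vmware-system-tmc-psp-privileged"):
        print("broad binding:", *finding)
```

Only the cluster-wide binding to system:authenticated is reported; the namespaced binding to a single service account is not.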

Module 2 is over, you are beautiful and amazing! We advise you to go through the remaining modules, including policy management and compliance checks, on your own.

If you would like to complete this lab in its entirety, you can find it here in the catalog. And we will move on to the final part of the article. Let's talk about what we managed to look at, draw the first accurate conclusions and say in detail what Tanzu Mission Control is in relation to real business processes.

Opinions and conclusions

Of course, it's too early to talk about practical issues of working with Tanzu. There are not so many materials for self-study, and today it is not possible to deploy a test stand to “poke” a new product from all sides. Nevertheless, even from the available data, certain conclusions can be drawn.

Benefits of Tanzu Mission Control

The system came out really interesting. Right away, I want to highlight a few convenient and useful features:

  • You can create clusters through the web panel and through the console, which developers will really like.
  • RBAC management through workspaces is implemented in the user interface. It doesn’t work in the lab yet, but in theory it’s a great thing.
  • Template-based centralized privilege management.
  • Full access to namespaces.
  • YAML editor.
  • Create network policies.
  • Cluster health monitoring.
  • Ability to backup and restore through the console.
  • Quota and resource management with visualization of actual utilization.
  • Automatic launch of cluster inspection.

Again, many components are currently under development, so it's too early to fully discuss the pros and cons of some tools. By the way, judging by the demonstration, Tanzu MC can upgrade a cluster on the fly and, in general, handle the entire cluster life cycle across many providers at once.

Here are some "high-level" examples.

Into someone else's cluster with your own rules

Let's say you have a development team with clearly defined roles and responsibilities. Everyone is busy with their own business and should not even accidentally interfere with the work of colleagues. Or the team has one or more less experienced specialists to whom you do not want to give extra rights and freedoms. Let's also assume that you have Kubernetes from three providers at once. Accordingly, in order to limit the rights and bring them to a common denominator, you will have to go into each control panel one by one and write everything down manually. Agree, not the most productive pastime. And the more resources you have, the more tedious the process. Tanzu Mission Control will allow you to manage the differentiation of roles from a "single window". In our opinion, a very convenient feature: no one will break anything if you accidentally forget to specify the necessary rights somewhere.

By the way, our colleagues from MTS in their blog compared Kubernetes from the vendor and open source. If you have long wanted to know what are the differences and what to look for when choosing - welcome.

Compact work with logs

Another example from real life is working with logs. Suppose the team also has a tester. One fine day, he comes to the developers and announces: “a bug has been found in the application, we need to fix it urgently.” Naturally, the first thing a developer wants to look at is the logs. Sending them as files via email or Telegram is bad manners and the last century. Mission Control offers an alternative: you can give the developer special rights so that they can only read logs in a specific namespace. In this case, it is enough for the tester to say: “there are bugs in such and such an application, in such and such a field, in such and such a namespace”, and the developer will easily open the logs and be able to localize the problem. And thanks to the limited rights, they will not be able to fix it on the spot if doing so is beyond their competence.

Healthy application in a healthy cluster

Another great feature of Tanzu MC is cluster health tracking. Judging by the preliminary materials, the system allows you to view some statistics. At the moment it is difficult to say exactly how detailed this information will be: so far everything looks quite modest and simple. There is monitoring of CPU and RAM load, the statuses of all components are shown. But even in such a Spartan form, this is a very useful and effective detail.

Results

Of course, in the laboratory representation of Mission Control, in seemingly sterile conditions, some roughness is observed. You yourself will probably notice them if you decide to go through the work. Some points were not made intuitively enough - even an experienced administrator will have to read the manual to understand the interface and its capabilities.

Nevertheless, given the complexity of the product, its importance and the role that it has to play in the market, it turned out cool. You can feel that the creators tried to streamline the user's workflow and make each control as functional and understandable as possible.

It remains only to try Tanzu on a test bench to really understand all its pros, cons and innovations. As soon as we have such an opportunity, we will share with the readers of Habr a detailed report on working with the product.

Source: habr.com
