After spending some time watching, digesting and then writing about Project Pacific Deep Dive updates from VMworld 2019, the next item on my to-do list was to get up to speed on VMware Tanzu, or to be more specific, Tanzu Mission Control. The reason I am being more specific is that VMware Tanzu is a broad portfolio of products and features which can be categorized into 3 distinct areas. These areas are Build, Run and Manage. The Build category relates to initiatives taking place in the developer space, notably with Bitnami and Pivotal, the former having recently been acquired by VMware, whilst the latter is soon to be acquired by VMware, all going well. Run is all about running Kubernetes (K8s) on vSphere, primarily through Enterprise PKS or on Project Pacific (when it becomes available). But I wanted to focus on the Manage category. And this is where Tanzu Mission Control comes in.
I watched a number of VMworld 2019 sessions on Tanzu, and I guess for me the key point was made by Craig McLuckie. Craig made the point (I’m paraphrasing here) that while Kubernetes is a very powerful, production ready platform, it is still a young technology and it is still evolving from a resource management perspective. For that reason, we are not yet at the stage where we can consolidate everything into a single Kubernetes cluster. Thus we are seeing a lot of Kubernetes cluster fragmentation within organizations. Not only are we seeing multiple teams in the same organization creating and deploying applications on their own Kubernetes clusters, but indeed they are deploying these clusters onto different clouds. There are many reasons for this, some related to geography, some related to security, and others related to politics (e.g. GDPR). This fragmentation is causing significant management overhead for the operations teams. In many cases, they are having to manage K8s clusters on an individual basis, configuring permissions/access, networking and security cluster by cluster – this is unsustainable.
This is where Tanzu Mission Control is positioned – it is a single control point for managing K8s across multiple teams and clouds, providing visibility and control over the environments for IT Ops teams, whilst at the same time not constraining or hindering the developer teams.
In a number of the sessions that I watched, Eryn Muetzel gave a demonstration of the planned Tanzu Mission Control capabilities. She highlighted a number of features, such as:
- Ability to deploy K8s clusters directly from Tanzu Mission Control. Whilst the demo showed the deployment of K8s clusters on AWS, she did say that plans were underway to do the same thing with Project Pacific.
- Ability to attach existing K8s clusters to Tanzu Mission Control. This is achieved by installing an agent in the remote K8s cluster, which then provides a secure connection back to Tanzu Mission Control. This means that existing K8s clusters can also be managed by Tanzu MC, even if Tanzu MC did not provision that cluster.
- Cluster Groups enable new clusters to inherit policies at a group level, rather than having to add policies individually to each cluster.
- Workspaces provide the ability to apply access controls to an application that resides in multiple different namespaces, in different clusters on different clouds. This feature provides for the consistent deployment of an application (permissions, security, configuration) across different clusters and clouds.
Provisioning a K8s Cluster from Tanzu Mission Control
Eryn showed us the steps involved in provisioning a K8s cluster on AWS from Tanzu Mission Control. She began by providing us with an overview of all the different clusters (AKS from Azure, GKE from Google, PKS from VMware and EKS from Amazon) currently being managed by the Tanzu MC instance in her environment.
She then proceeded to build a new EKS cluster on AWS, filling in some basic details as she went. Here you can see where one could add a Cluster Group to enable this cluster to inherit existing policies that are already associated with the group. This part of Kubernetes is hugely challenging for many organizations as they build out clusters – adding the correct privileges on a cluster by cluster basis becomes a tedious and time consuming operation. Tanzu Mission Control solves this through Cluster Groups.
As Eryn continued with the cluster configuration, we saw the difference between a development cluster and a production cluster (number of control plane nodes and worker nodes) as well as the ability to choose the size of a node. We could also add various labels, which are used extensively throughout Kubernetes. This would help us to easily identify our cluster when we start deploying clusters at scale. Once the cluster was deployed, we were able to see some basic health check information (Components, Agent and Inspection) related to the cluster, as shown here:
She also showed us the nodes view, and how Tanzu Mission Control could be used to drill down into the health and operations of individual parts of the infrastructure. On an individual worker node, we could see the details about the Kubernetes (kubelet) version, the container runtime and version, and conditions such as memory and disk pressure. And of course, all the Pods running on the worker node were also listed:
So, to conclude, consider managing Kubernetes at scale. Consider managing not only 10s-100s of K8s clusters but also many 1000s of developers!!! This is what Tanzu Mission Control does. It is automating, through policies, many of the tasks that IT operations have to do today when it comes to managing Kubernetes, as well as giving the IT operations team visibility into their whole Kubernetes environment.
Tanzu Mission Control futures
Eryn highlighted that today, Tanzu Mission Control is focused primarily on access control/permissions policies. Going forward, the plan is to extend policies to areas like the image registry, networking, pod security, quotas and so on. She then shared with us an overview of future plans, which are shown in the diagram below.
For Identity and Access Management, this is basically focused on centralized authentication of K8s clusters. The Security and Configuration initiatives are two-fold: (1) provide the right insights to verify that your clusters are configured correctly and are secure, and (2) apply policies so that certain things are not allowed to happen in the cluster, e.g. deployment of privileged containers. The last area that Eryn spoke about was Observability and Diagnostics, which is concerned with providing the right high-level health information to see what is going on at the fleet level (fleet == large scale K8s deployments). This will be achieved by building integrations into products such as Wavefront (and others) over time.
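To make the "no privileged containers" policy concrete, here is an added example of the kind of check such a policy has to perform against a cluster's Pod specs. This is illustrative code written for this post, not Tanzu Mission Control's policy engine or API, and the two Pod manifests it audits are constructed. It goes slightly beyond the sentence above by also flagging the host namespace settings (hostPID, hostNetwork, hostIPC) that usually travel with privileged workloads; both generalizations are my assumptions about what a pod security policy would cover.

```python
"""Audit Kubernetes Pod manifests for privileged containers.

Added illustration only: this is not Tanzu Mission Control's policy engine.
The manifests in SAMPLE_PODS_JSON are constructed for the example.
"""
import json

# Constructed sample: two Pod objects in the shape `kubectl get pods -o json`
# returns under .items. One is compliant, one violates several rules.
SAMPLE_PODS_JSON = """
[
  {"apiVersion": "v1", "kind": "Pod",
   "metadata": {"name": "web", "namespace": "team-a"},
   "spec": {"containers": [
      {"name": "nginx", "image": "nginx:1.17",
       "securityContext": {"privileged": false}}]}},
  {"apiVersion": "v1", "kind": "Pod",
   "metadata": {"name": "node-tool", "namespace": "team-b"},
   "spec": {"hostPID": true,
            "initContainers": [
              {"name": "setup", "image": "busybox",
               "securityContext": {"privileged": true}}],
            "containers": [
              {"name": "agent", "image": "agent:2.0",
               "securityContext": {"privileged": true}}]}}
]
"""

# Pod-level spec fields that share a host namespace with the node.
HOST_NAMESPACE_FIELDS = ("hostPID", "hostNetwork", "hostIPC")
# Every list in a Pod spec that can hold a container definition.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def iter_containers(pod):
    """Yield (field, container) for init, regular and ephemeral containers."""
    spec = pod.get("spec", {})
    for field in CONTAINER_FIELDS:
        for container in spec.get(field, []):
            yield field, container


def find_violations(pods):
    """Return (namespace/pod, container-or-None, reason) for each policy breach."""
    violations = []
    for pod in pods:
        meta = pod.get("metadata", {})
        ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        spec = pod.get("spec", {})
        # Pod-level checks: host namespaces are a pod setting, not a container one.
        for key in HOST_NAMESPACE_FIELDS:
            if spec.get(key):
                violations.append((ident, None, f"{key} enabled"))
        # Container-level check: privileged must be absent or false everywhere,
        # including init containers, which run before the main workload.
        for field, container in iter_containers(pod):
            if container.get("securityContext", {}).get("privileged"):
                violations.append(
                    (ident, container.get("name"), f"privileged container in {field}")
                )
    return violations


def audit(pods_json):
    """Parse a JSON list of Pod objects and return its policy violations."""
    return find_violations(json.loads(pods_json))


if __name__ == "__main__":
    for ident, container, reason in audit(SAMPLE_PODS_JSON):
        print(f"{ident}\t{container or '-'}\t{reason}")
```

Run against the constructed input, the compliant `team-a/web` Pod produces nothing, while `team-b/node-tool` yields three findings: the hostPID setting, the privileged init container and the privileged main container. A fleet-level policy of the kind described above would evaluate the same conditions at admission time across every attached cluster rather than after the fact.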
Of course, there is one thing in the VMware Mission Control futures section which definitely piqued my interest, which is Data Protection. Whilst Eryn did not go into that in any detail during the VMworld 2019 sessions that I watched, it is an area I am going to keep my eye on going forward.
If you are interested in watching the full sessions on Tanzu Mission Control from VMworld 2019, these are the sessions that I watched to gather the above information: