Kubernetes Persistent Volume (PV) Encryption with Native Key Provider in vSphere 8.0U3

Security is top of mind for most, if not all, of our customers these days. Many years ago, I wrote a blog post on how customers could encrypt Kubernetes Persistent Volumes with an external Key Provider. One of our customers recently reached out to me to ask if we had any plans to provide similar support with the Native Key Provider. As my focus has been in other areas recently, I reached out to our CSI engineering team for an update. I then found out that support was added in our most recent release, vSphere 8.0U3. While no changes we…

Data Services Manager 2.0 – Consumption Operator (Video)

This video highlights another interesting feature of Data Services Manager (DSM) 2.0, namely the Consumption Operator. This allows customers with existing Kubernetes deployments to request DSM to provision databases from these K8s clusters, without switching context to either the DSM Gateway API or DSM UI. The video shows how to install the operator and enable bindings for both infrastructure policies and backup locations. These bindings mean that only those resources can be used by end-users or developers who wish to create databases using this method.

Getting Started with Data Services Manager 2.0 – Part 10: Consumption Operator

One of the common asks we get from customers on Data Services Manager (DSM) 2.0 is the following: “I already run Kubernetes. Is it possible to create databases from my existing Kubernetes clusters using DSM?”. The answer is Yes. We provide a piece of software called the DSM Consumption Operator. This installs on your local Kubernetes (K8s) cluster and allows admins or developers to request the creation of databases (PostgreSQL, MySQL). On receipt of this request, DSM provisions its own K8s cluster, and then provisions the database on top. Your admins or developers can then connect to the database and…

Data Services Manager 2.0 – Gateway API (Video)

This video will show the power of the Gateway API in Data Services Manager (DSM) 2.0. The Gateway API is a Kubernetes API for the creation, modification, query and deletion of DSM objects. There are two personas related to the Gateway API, the infrastructure admin and the DSM admin/user. The video shows how to retrieve the Kubernetes configuration file (kubeconfig) for each of the personas. It also shows how to use the Gateway API to create infrastructure components such as an IP Pool, a VM Class and an Infrastructure Policy. The Gateway API is a great tool for those administrators…

Kubernetes for vSphere Admins – part of the June 2023 VMware User Group Global Virtual Event series

This session was selected by the VMware User Group (VMUG) for their Global Virtual Event which was held on June 27, 2023. As part of the session, some of the fundamentals of Kubernetes (K8s) are discussed. The talk then moves on to areas where vSphere Administrators can begin to onboard with Kubernetes, particularly when K8s control plane and worker nodes are deployed as a set of virtual machines on top of vSphere infrastructure. The two areas which are discussed in significant detail are the external Load Balancers and the vSphere CSI driver. The talk examines the options for different Load Balancers…

Why do I get “Error from server (Forbidden)” in vSphere with Tanzu

I’ve seen a number of queries around the behaviour of vSphere with Tanzu when it comes to querying Kubernetes objects on the Supervisor Cluster. More often than not, it is a question which arises when a user gets an error similar to the following: Error from server (Forbidden): wcpnamespaces.appplatform.wcp.vmware.com is forbidden: \ User “sso:Administrator@vsphere.local” cannot list resource “wcpnamespaces” in API group \ “appplatform.wcp.vmware.com” in the namespace “cormac-ns” The reason for these errors is that the Supervisor Cluster is not treated as a general purpose Kubernetes cluster. The predominant role of the Supervisor Cluster is to provide services, such as the…

vSphere with Tanzu – Secure TKC login with Pinniped Preview

Following on from last week’s preview of multi-AZ in vSphere with Tanzu available in vSphere 8.0, I now turn my attention to another great feature. In this post, I will preview the new Pinniped integration to provide an easy and secure login to Tanzu Kubernetes clusters. I’ve discussed Pinniped a number of times on this site, but those previous posts relate to standalone TKG clusters (often referred to as TKGm). However, with vSphere 8.0, vSphere with Tanzu also has Pinniped integration. In a nutshell, vSphere Administrators can now federate an external Identity Provider (IDP) with the Supervisor cluster. This means…