In this article, I will walk through the steps involved in securing application Ingress access on TKG v1.4. To achieve this, I will use 2 packages that are available with TKG v1.4, Cert Manager and Contour. We will deploy a sample application kuard – Kubernetes Up and Running demo, and show how we can use these packages to automatically generated certificates to establish trust between our client (browser) and the application (kuard) which will be accessed via an Ingress. For the purposes of this article, I will create my own local Certificate Authority. If you have access to a valid…
In this post, I am going to show how I set up my Tanzu Kubernetes Grid management cluster using a proxy configuration. I suspect this may be something many readers might want to try at some point, for various reasons. I will add a caveat to say that I have done the bare minimum to get this configuration to work, so you will probably want to spend far more time than I did on tweaking and tuning the proxy configuration. At the end of the day, the purpose of this exercise is to show how a TKG bootstrap virtual machine…
Hopefully many readers will have seen yesterdays announcement around Tanzu Community Edition, or TCE for short. I mentioned the fact that there are numerous community packages available in this new, free, open sourced version of Tanzu Kubernetes. Package management in TCE is achieved through a suite of tools bundled under the Carvel brand. In this post, I am going to describe some of the nuances around the deployment of these packages in a TCE cluster. There are 3 package components that need to considered when dealing with packages in TCE. There are (1) the repository, (2) the package install resources…
As we head into VMworld 2021 this week, there will be many announcements about new and updated VMware products and features. However, there is one that I want to bring to your attention. It is something that I have been directly involved in, in some small way, and that something is Tanzu Community Edition. Tanzu Community Edition (sometimes referred to as TCE), is a free, open source Tanzu Kubernetes (TKG) distribution which has all of the same open source software found in our commercial editions of Tanzu. Personally, I find this to be a really cool announcement for a number…
A short video to demonstrate how network access to Kubernetes Persistent Volumes, that are backed by vSAN File Service file shares, can be controlled. This allows an administrator to determine who has read-write access and who has read-only access to a volume, based on the network from which they are accessing the volume. This involves modifying the configuration file of the vSphere CSI driver, as shown in the following demonstration. The root squash parameter can also be controlled using this method. This links to a more detailed step-by-step write-up on how to configure the CSI driver configuration file and control…
A short video to demonstrate how vSAN File Service file shares, which are used to back dynamically created Kubernetes read-write-many persistent volumes (PVs) have an implicit hard quota associated with them. Read-Write-Many (RXW) PVs are volumes which can be shared between multiple Kubernetes Pods. For more details about this feature, please check out this earlier blog post.
Last week I looked at how quotas were implicit on Kubernetes RWX Persistent Volumes which were instantiated on vSAN File Service file shares. This got me thinking about another feature of Kubernetes Persistent Volumes – how could some of the other parameters associated with file shares be controlled? In particular, I wanted to control which networks could access a volume, what access permissions were allowed from that network and whether we could squash root privileges when a root user accesses a volume? All of these options are configurable from the vSphere client and are very visible when creating file shares…