Once you have deployed your management cluster, you can deploy additional CNCF-conformant Kubernetes clusters and manage their full lifecycle. These clusters are designed to run your application workloads and are managed via your management cluster. They can run different Kubernetes versions as required, and use Antrea networking by default.
These types of clusters are also referred to as “workload” clusters, or “guest” clusters, with the latter typically referring to the Tanzu Kubernetes Grid Service running in vSphere.
Deploying a Guest Cluster
Log in to your Tanzu environment Management Cluster with the following:
Alternatively, we can use the existing YAML file in our ~/.tanzu/tkg/clusterconfigs folder used for the management cluster deployment and change a few settings to make it ready for our workload guest cluster.
This was my preferred method as it contained all my Azure settings already.
# Find the existing cluster config file
ls -lh ~/.tanzu/tkg/clusterconfigs/
# Copy the file to a new config
cp ~/.tanzu/tkg/clusterconfigs/6x4hl1wy8o.yaml tanzu-veducate-guest-azure.yaml
# Edit the new file and set CLUSTER_NAME
# Workload cluster names must be 42 characters or less.
When you deploy your OVA you will be asked to configure the highlighted settings below. By default we input a rule of 0.0.0.0/0, meaning any FAHControl node can connect (using the correct password). You can alter this to restrict access to your local subnets.
Configuring Access to your Linux based clients or directly on the VMware Folding@Home Appliance
On your Linux machines or deployed OVAs
Connect via SSH
Edit the config.xml file
Insert the following code to enable FAHControl access
From within vi press ‘i’ to enter insert mode
To configure a single address to access your client
Without a password against a single IP restriction
<!-- Remote Command Server -->
<command-allow-no-pass v='127.0.0.1 192.168.200.10' />
Without either a password or IP restriction
<!-- Remote Command Server -->
<command-allow-no-pass v='127.0.0.1 0.0.0.0/0' />
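As an added example (not part of the original post), the following Python script audits the command-allow-no-pass entries in a FAHClient config.xml and flags the passwordless 0.0.0.0/0 rule shown above as critical, while accepting loopback and reporting single-host entries. It assumes the element sits under a <config> root, as in a real config.xml; the two sample configs are constructed from the snippets above.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples: the two variants shown above, wrapped in a minimal <config> root.
OPEN_CONFIG = """<config>
  <!-- Remote Command Server -->
  <command-allow-no-pass v='127.0.0.1 0.0.0.0/0' />
</config>"""

RESTRICTED_CONFIG = """<config>
  <!-- Remote Command Server -->
  <command-allow-no-pass v='127.0.0.1 192.168.200.10' />
</config>"""


def parse_no_pass_rules(config_xml: str) -> list:
    """Return every address spec listed in command-allow-no-pass elements.

    FAHClient separates multiple addresses/networks with whitespace in the v attribute.
    """
    root = ET.fromstring(config_xml)
    specs = []
    for el in root.iter("command-allow-no-pass"):
        specs.extend(el.get("v", "").split())
    return specs


def audit_no_pass_rules(config_xml: str) -> list:
    """Return (severity, spec, reason) findings for passwordless remote-command entries.

    Loopback is expected and skipped. A /0 rule means any host on the network can
    drive FAHClient without a password and is reported as critical; a wider-than-host
    network is high; a single explicit host is informational.
    """
    findings = []
    for spec in parse_no_pass_rules(config_xml):
        net = ipaddress.ip_network(spec, strict=False)  # '192.168.200.10' becomes a /32
        if net.is_loopback:
            continue
        if net.prefixlen == 0:
            findings.append(("critical", spec, "passwordless FAHControl access from any address"))
        elif net.num_addresses > 1:
            findings.append(("high", spec, "passwordless access from a whole subnet"))
        else:
            findings.append(("info", spec, "passwordless access from a single host"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        for severity, spec, reason in audit_no_pass_rules(cfg):
            print(f"{name}: [{severity}] {spec}: {reason}")
```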
Connecting FAHControl to your clients
Open your FAHControl and click Add
Enter the name of your client as you would like it to be displayed, the IP address of your client and your password if necessary, and click save
You should now see your client is connected in FAHControl.
Troubleshooting FAHControl issues
FAHControl uses the default TCP Port 36330
Test access with telnet; you should get a response like the one below.
The VMware Appliance for Folding@Home has iptables configured to allow this port by default. If you did not specify a specific remote management address during deployment, then access is open to all IP addresses.
Ensure that the machine where you are running FAHControl is not blocking outbound connections to TCP 36330.
The firewall rules below are added to the VMware Appliance for Folding@Home by default to allow FAHControl to remotely manage FAHClient.
If you are using these instructions for a Linux machine, you can use the below settings as well.
So I’ve just had the pleasure of deploying Trend Deep Security via the Agent-less method, utilizing the NSX free license which allows guest introspection, but no other features.
Starting in NSX 6.2.3, the default license upon install will be NSX for vShield Endpoint. This license enables use of NSX for deploying and managing vShield Endpoint for anti-virus offload capability only, and has hard enforcement to restrict usage of VXLAN, firewall, and Edge services, by blocking host preparation and creation of NSX Edges.
With the basic Deep Security license you get the following coverage:
Web Reputation Service
However, upon deploying Trend and jumping through the various hoops (support for the NSX free license is flaky), you will find multiple errors showing against your VMs.