Introducing Tanzu Mission Control

Today we want to talk about VMware Tanzu, a new line of products and services that was announced during last year's VMWorld conference. On the agenda is one of the most interesting tools: Tanzu Mission Control.



Caution: there are a lot of images under the cut.







What is Mission Control



As the company says in a blog post, VMware Tanzu Mission Control's primary goal is to "bring order to cluster chaos." Mission Control is an API-driven platform that enables administrators to apply policies to clusters or cluster groups and set security rules. SaaS-based tools integrate securely into Kubernetes clusters via an agent and support a wide range of standard cluster operations, including lifecycle management operations (deployment, scaling, deletion, etc.).



The philosophy of the Tanzu line is to make maximum use of open-source technologies. The Cluster API is used to manage the lifecycle of Tanzu Kubernetes Grid clusters, Velero is used for backups and restores, Sonobuoy is used to check the conformance of Kubernetes cluster configuration, and Contour serves as the ingress controller.



The general list of Tanzu Mission Control functions looks like this:



  • centralized management of all your Kubernetes clusters;
  • Identity and Access Management (IAM);
  • diagnostics and monitoring of the state of clusters;
  • management of configuration and security settings;
  • scheduling regular checks on the status of the cluster;
  • creation of backups and recovery;
  • quota management;
  • a visualized representation of resource utilization.






Why is it important



Tanzu Mission Control helps businesses manage a large fleet of Kubernetes clusters located on-premises, in the cloud, and with multiple third-party providers. Sooner or later, any company whose activities are tied to IT is forced to maintain many heterogeneous clusters located at different providers. Each cluster turns into a snowball that needs a competent organization, the appropriate infrastructure, policies, protection, monitoring systems and much more.



Nowadays, any business seeks to reduce costs and automate routine processes. And the complex IT landscape is clearly not conducive to savings and focus on priority tasks. Tanzu Mission Control empowers organizations to work with multiple Kubernetes clusters deployed across multiple providers while harmonizing the operating model.



Solution architecture







Tanzu Mission Control is a multi-tenant platform that gives users access to a set of highly customizable policies that can be applied to clusters and groups of Kubernetes clusters. Each user is tied to an Organization, which is the "root" of all resources: cluster groups and workspaces.







What Tanzu Mission Control Can Do



Above, we briefly listed the solution's functions. Let's see how they are implemented in the interface.



A single view of all Kubernetes clusters in an enterprise:







Create a new cluster:











You can immediately assign a group to a cluster, and it will inherit the policies set to it.



Cluster connection:







Already existing clusters can be simply connected using a special agent.



Cluster grouping:







In Cluster groups, you can group clusters to inherit assigned policies at the group level, without manual intervention.



Workspaces:







Workspaces provide the ability to flexibly configure access to an application that spans multiple namespaces, clusters and cloud infrastructures.



Let's take a closer look at the principles of Tanzu Mission Control in laboratory work.



Lab # 1



Of course, it is quite difficult to picture in detail how Mission Control and the new Tanzu solutions work without practice. So that you can explore the main features of the line, VMware provides access to several lab environments, where you can complete hands-on labs using step-by-step instructions. Besides Tanzu Mission Control itself, other solutions are available for testing and study. A complete list of labs can be found on this page.



Each lab is allotted its own amount of time (there is even a small vSAN “game”). Don't worry, these numbers are very relative. For example, the Tanzu Mission Control lab can be “solved” for up to 9 and a half hours when taken from home. In addition, even if the timer expires, you can come back and go through everything again.



Passage of laboratory work # 1
VMware. . .



Tanzu Mission Control.



windows-, :



  • ,
  • ,
  • -




, : .



Lab # 2



Here we are already dealing with something more serious. This lab is not as tied to the "rails" as the previous one and requires more careful study. We will not reproduce it here in its entirety: to save your time, we will analyze only the second module, since the first is devoted to the theoretical side of Tanzu Mission Control. If you wish, you can complete it yourself. The second module invites us to dive into cluster lifecycle management through Tanzu Mission Control.



Note: Tanzu Mission Control labs are regularly updated and refined. If any screens or steps differ from the ones below while you are completing the lab, follow the directions on the right side of the screen. We will go through the version of the lab that was current at the time of writing and consider its key elements.



Passage of laboratory work # 2
VMware Cloud Services, Tanzu Mission Control.







, , — Kubernetes. Ubuntu PuTTY. Ubuntu.







:



  • : kind create cluster --config 3node.yaml --name=hol
  • KUBECONFIG-: export KUBECONFIG="$(kind get kubeconfig-path --name="hol")"
  • : kubectl get nodes






Tanzu Mission Control. PuTTY Chrome, Clusters ATTACH CLUSTER.

— default, REGISTER.







PuTTY.







.







: watch kubectl get pods -n vmware-system-tmc. , Running Completed.







Tanzu Mission Control VERIFY CONNECTION. , .







. Cluster groups NEW CLUSTER GROUP. CREATE.







.







: Clusters, NEW CLUSTER .







, — hands-on-labs — .







, . , Next.







, Edit.







, CREATE.

.







. .







KUBECONFIG, kubectl. Tanzu Mission Control. Tanzu Mission Control CLI click here.







CLI.







API Token. My Account .







GENERATE.







CONTINUE. Power Shell tmc-login, — , , — Login Context Name. info , olympus-default ssh-.







namespaces:kubectl --kubeconfig=C:\Users\Administrator\Downloads\kubeconfig-aws-cluster.yml get namespaces.



kubectl --kubeconfig=C:\Users\Administrator\Downloads\kubeconfig-aws-cluster.yml get nodes, , Ready.







. — coffee and tea — coffee-svc tea-svc, — nginxdemos/hello and nginxdemos/hello:plain-text. .



PowerShell cafe-services.yaml.







- API .



Pod Security Policies . .



: kubectl --kubeconfig=kubeconfig-aws-cluster.yml create clusterrolebinding privileged-cluster-role-binding --clusterrole=vmware-system-tmc-psp-privileged --group=system:authenticated

: kubectl --kubeconfig=kubeconfig-aws-cluster.yml apply -f cafe-services.yaml

: kubectl --kubeconfig=kubeconfig-aws-cluster.yml get pods
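
The first command above binds the ClusterRole vmware-system-tmc-psp-privileged to the group system:authenticated, that is, to every authenticated identity in the whole cluster. As an added example (not part of the lab or of VMware's materials), here is a narrower binding that grants the same ClusterRole only to service accounts in one namespace; the binding name and the assumption that cafe-services.yaml is deployed into "default" are hypothetical.

```yaml
# Added example, not from the lab: namespace-scoped alternative to
#   kubectl create clusterrolebinding privileged-cluster-role-binding \
#     --clusterrole=vmware-system-tmc-psp-privileged --group=system:authenticated
#
# A RoleBinding that references a ClusterRole grants that role's permissions
# only inside the RoleBinding's own namespace. Here, only pods running under
# service accounts of "default" may use the policy behind the ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cafe-psp-privileged          # hypothetical name
  namespace: default                 # assumption: the cafe app runs in "default"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vmware-system-tmc-psp-privileged   # ClusterRole named in the lab command
subjects:
  # Built-in group that contains every service account in "default".
  # Deployments create their pods through controllers, so the policy is
  # authorized against the pod's service account, not the human user.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts:default
```

PodSecurityPolicy was removed in Kubernetes 1.25, so this applies only to clusters that still enforce PSP.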







2 , ! , .



, . . , , , Tanzu Mission Control -.



Opinions and conclusions



Of course, it's too early to talk about practical issues of working with Tanzu. There are not so many materials for independent study, and today it is not possible to deploy a test bench in order to "poke" a new product from all sides. Nevertheless, even from the available data, certain conclusions can be drawn.



Benefits of Tanzu Mission Control



The system turned out to be really interesting. Right away, I would like to highlight a few convenient and useful perks:



  • You can create clusters through the web panel and through the console, which developers will really like.
  • RBAC management through workspaces is implemented in the user interface. Doesn't work in the lab yet, but in theory it's a great thing.
  • Centralized privilege management based on templates.
  • Full access to namespaces.
  • YAML editor.
  • Creation of network policies.
  • Cluster health monitoring.
  • Console backup and restore capability.
  • Quota and resource management with visualization of actual utilization.
  • Automatic launch of cluster inspection.


Again, many components are still being finalized, so it's too early to talk in full about the pros and cons of some tools. By the way, judging by the demonstration, Tanzu MC can upgrade a cluster on the fly and, in general, handle the entire cluster lifecycle across many providers at once.



Here are some “high-level” examples.



Into someone else's cluster with its own charter



Let's say you have a development team with clearly defined roles and responsibilities. Everyone is busy with their own work and should not interfere with the work of colleagues, even accidentally. Or the team has one or more less experienced specialists to whom you do not want to give unnecessary rights and freedoms. Let's also assume that you have Kubernetes from three providers at once. Accordingly, in order to limit the rights and bring them to a common denominator, you will have to log in to each control panel one by one and configure everything manually. Agree, not the most productive pastime. And the more resources you have, the more tedious the process. Tanzu Mission Control will allow you to manage the delineation of roles from a "single window". In our opinion, this is a very convenient function: no one will break anything if you accidentally forget to specify the necessary rights somewhere.



By the way, our colleagues from MTS compared vendor Kubernetes with open-source Kubernetes in their blog. If you have long wanted to know what the differences are and what to look at when choosing, you are welcome to read it.



Compact work with logs



Another example from real life is working with logs. Suppose the team also has a tester. One fine day he comes to the developers and announces: "a bug has been found in the application, we will fix it urgently." Naturally, the first thing a developer wants to look at is the logs. Sending them as files via email or Telegram is bad form and belongs to the last century. Mission Control offers an alternative: you can give the developer special rights so that they can only read the logs in a specific namespace. In this case, it is enough for the tester to say: “there are bugs in such and such an application, in such and such a field, in such and such namespace”, and the developer will easily open the logs and be able to localize the problem. And thanks to the limited rights, he will not rush to fix it right away if that is outside his competence.
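
The restriction described above, expressed as plain Kubernetes RBAC in an added example (this is not Tanzu Mission Control's own policy format and not taken from the lab). The namespace "cafe", the object names and the user dev@example.com are hypothetical.

```yaml
# Added example: read-only access to pod logs in a single namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: log-reader                 # hypothetical name
  namespace: cafe                  # hypothetical namespace of the application
rules:
  # Needed to find the pod whose logs are requested.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # Logs are a subresource of pods; "get" is all that reading them requires.
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  # No create/update/patch/delete verbs and no pods/exec: the holder can
  # read logs but cannot change or enter the workload.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-log-reader             # hypothetical name
  namespace: cafe                  # a Role only applies in its own namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: log-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: dev@example.com          # hypothetical developer identity
```

The result can be checked with kubectl auth can-i get pods --subresource=log -n cafe --as=dev@example.com, which should answer yes, while the same check for delete pods should answer no.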



Healthy Cluster Healthy App



Another great feature of Tanzu MC is cluster health tracking. Judging by the preliminary materials, the system allows you to view some statistics. At the moment, it is difficult to say how detailed this information will be: so far, everything looks quite modest and simple. There is monitoring of the CPU and RAM utilization, the statuses of all components are shown. But even in this spartan form, it is a very useful and effective detail.



Outcome



Of course, even in the lab version of Mission Control, under seemingly sterile conditions, some rough edges are noticeable. You will probably notice them yourself if you decide to go through the labs. Some things are not intuitive enough: even an experienced administrator will have to read the manual to understand the interface and its capabilities.



Nevertheless, given the complexity of the product, its importance and the role it will play in the market, it turned out cool. It feels like the creators tried to improve the user's workflow and to make each control as functional and understandable as possible.



It remains only to try Tanzu on a test bench in order to really understand all its pros, cons and innovations. As soon as such an opportunity presents itself to us, we will share with the readers of Habr a detailed report on working with the product.


