You can use the SDDC Manager in Cloud Foundation on VxRail to deploy a workload domain that will support Tanzu. Tanzu is a full distribution of the open-source Kubernetes container orchestration software that is packaged, signed, and supported by VMware. SDDC Manager will perform the configuration of the workload domain to support a Kubernetes supervisor cluster, and enable all the underlying services to support namespaces on the workload domain resources.
In this environment, the supervisor cluster uses the services enabled in vSphere to support Kubernetes, and uses the resources provided by the ESXi hosts as worker nodes instead of Linux hosts.
Figure 59. Tanzu Kubernetes services on VI Workload Domain
To prepare for the deployment of a vSphere for Tanzu workload domain using Cloud Foundation on VxRail, ensure that there are enough resources on the planned workload domain to support the planned workload. The Tanzu Kubernetes Grid Service deploys a baseline of virtual appliances on the supervisor cluster to support management activities from a vCenter perspective, which include the creation of namespaces for DevOps. It will also deploy a pair of NSX-T edge appliances to enable connectivity upstream to the NSX-T tier-0 gateway. In addition, each time a namespace is configured by the vSphere administrator, a set of control plane virtual appliances is deployed to enable management access. The accompanying table should be used to reserve resources in the supervisor cluster to support management overhead.
Figure 60. vSphere for Tanzu workload domain management components
As part of the deployment process, SDDC Manager will configure a workload network to support connectivity to the Tanzu supervisor cluster, deploy NSX-T load balancers to separate the external and internal networks within the cluster, and deploy an NSX-T tier-1 gateway for ingress and egress access. NAT rules will also be established in NSX-T to enforce the separation of the public and private networks.
Figure 61. Rules for supervisor cluster networks
The routable management network connects the management components in the supervisor cluster to vCenter, while the workload network uses NSX-T to support traffic to the Kubernetes APIs and to the pods created within the namespaces.
A set of IP address ranges must be reserved for usage by the vSphere for Tanzu workload domain.