Kubernetes on VMware: What are the Options?

Learn about different ways to run Kubernetes on VMware, including the vSphere Kubernetes integration and Tanzu Kubernetes Grid Integrated Edition (TKGI)

February 1, 2021

How Does Kubernetes Run on VMware?

Kubernetes is an open-source container orchestration platform that automates the management of containerized applications. VMware provides virtualization platforms used by a majority of enterprises. As containers become more popular, a growing requirement is to deploy containers and manage them alongside traditional virtual machines, on VMware infrastructure.

In 2019, VMware started supporting Kubernetes as part of its vSphere virtualization platform, which includes the ESXi hypervisor. It is now possible to run containers directly on ESXi, or use the Tanzu Kubernetes Grid platform to manage standard Kubernetes clusters, compatible with upstream Kubernetes development. Tanzu makes it possible to run Kubernetes in production, managing large numbers of Kubernetes clusters across VMware infrastructure, bare metal servers, and public clouds.

In this article, you will learn:

Running Kubernetes Alongside VMware Workloads

VMware vSphere is VMware’s flagship virtualization platform. Since version 7, vSphere fully supports Kubernetes. It it built to support developers, who are familiar with Kubernetes, and IT staff who are familiar with vSphere system constructs:

  • For developers, vSphere looks and acts like regular Kubernetes. They can use normal Kubernetes constructs and declarative configuration to request compute resources, storage, networking, and high availability. In the background, the requests are fulfilled via vSphere resources, but developers do not need to be aware of vSphere infrastructure.
  • For IT administrators, vSphere works exactly like in the past, only with new workload management capabilities. vSphere Admins can work with “namespaces”, which behave just like regular virtualized workloads, but are also visible within Kubernetes. This is how admins can manage the security, resources, and networking available to the Kubernetes environment.

How Does vSphere with Kubernetes Work?

vSphere has been deeply integrated with Kubernetes, by adding the Kubernetes APIs as a new control plane. This lets Kubernetes users consume services seamlessly from the VMware environment, just like they would in a public cloud. vSphere can now manage workloads consistently, whether they are containers, applications, or virtual machines.

The ESXi hypervisor, which is at the core of vSphere, now includes the Kubernetes API, as well as the Spherelet, a management agent based on the Kubernetes Kubelet. This lets the ESXi hypervisor act as a native Kubernetes node, which can join Kubernetes clusters. 

ESXi hosts can run containers directly on the hypervisor. This is made possible by a new container runtime called CRX, which is provided as part of vSphere. This approach does not require loading a full Linux guest OS, instead it uses a highly optimized Linux kernel and lightweight init process. 

Within Kubernetes, these containers can be accessed as part of a vSphere Pod Service. The vSphere Pod Service lets you run vSphere containers in Kubernetes, but they are not fully conformant Kubernetes clusters.

Supervisor vs. Guest Clusters

vSphere lets users run two types of Kubernetes clusters:

  • Supervisor cluster—a special kind of Kubernetes cluster that runs worker nodes directly on the ESXi hypervisor (not on Linux). Container workloads run in vSphere Pods, and offer the same security, high availability and performance of ESXi. However, a supervisor cluster is not a standard Kubernetes cluster, and cannot work seamlessly with existing Kubernetes deployments. 
  • Tanzu Kubernetes Cluster (guest cluster)—this is a cluster, based on VMware infrastructure, which is compatible with upstream Kubernetes. A Tanzu cluster runs on virtual machines, not vSphere Pods. It uses the open source Cluster API project, which uses the VM Operator to manage virtual machine workflows for the cluster.

Running Kubernetes in a Multi Cloud Environment with Tanzu Kubernetes Grid Integrated Edition (TKGI)

VMware Tanzu Kubernetes Grid Integrated Edition is a VMware platform that makes it possible to run Kubernetes on heterogeneous multi-cloud environments, including public clouds and on-premises VMware environments. It supports both day 1 (initial cluster deployment) and day 2 operations (patching, upgrades, and high availability).

The main goal of TKGI is to expose Kubernetes in standard form, making Tanzu clusters fully compatible with existing Kubernetes deployments and upstream Kuberntes development. Developers work with the native Kubernetes CLI and APIs just like if they were deploying Kubernetes locally or on a public cloud.  

The platform lets you deploy Kubernetes clusters on:

  • On-premises bare metal
  • OpenShift
  • On-premises VMware vSphere environments
  • Public clouds including Amazon, Microsoft Azure, and Google Cloud Platform, Amazon EC2, and Microsoft Azure

TKGI provides robust management tools, including Tanzu Mission Control, which manages Kubernetes clusters on one pane of glass, whether they reside on vSphere, PKS, OpenShift, or public cloud services. Mission Control also provides policies that govern user access, resource quotas, backups, and many other aspects of a cluster, in a unified way across clouds.

TKGI comes pre-integrated with a full stack of solutions, including:

Tanzu Kubernetes Grid Integrated Edition Features

Here are some of the key features of Tanzu Kubernetes Integrated Edition (formerly Enterprise PKS).

  • High availability—supports multi-AZ replication and multi-master etcd deployments. Monitors health of all underlying virtual machines and heals VMs upon failure. It manages rolling upgrades for fleets of Kubernetes clusters with no downtime. 
  • Persistent storage—supports both stateless and stateful applications. Provides both the vSphere Cloud Provider storage plugin and standard CSI storage, supporting Persistent Volumes (PV), Persistent Volume Claims (PVC), Storage Classes and Stateful Sets. All these constructs can be used to provision vSphere storage including vSAN.
  • Kubernetes lifecycle management—provides central control over the entire lifecycle of Kubernetes clusters running on bare metal, VMware vSphere or in the public cloud.
  • Unified access management—centralized management for cluster access, letting the organization define in one place which teams can access which clusters, as an added management layer above Active Directory groups.
  • Security and configuration management—defining security and network policies at scale across multiple clusters. Allows administrators to manage policies by grouping Kubernetes clusters together in workspaces, divided according to functional teams or development stages, and applying policies to all clusters in a group at once.

Related content: read our guide to Kubernetes security best practices ›

Tanzu Kubernetes Grid Integrated Edition vs Tanzu Kubernetes Grid

Alongside TKGI, VMware also provides Tanzu Kubernetes Grid (TKG). This is a separate offering with a deeper vSphere integration, but which is less suitable for multi-cloud deployment.

The following table summarizes three flavors of the VMware Tanzu platform.

Tanzu Kubernetes Grid Integrated Edition (TKGI)Formerly named Enterprise Pivotal Container Service (PKS). Primarily focused on integration of Kubernetes, BOSH for cluster lifecycle management, NSX-T for pod networking and load balancing, Harbor as a container registry, and the Docker engine (Docker-CE). 
Comes in three editions – Basic, Standard and Advanced
Tanzu Kubernetes Grid (TKG)Formerly called Essential Pivotal Container Service (PKS). Can run as part of vSphere deployments, or on AWS using EC2 compute instances. Also supports VMware Cloud Foundation (VCF) 3.9.x.
Tanzu Kubernetes Grid Service for vSphereAlso called TKS for VMware Cloud Foundation. The only supported Kubernetes option for vSphere 7 and VCF 4. Makes it possible to manage clusters using the vSphere WebClient.

Need to secure enterprise workloads?
Aqua Cloud Native Application Protection Platform (CNAPP)
Go cloud native with the experts!
Get Demo
Aqua Security stops cloud native attacks across the application lifecycle and is the only company with a $1M Cloud Native Protection Warranty to guarantee it. As the pioneer in cloud native security, Aqua helps customers reduce risk while building the future of their businesses. The Aqua Platform is the industry's most integrated Cloud Native Application Protection Platform (CNAPP), protecting the application lifecycle from code to cloud and back. Founded in 2015, Aqua is headquartered in Boston, MA and Ramat Gan, IL with Fortune 1000 customers in over 40 countries.
Read Aqua Security reviews on G2

Use Cases

Environments

Partners

Resources

About Us

Get in Touch

Products

Get Started
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use | Cookie Settings |  
Accessibility Tools
Normal text size Medium text size Large text size
Normal display Black & White display High contrast display
Stop transitions and animations Underline Links