
What is Tanzu Kubernetes Grid Cluster?
A TKG cluster is VMware's opinionated, production-ready Kubernetes cluster that can run across hybrid multicloud environments.
Read more detail here:
https://tanzu.vmware.com/kubernetes-grid
What is Tanzu Service Mesh?
VMware Tanzu Service Mesh is a service mesh solution from VMware that provides consistent control and security for microservices running across multicloud environments. Currently, Tanzu Service Mesh is offered as a service from VMware.
Read more detail here:
https://tanzu.vmware.com/kubernetes-grid
TKG Cluster on-boarding Pre-requirements
Technical Pre-requirements
To on-board a TKG cluster on TSM, several requirements must be met, e.g. TKG version, resource availability on worker nodes, and network connectivity. These requirements are well documented at the link below.
https://tanzu.vmware.com/kubernetes-grid
Access Requirement
Tanzu Service Mesh is offered as a service from VMware, and your access to it can be validated from the VMware Cloud Service portal. Follow the steps below:
1. Log in to https://console.cloud.vmware.com/
2. On the My Services page, you will find Tanzu Service Mesh listed.
On-boarding TKG Cluster on Tanzu Service Mesh Steps
1. Click on the VMware Tanzu Service Mesh tile shown under My Services on the VMware Cloud Service portal. This will redirect you to the Tanzu Service Mesh portal.
Note: If you see 400 Bad Request, try opening in Incognito Window.

2. Once it opens, you will see a portal like the one below.

In my case, there are no clusters on-boarded yet. Let's start TKG cluster on-boarding.
3. Click on ADD NEW in the left corner. It will give you different options. Click on Onboard New Cluster.

4. Enter the cluster name and click on the "GENERATE SECURITY TOKEN" button.

Note: The cluster name provided here need not be the same as the TKG cluster name.
5. After you click the Generate Security Token button, the next step is highlighted with the token filled in.

6. Copy both and apply them on your TKG cluster.
$ kubectl apply -f <copy above link>
namespace/vmware-system-tsm created
customresourcedefinition.apiextensions.k8s.io/tsmclusters.tsm.vmware.com unchanged
customresourcedefinition.apiextensions.k8s.io/clusterhealths.client.cluster.tsm.tanzu.vmware.com configured
configmap/tsm-agent-operator created
serviceaccount/operator--srv-acnt created
clusterrolebinding.rbac.authorization.k8s.io/operator-cluster-admin-rb configured
deployment.apps/tsm-agent-operator created
serviceaccount/operator-ecr-read-only--service-account created
secret/operator-ecr-read-only--aws-credentials created
role.rbac.authorization.k8s.io/operator-ecr-read-only--role created
rolebinding.rbac.authorization.k8s.io/operator-ecr-read-only--role-binding created
cronjob.batch/operator-ecr-read-only--renew-token created
job.batch/operator-ecr-read-only--renew-token created
$ kubectl -n vmware-system-tsm create secret generic cluster-token --from-literal=token=<token removed>
secret/cluster-token created
7. In a few seconds, you will notice that the next step, installing Tanzu Service Mesh, is highlighted.

Before we install, let's see what changes have already been made on the TKG cluster. You will see that the vmware-system-tsm namespace has been created, along with a few resources inside it, as shown below (k is a shell alias for kubectl).
$ k get ns
NAME STATUS AGE
adminspace Active 7d17h
cert-manager Active 16d
controller-my-tkg-controller Active 7d18h
default Active 54d
kube-node-lease Active 54d
kube-public Active 54d
kube-system Active 54d
tanzu-system-ingress Active 54d
tkg-system Active 54d
vmware-system-auth Active 54d
vmware-system-cloud-provider Active 54d
vmware-system-csi Active 54d
vmware-system-tsm Active 2m30s
$ k get all -n vmware-system-tsm
NAME READY STATUS RESTARTS AGE
pod/allspark-ws-proxy-84f46b6c7b-h9hv7 1/1 Running 0 2m15s
pod/k8s-cluster-manager-7f65f4597c-jpxpq 1/1 Running 0 2m15s
pod/operator-ecr-read-only--renew-token-2qb5h 0/1 Completed 0 2m36s
pod/tsm-agent-operator-84459cfdb8-r6qqh 1/1 Running 0 2m36s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/k8s-cluster-manager ClusterIP 10.106.18.113 <none> 40041/TCP 2m15s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/allspark-ws-proxy 1/1 1 1 2m15s
deployment.apps/k8s-cluster-manager 1/1 1 1 2m15s
deployment.apps/tsm-agent-operator 1/1 1 1 2m36s
NAME DESIRED CURRENT READY AGE
replicaset.apps/allspark-ws-proxy-84f46b6c7b 1 1 1 2m15s
replicaset.apps/k8s-cluster-manager-7f65f4597c 1 1 1 2m15s
replicaset.apps/tsm-agent-operator-84459cfdb8 1 1 1 2m36s
NAME COMPLETIONS DURATION AGE
job.batch/operator-ecr-read-only--renew-token 1/1 2s 2m36s
NAME SCHEDULE SUSPEND ACTIVE LAST SCHEDULE AGE
cronjob.batch/operator-ecr-read-only--renew-token 0 */8 * * * False 0 <none> 2m36s
8. If you need to exclude specific namespaces, select them, and then click on the Install Tanzu Service Mesh button.

9. Let's look at the changes in the TKG cluster.
List the namespaces and you will see that a new namespace, istio-system, has been created. List the pods being created inside this namespace too.
istio-system Active 13s
$ k get po -n istio-system
NAME READY STATUS RESTARTS AGE
allspark-telegraf-node-pjh2j 1/1 Running 0 7m40s
allspark-telegraf-node-s6fxt 1/1 Running 0 7m40s
allspark-telegraf-node-xszpj 1/1 Running 0 7m40s
istio-egressgateway-544d8dd96b-k4q9k 1/1 Running 0 9m10s
istio-egressgateway-544d8dd96b-qjlj8 1/1 Running 0 9m10s
istio-ingressgateway-55678bc575-b6v84 1/1 Running 0 9m10s
istio-ingressgateway-55678bc575-vnqdt 1/1 Running 0 9m10s
istio-telemetry-d564c59df-f97gh 2/2 Running 0 9m8s
istio-telemetry-d564c59df-vpqlv 2/2 Running 0 9m8s
istiocoredns-599c554d55-6zd77 2/2 Running 0 9m10s
istiocoredns-599c554d55-r77c6 2/2 Running 0 9m10s
istiod-bb6f7548-fw4fn 1/1 Running 0 9m27s
istiod-bb6f7548-vs9f9 1/1 Running 0 9m27s
10. Wait a while; the above step takes around 3–4 minutes. Keep watching the resource deployment under the istio-system namespace.
11. After a few minutes, you will see that the cluster onboarding is successful.

12. Click on the EXIT TO CONSOLE button. You will see that the newly onboarded cluster is listed.

So, our TKG cluster is onboarded successfully. In the next post, I will talk about different concepts of TSM, e.g. Global Namespace, SLO etc., and how to use them.
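To review what the manifest applied in step 6 changed on the cluster, the following added example (not part of the original post and not VMware tooling) reads kubectl apply output and flags the object kinds that deserve a look. The function names and the choice of flagged kinds are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag the security-relevant objects in `kubectl apply` output.
# Each input line has the form "<kind>[.<api-group>]/<name> <action>".

review_apply_output() {
  awk '{
    split($1, parts, "/")                    # parts[1]=kind.group, parts[2]=name
    kind = parts[1]; sub(/\..*/, "", kind)   # drop the API group suffix
    reason = ""
    if (kind == "clusterrolebinding" || kind == "clusterrole")
      reason = "cluster-wide RBAC, inspect roleRef and subjects"
    else if (kind == "secret")
      reason = "stored credential, check who can read it"
    else if (kind == "customresourcedefinition")
      reason = "extends the API for every namespace"
    else if (kind == "cronjob")
      reason = "recurring workload, check its service account"
    if (reason == "") next
    # "configured" means an object that already existed was modified.
    if ($2 == "configured") reason = reason "; pre-existing object was changed"
    printf "%s/%s: %s\n", kind, parts[2], reason
  }'
}

# Constructed sample: the apply output shown in step 6 of this page.
sample_apply_output() {
  cat <<'EOF'
namespace/vmware-system-tsm created
customresourcedefinition.apiextensions.k8s.io/tsmclusters.tsm.vmware.com unchanged
customresourcedefinition.apiextensions.k8s.io/clusterhealths.client.cluster.tsm.tanzu.vmware.com configured
configmap/tsm-agent-operator created
serviceaccount/operator--srv-acnt created
clusterrolebinding.rbac.authorization.k8s.io/operator-cluster-admin-rb configured
deployment.apps/tsm-agent-operator created
serviceaccount/operator-ecr-read-only--service-account created
secret/operator-ecr-read-only--aws-credentials created
role.rbac.authorization.k8s.io/operator-ecr-read-only--role created
rolebinding.rbac.authorization.k8s.io/operator-ecr-read-only--role-binding created
cronjob.batch/operator-ecr-read-only--renew-token created
job.batch/operator-ecr-read-only--renew-token created
EOF
}

sample_apply_output | review_apply_output
```

On a live cluster, pipe the real output of the step 6 kubectl apply command into review_apply_output, then inspect a flagged object with, for example, kubectl get clusterrolebinding operator-cluster-admin-rb -o yaml.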
Resources
I found this video very helpful, watch it once.
Refer to the VMware documentation for more detail.