VMware Tanzu Mission Control (TMC) is a conformant Kubernetes lifecycle management solution that supports different functions like Cluster provisioning, backup, inspection, policy management and many more.
In this blog post, I will help you to understand about Cluster Inspection. It is one of the TMC feature that you can use either from TMC GUI or CLI or API and trigger a predefined inspection rules. As of today, TMC supports three inspection rules:
- The Conformance inspection validates the binaries running on your cluster and ensures that your cluster is properly installed, configured, and working. You can view the generated report from within Tanzu Mission Control to assess and address any issues that arise. For more information, see the Kubernetes Conformance documentation at https://github.com/cncf/k8s-conformance/tree/master/docs.
- The CIS benchmark inspection evaluates your cluster against the CIS Benchmark for Kubernetes published by the Center for Internet Security. This inspection type is available in Tanzu Mission Control only if you are using Tanzu Advanced Edition.
- The Lite inspection is a node conformance test that validates whether nodes meet requirements for Kubernetes. For more information, see Validate node setup in the Kubernetes documentation.
Pre-requirement for running an Inspection
- Cluster is onboarded (either attached or provisioned)
Steps to run a Cluster Inspection
As I mentioned above, there are multiple ways to trigger an inspection against a Kubernetes Cluster.
Running an Inspection from TMC UI
- Login to TMC console
- Click on Clusters option from the left navigation menu and click on a cluster name then click Inspections tab
- Click Run Inspection and select the inspection you want to run.
- Once you click on the inspection type, It will start the inspection and you can monitor the progress on the UI.
- Once the test is completed, you can click on the Result and it will display the test ran.
- Similarly, If i click on the Conformance test, you will see many tests was ran.
- It’s important to understand that, in case you are provisioning a cluster from TMC, it ensures that the cluster provisioned is CIS compliant and CNCF conformant. That’s really a great part of TMC and TKG together.
- In case you are looking to execute a similar test using
tmc cliyou can use the following command after tmc cli is installed and configured.
❯ tmc cluster inspection scan create --inspection-type LITE --cluster-name tkgonazure --management-cluster-name dt-tkg-on-azure --provisioner-name default i using template "default" √ scan "24707a53-9bae-4ca0-a52c-ab2a252961e0" is being created
- If you want to list the total number or inspection ran against a cluster, use the following command.
- To know more about a particular scan using
tmc cli, run the following command.
tmc cluster inspection scan get 43a6c12f-ecad-4531-a7f7-162c55712885 --cluster-name tkgonazure --management-cluster-name dt-tkg-on-azure --provisioner-name default
Here are more resources for your reference: