VMware Tanzu Introduction

  1. Confidential │ ©2020 VMware, Inc. VMware Tanzu Introduction
     - Jig Sheth, VMware Tanzu Systems Engineer
     - Bob Bauer, VMware Tanzu Systems Engineer
     - John Grosshandler, VMware Tanzu Specialist
     - May 21, 2020
  3. Agenda:
     - 10:00-10:05 Introduction
     - 10:05-10:15 VMware “Tanzu” Overview
     - 10:15-10:50 vSphere 7 with Built-In Kubernetes
     - 10:50-11:15 Centralized Kubernetes Management
     - 11:15-11:30 Q&A
  4. Context:
     - VMware’s Tanzu Modern Application Platform Business Unit includes Pivotal, Heptio, Wavefront and Bitnami acquisitions
     - VMware now employs 2 of the 3 Kubernetes Co-Founders and is the 2nd leading contributor to Kubernetes, behind only Google
     - Tanzu is VMware’s #1 priority going forward
     - Jig and John are the Tanzu team working with each of the companies on this call; email us for 1 on 1 follow-up conversations: jgrosshandler@vmware.com, jsheth@vmware.com
  5. Housekeeping:
     - Grubhub gift cards worth $50 will be awarded to each of 4 winners who correctly answer the pop quizzes within the group chat window (for customers only; max of one gift card per attendee)
     - All customer attendees will get Tanzu T-Shirts
     - We are recording this
     - Folks are muted, so post questions in the group chat
  6. Grubhub $50 Quiz Question #1: How many of the original 3 Co-Founders of Kubernetes now work for VMware?
  7. Tanzu Overview
  8. VMware Tanzu portfolio: build, run and manage modern applications (04/06/20)
     - Get great software into production faster
     - Diagram labels: BUILD; RUN; MANAGE; Spring; Other Frameworks (.NET, etc.); Tanzu Application Service; Tanzu Build Service (beta); Tanzu Application Catalog; Tanzu Data Services; Tanzu Kubernetes Grid; VCF; VMC; Public Cloud; Edge; Tanzu Mission Control; Tanzu Observability by Wavefront; Tanzu Service Mesh built on VMware NSX®; VMware Pivotal Labs Services
  9. VMware Tanzu portfolio: build, run and manage modern applications (04/06/20)
     - Get great software into production faster
     - Unified platform: Run legacy apps and cloud native apps on ONE platform that extends to any cloud
     - Multi-cluster management: Operate 1000s of clusters as easily as you would 10s of clusters
     - Path to production: Get code to production 10x faster
     - Diagram labels: BUILD; RUN; MANAGE
  10. Container Centric SDLC - Tanzu Products
  11. Grubhub $50 Quiz Question #2: Which Tanzu product provides centrally managed and secure Kubernetes infrastructure and visibility to your modern apps across teams and clouds?
  12. vSphere 7 with Built-In Kubernetes
  13. Tanzu Kubernetes Grid: Ubiquitous runtime built on open source technologies and deployed across clouds
      - Simplified installation
      - Automated multi-cluster ops
      - Integrated platform services
      - Diagram label: vSphere 7
  14. vSphere 7 - User Experience: Separation of responsibility
      - The developer is responsible for managing the lifecycle of their Kubernetes clusters.
      - The IT Operator is responsible for managing the lifecycle of the supervisor cluster.
      - These components should be independently upgradeable.
      - Diagram labels: Developer; IT Operator; vSphere Supervisor Kubernetes Cluster; vCenter; ESXi Cluster; Networking; Storage; Kubernetes cluster; Virtual machines; Native pods; App
  15. Using Kubernetes to manage workloads!

      ```yaml
      kind: VirtualMachine
      apiVersion: vms.vmware.com/v1
      metadata:
        name: COTSapp
      spec:
        className: large
        imageName: my-app.ova
        powerState: poweredOn
        policy:
          restartPolicy: OnFailure
      ---
      kind: HanaDatabase
      apiVersion: hana.sap.com/v1
      metadata:
        name: ERP database
      spec:
        nodes: 3
        class: extra-large
      ---
      kind: KubernetesCluster
      apiVersion: vks.vmware.com/v1
      metadata:
        name: My Application
      spec:
        topology:
          workers:
            count: 3
            class: small
        distribution: v1.15.1
      ---
      kind: Pod
      apiVersion: v1
      metadata:
        name: Function 1
      spec:
        containers:
          - name: func1
            image: func1
            ports:
              - containerPort: 80
      ```

      - Diagram labels: VM (App, Database); Kubernetes Cluster (Control Plane, Nodes); Native Pods (Function 1, Function 2); k8s Native Applications
  16. Namespaces as the unit of management
      - Security
        - Encrypt all persistent data
        - Disallow all ports but 443
        - Audit developer changes
      - Availability
        - Failures to tolerate: 2
        - Disaster recovery site: us-east
        - Hourly snapshots to backup
      - Access controls
        - Users in group app-admin: Write
        - Users in group ops: Read Only
        - Disallow MySQL
      - Quality of Service
        - Priority: High
        - Reserved vCPUs: 128
        - Reserved Memory: 1 TB
      - Diagram labels: Namespace; VM (App, Database); Kubernetes Cluster (Control Plane, Nodes); Native Pods (Function 1, Function 2); k8s Native Applications
  17. Enable Kubernetes in vSphere with Supervisor Clusters
      - Diagram labels: VI Admin; vCenter; vSphere Cluster; ESXi hosts (hostd); VMs
  18. Enable Kubernetes in vSphere with Supervisor clusters
      - Diagram labels: VI Admin; vCenter; ESXi Cluster; ESXi hosts (hostd); VMs; vCenter Namespaces REST API; Token Exchange Service; Workload Platform Service; SAML => JWT; Supervisor Control Plane Image; Spherelet Bundle; K8s Client Bindings
  19. Enable Kubernetes in vSphere with Supervisor clusters
      - Diagram labels: DevOps; VI Admin; vCenter; vSphere Cluster; ESXi hosts (hostd, Spherelet); K8s Control Plane VM
  20. Enable Kubernetes in vSphere with Supervisor clusters

      ```
      $ kubectl vsphere login --server 10.0.13.37 --username markj --password iHeartK8s
      ```

      - Diagram labels: DevOps; VI Admin; vCenter; ESXi Cluster; ESXi hosts (hostd, Spherelet); Supervisor K8s Control Plane VM; Login API; api-server; Authenticating Proxy; etcd; Token Exchange Service Public Key; kube-sched; Scheduler Extension; NSX Container Plug-in (CNI); Cloud Native Storage (CSI); Management vNIC; NSX Cluster vNIC
  21. Enable Kubernetes in vSphere with Supervisor Clusters
      - Diagram labels: DevOps; VI Admin; vCenter; vSphere Cluster; ESXi hosts (hostd, Spherelet); K8s Master VM; VMs; Pods; CRX
  22. Supervisor Cluster with Cluster API: Enabling Workloads - Tanzu Kubernetes Clusters
      - Diagram labels: vSphere 7; Namespace; Supervisor Cluster; Cluster API Controllers; Infrastructure Provider; Bootstrap Provider; Machine Spec; Infrastructure Config; Bootstrap Config; Cluster Spec; Cluster Config; Tanzu Kubernetes Cluster; K8s Master; K8s Workers; kubeadm; VMs
  23. User Experience: Deploy a Kubernetes Cluster Declaratively
      - Simple Tanzu Kubernetes Cluster YAML Spec
      - Manage Full Cluster LCM via spec: Create, Scale Out, Upgrade, Delete
      - Diagram label: Developer

      ```yaml
      apiVersion: run.tanzu.vmware.com/v1alpha1
      kind: TanzuKubernetesCluster
      metadata:
        name: test-cluster
        namespace: demo-app-01
      spec:
        topology:
          controlPlane:
            class: guaranteed-medium
            storageClass: gold
          workers:
            count: 2
            class: guaranteed-xsmall
            storageClass: silver
        distribution:
          version: v1.16.8
        settings:
          storage:
            classes: [silver, bronze]
          network:
            nameservers: ["203.0.113.1", "203.0.113.2"]
      ```
  24. Grubhub $50 Quiz Question #3: vSphere 7 with Kubernetes allows you to do the following:
      - A) Run either virtual machines or Kubernetes clusters on the same vSphere cluster
      - B) Run both virtual machine and Kubernetes clusters on the same vSphere cluster
      - C) Run virtual machines, vSphere pods and Kubernetes clusters on the same vSphere cluster
      - D) Run only virtual machines
  25. Tanzu Mission Control
  26. VMware Tanzu Mission Control allows customers to attach any Kubernetes cluster for a single point of control
      - Independence: Give developers self-service access to the right resources
      - Visibility: Centrally observe and monitor health across all of your clusters
      - Control: Manage security, configuration, and cost at enterprise scale
      - Diagram labels: Multi-cloud; Multi-cluster; Multi-team; VMware Tanzu MANAGE; Multi-Cluster and Multi-Team Management
  27. Managing Islands of Multiple Clusters
      - Tanzu Mission Control: Unified [IAM, Lifecycle, Policy, Operational Visibility, Compliance]
      - Map Enterprise Identity to Kubernetes RBAC across Clusters
      - Define Policies once and push them across Clusters
      - Manage Cluster lifecycle consistently
      - Unified views of Cluster metrics, logs, data
      - Cross Cluster-Cloud Data Protection
      - Automated policy controlled cross cluster traffic
      - Monitor Kubernetes costs across Clusters
      - Diagram labels: Google Kubernetes Engine; VMware vSphere; Microsoft Azure; Amazon Web Services; Security; IAM; $$$
  28. Tanzu Mission Control Architecture
      - Each customer has access to:
        - Comprehensive Policy Framework
        - Resource Hierarchy to apply uniform Policies
        - Provision and Manage Lifecycle of K8s Clusters
        - Bring in existing Clusters for better control
      - Policy Framework: IAM; Security; Audit & Compliance; Data Protection; Health Monitoring
      - Resource Hierarchy: Organizations; Cluster Groups; Workspaces
      - Diagram labels: Customer A; Customer B; Customer Z; Tanzu Mission Control; VMware Cloud Service; Lifecycle Management (New Clusters); Managed Clusters (Existing Clusters); Google Kubernetes Engine; VMware PKS; Azure Kubernetes Service (AKS); Amazon EKS; Any K8s
  29. Tanzu Mission Control Demo
  30. Tanzu Mission Control Resource Hierarchy
      - Each customer gets mapped to an Organization
      - Multiple Cluster Groups
        - Group various Clusters together
        - Apply policies across multiple Clusters
      - Multiple Workspaces
        - Group Namespaces from various Clusters
      - Cascading Resource Hierarchy
        - Policies flow from root to Nodes
        - Direct Policy overwrites Inherited policy
      - Diagram labels: Organization; Cluster Groups; Workspaces; Cluster; Namespaces; ns
  31. Global Policy and Quota
      - Separate logical Groups for Infrastructure and Application Teams
      - Allows easier handoff and transition between teams
      - Avoid Ticket based approach
      - Diagram labels: Platform Operators; Application Operators; Tanzu Mission Control; Cluster Groups; Workspaces; Cluster; Namespaces; ns
  32. Tanzu Kubernetes Grid + Tanzu Mission Control
      - TKG CLI Capabilities
        - Use TKG CLI to create TKG Management and TKG Workload Clusters ON supported infrastructure
        - Optionally Use TKG CLI to provision TKG Workload Clusters to vSphere
      - User Operated ON AWS: TKG Management Cluster, TKG Workload Clusters
      - User Operated ON vSphere 6.7U3 or 7.0: TKG Management Cluster, TKG Workload Clusters
      - User Operated IN vSphere 7.0: TKG Management Cluster (Supervisor Cluster), TKG Workload Clusters
      - SRE Managed As A Service: Tanzu Mission Control
        - TMC is the Management Cluster and deploys TKG Workload Clusters
        - Attach TKG Management and TKG Workload clusters to TMC for global view
      - Diagram labels: Local Shared Services; TKG CLI/UI
  33. Grubhub $50 Quiz Question #4: How does Tanzu Mission Control strengthen security & compliance for all of your Kubernetes clusters infrastructure?
      - A) By allowing operators to consistently apply security policies across environments, both on prem and off
      - B) Allows regular and efficient inspection of all clusters for potential security risks
      - C) Enables developers to create one-off configurations
      - D) A&B
      - E) All of the above
  34. Next Steps:
      1) Tanzu portfolio: https://tanzu.vmware.com/
      2) vSphere 7 with Built-In Kubernetes: https://bit.ly/2ANme4u
      3) Tanzu Mission Control: https://tanzu.vmware.com/mission-control
      4) Forward this recording
      5) Reach out to us: jgrosshandler@vmware.com, jsheth@vmware.com
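
Slide 16's namespace controls ("Disallow all ports but 443", app-admin: Write, ops: Read Only) written as standard Kubernetes NetworkPolicy and RoleBinding objects. This is an added example, not part of the original deck and not how vSphere with Kubernetes stores namespace settings; it assumes the `demo-app-01` namespace from slide 23, reads the port rule as ingress-only, and maps Write / Read Only to the built-in `edit` / `view` ClusterRoles.

```yaml
# Added example. Namespace name reused from slide 23 (assumption).
# "Disallow all ports but 443", read here as an ingress rule (assumption):
# selecting every pod and listing one port denies all other inbound traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-443-only
  namespace: demo-app-01
spec:
  podSelector: {}            # empty selector = every pod in the namespace
  policyTypes: [Ingress]
  ingress:
    - ports:
        - protocol: TCP
          port: 443          # no "from" clause: any source, this port only
---
# "Users in group app-admin: Write" mapped to the built-in edit role (assumption).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-admin-write
  namespace: demo-app-01
subjects:
  - kind: Group
    name: app-admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                 # read/write on workloads, cannot change RBAC
  apiGroup: rbac.authorization.k8s.io
---
# "Users in group ops: Read Only" mapped to the built-in view role (assumption).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ops-read-only
  namespace: demo-app-01
subjects:
  - kind: Group
    name: ops
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view                 # read-only, excludes Secrets
  apiGroup: rbac.authorization.k8s.io
```

The NetworkPolicy only takes effect when the cluster's CNI plug-in enforces NetworkPolicy, and because the RoleBindings are namespaced, neither group gains access outside `demo-app-01`.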