Compliance Scanner for VMware Tanzu is not compatible with NSX-T Dedicated Tier-1 Topology
search cancel

Compliance Scanner for VMware Tanzu is not compatible with NSX-T Dedicated Tier-1 Topology

book

Article ID: 298709

calendar_today

Updated On:

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Environment

Product Version: 1.15

Resolution

Checklist:

Currently Compliance Scanner for VMware Tanzu doesn't support NSX-T Dedicated Tier-1 Topology. Compliance Scanner checks if source IPs match the those master&worker nodes VM IPs, if they don't match, the report will be rejected. Usually this is caused by NAT IP translation. 

...
2022/11/25 12:18:24 Received worker-a1a95c88-6903-4795-9dcc-fe761e168640.tgz from 10.1.11.92:12015
2022/11/25 12:18:24 Was not expecting a response from 10.1.11.92...ignoring
2022/11/25 12:18:24 Received worker-814c1c86-66cf-42e3-a01f-b11f950e74a8.tgz from 10.1.11.151:37539
2022/11/25 12:18:24 Was not expecting a response from 10.1.11.151...ignoring
...

 





In case of NSX-T Dedicated Tier-1 Topology, NAT translated IPs are added and original IPs are hidden. In BOSH task logs or Compliance Scanner job logs, scan reports from cluster VMs (master or work) are being ignored. Compliance Scanner expects VM original IPs, but those 10.1.11.*** IPs in below example are NAT translated IPs.

For details, please check article - Shared and Dedicated Tier-1 Router Topologies. Shared Tier-1 topology is the default, thus Compliance Scanner functions well with the default network profile, if specify Dedicated Tier-1 topology for Tanzu Kubernetes Grid Integrated Edition clusters by configuring single_tier_topology to false, translated IPs will be added when cluster VMs reach out to infra&management network via NAT.

As the result, Compliance Scanner can only see the translated IPs other than cluster VMs original IPs.  In order to use Compliance Scanner features in NSX-T environment, Shared Tier-1 topology is recommended. 

In addition, if Compliance Scanner tile is in different network from TKGI management network, Compliance Scanner tile network should be added to infrastructure_networks with network profile. Because only TKGI management network is added to infrastructure_networks by default.