How to make a tkgi cluster have privileged mode enabled when created from a non privileged plan

Article ID: 412831

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

We have several clusters that were created with a plan that has privileged mode disabled. We would like to enable privileged mode on these existing clusters and make the setting permanent.

Environment

TKGi 1.2x

Cause

When a cluster is created from a plan where privileged mode is disabled, the cluster is created without this option, and pods that require privileged mode are rejected by the kube-apiserver.

If the plan is updated, all new clusters created after the plan update will have this feature enabled, but previously created clusters keep the option disabled.

Resolution

To enable the mode on an existing cluster, a Kubernetes profile (k8s-profile) has to be created following: https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-kubernetes-grid-integrated-edition/1-22/tkgi/k8s-profiles.html

Here is an example:

cat k8s-profiles.json  
{  
    "name": "privileged-enabled",  
    "description": "enabled privileged mode on kube-api service",  
    "customizations": [  
        {  
            "component": "kube-apiserver",  
            "arguments": {  
                "allow-privileged": "true"  
            }  
        }  
    ]
}

Create the profile and apply it to a cluster:

tkgi create-k8s-profile k8s-profiles.json

Kubernetes profile privileged-enabled successfully created

tkgi update-cluster NAME --kubernetes-profile privileged-enabled

Update summary for cluster NAME:
Kubernetes Profile Name: privileged-enabled
Are you sure you want to continue? (y/n): y
Use 'pks cluster NAME' to monitor the state of your cluster

tkgi cluster NAME

PKS Version:              1.22.2-build.14
Name:                     NAME
K8s Version:              1.31.9
Plan Name:                small
UUID:                     12dfc3ba-xxxx-xxxx-xxxx-65d57442644c
Last Action:              UPDATE
Last Action State:        in progress
Last Action Description:  Instance update in progress
Kubernetes Master Host:   NAME.example.com
Kubernetes Master Port:   8443
Worker Nodes:             1
Kubernetes Master IP(s):  10.xxx.xxx.8
Network Profile Name:
Kubernetes Profile Name:  privileged-enabled
Compute Profile Name:
NSX Policy:               false
Private Registries:       false
Tags:

 

Additional Information

The change is permanent for clusters where the profile is applied. It can be disabled by creating a new profile with "allow-privileged": "false" and updating the clusters with the new profile.
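
Once the profile is applied, the kube-apiserver no longer rejects pods that request privileged mode, so it is useful to check which workloads actually use it. The following is an added example, not part of the original article or of TKGI: a Python script that lists privileged containers from the output of `kubectl get pods -A -o json`. The function names, the optional file argument and the embedded sample data are assumptions made for illustration.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pods -A -o json` (not from a real cluster).
SAMPLE = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "node-agent-x1"},
     "spec": {"initContainers": [{"name": "sysctl",
                                  "securityContext": {"privileged": True}}],
              "containers": [{"name": "agent",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "apps", "name": "web-7d9"},
     "spec": {"containers": [{"name": "nginx",
                              "securityContext": {"privileged": False}},
                             {"name": "sidecar"}]}},  # no securityContext at all
    {"metadata": {"namespace": "apps", "name": "debug-tool"},
     "spec": {"containers": [{"name": "shell",
                              "securityContext": {"privileged": True}}]}},
]}

# "privileged" is a container-level setting, so every container list is checked.
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")

def privileged_containers(pod_list):
    """Return sorted (namespace, pod, container) tuples that set privileged: true."""
    found = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for field in CONTAINER_FIELDS:
            for container in spec.get(field) or []:
                ctx = container.get("securityContext") or {}
                if ctx.get("privileged") is True:
                    found.append((meta.get("namespace", "default"),
                                  meta.get("name", "?"),
                                  container.get("name", "?")))
    return sorted(found)

def by_namespace(findings):
    """Group findings as {namespace: ["pod/container", ...]} for review."""
    summary = {}
    for namespace, pod, container in findings:
        summary.setdefault(namespace, []).append(f"{pod}/{container}")
    return summary

if __name__ == "__main__":
    # Pass a saved JSON file as the first argument; without one the sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for namespace, entries in by_namespace(privileged_containers(data)).items():
        print(f"{namespace}: {', '.join(entries)}")
```

Running it before and after the cluster update shows which namespaces start using privileged containers once the profile is in place.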