After upgrading vSphere Kubernetes Service (VKS) to 3.4.0, Tanzu Kubernetes Clusters (TKC) report a False status for their READY condition.
# kubectl get tkc -A
NAMESPACE             NAME         CONTROL PLANE   WORKER   READY
<VSPHERE_NAMESPACE>   <TKC_NAME>   X               X        False
When you retrieve the TKC object as YAML, an error message similar to the following appears under the TanzuKubernetesReleaseCompatible condition:
# kubectl get tkc -n <VSPHERE_NAMESPACE> <TKC_NAME> -o yaml
- type: TanzuKubernetesReleaseCompatible
  status: "False"
  lastTransitionTime: "YYYY-MM-DDThh:mm:ssZ"
  message: 'error reconciling the Cluster topology: failed to create patch helper
    for Cluster <VSPHERE_NAMESPACE>/<TKC_NAME>: server side apply dry-run failed
    for modified object: admission webhook "capi.validating.tanzukubernetescluster.run.tanzu.vmware.com"
    denied the request: spec.clusterNetwork.services.cidrBlocks intersects with
    the network range of the external ip pools in network provider''s configuration,
    spec.clusterNetwork.services.cidrBlocks intersects with the network range of
    the external ip pools LB in network provider''s configuration...'
vSphere Kubernetes Service
This is a known issue in VKS 3.4.0.
For more information, refer to the vSphere Kubernetes Service Release Notes.
Validate Cluster's Pod/Service CIDR only during Cluster creation
To support existing clusters with incorrect CIDR values, the new validations are applied only during Cluster creation.
To resolve this issue, upgrade VKS to version 3.4.2 or later, which contains the fix for this validation logic.
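To find which clusters are hitting this denial and which Service CIDRs actually collide with an external IP pool, the following added example (not VMware's code) scans the JSON form of the TKC list and tests ranges for overlap. The `status.conditions` path, the accepted pool notations (CIDR or `first-last`), the function names and the sample data are assumptions made for illustration.

```python
import ipaddress
import json

# Substring of the webhook denial quoted in the article.
MARKER = "spec.clusterNetwork.services.cidrBlocks intersects"

def affected_clusters(tkc_list_json):
    """(namespace, name) of TKCs whose release-compatible condition is False with that denial."""
    hits = []
    for item in json.loads(tkc_list_json).get("items", []):
        # Assumption: conditions are exposed under status.conditions.
        for cond in item.get("status", {}).get("conditions", []):
            if (cond.get("type") == "TanzuKubernetesReleaseCompatible"
                    and cond.get("status") == "False"
                    and MARKER in cond.get("message", "")):
                hits.append((item["metadata"]["namespace"], item["metadata"]["name"]))
    return hits

def _networks(pool):
    """Expand a pool written as a CIDR or as 'first-last' (assumed notations)."""
    if "-" in pool:
        first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(pool, strict=False)]

def overlaps(service_cidrs, external_pools):
    """(service CIDR, pool) pairs whose address ranges intersect."""
    found = []
    for cidr in service_cidrs:
        svc = ipaddress.ip_network(cidr, strict=False)
        for pool in external_pools:
            # Compare only same-family networks; overlaps() rejects mixed IPv4/IPv6.
            if any(n.version == svc.version and svc.overlaps(n) for n in _networks(pool)):
                found.append((cidr, pool))
    return found

# Constructed sample standing in for `kubectl get tkc -A -o json` output.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "ns-a", "name": "tkc-bad"},
     "status": {"conditions": [{"type": "TanzuKubernetesReleaseCompatible", "status": "False",
         "message": "... denied the request: " + MARKER + " with the network range ..."}]}},
    {"metadata": {"namespace": "ns-b", "name": "tkc-ok"},
     "status": {"conditions": [{"type": "TanzuKubernetesReleaseCompatible", "status": "True"}]}},
]})

if __name__ == "__main__":
    print(affected_clusters(SAMPLE))
    print(overlaps(["10.96.0.0/12"], ["10.100.0.0/24", "192.168.10.10-192.168.10.50"]))
```

Clusters reported by `overlaps` still carry an incorrect CIDR after the upgrade to 3.4.2; the fix only stops the validation from being applied to existing clusters.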