Guest Cluster reports "AVAILABLE: False" with admission webhook error "Could not resolve KR/OSImage" in vSphere IaaS Control Plane

Article ID: 436885

Products

VMware vSphere Kubernetes Service

Issue/Introduction

  • A vSphere Kubernetes Service (VKS) Guest Cluster reports an AVAILABLE status of False, halting cluster reconciliation and preventing lifecycle operations within the vSphere Namespace.
    When checking the cluster state via the Supervisor control plane, the Control Plane and Worker nodes may show as desired and available, but the overall AVAILABLE flag remains False:

kubectl get cluster -A

NAMESPACE       NAME          CLUSTERCLASS             AVAILABLE   CP DESIRED   CP AVAILABLE   W DESIRED   W AVAILABLE   PHASE   VERSION
testnamespace   testcluster   builtin-generic-v3.5.0   False       3            3              6           6             Ready   v1.34.1+vmware.1

  • Attempting to manually trigger a force-reconcile results in a Forbidden rejection from the Tanzu admission webhook:

Error from server (Forbidden): admission webhook "tkr-resolver-cluster-webhook.tanzu.vmware.com" denied the request: Could not resolve KR/OSImage
Missing compatible KR/OSImage for the cluster
Control Plane, filters: {k8sVersionPrefix: v1.34.1+vmware.1, osImageSelector: content-library=<LIBRARY_ID>,os-name=ubuntu,os-version=24.04}

  • The Supervisor log indicates that the explicitly defined Content Library is out of sync (inSync: false):

debug wcp [workload/controller.go:1580] [opID=<ID>] ContentLibraries [inSync: false] [desired content libraries: [{<UUID> ...}]] [current content libraries: []]

Environment

  • VMware vSphere IaaS Control Plane (formerly vSphere with Tanzu)
  • vSphere Kubernetes Service (VKS) Guest Clusters
  • Tanzu Kubernetes Releases (TKr)

Cause

This issue occurs when the Guest Cluster's deployment configuration contains a rigid osImageSelector annotation that hardcodes the OS image resolution to a specific vCenter Content Library UUID (e.g., content-library=cl-#######).

If that specific Content Library encounters a synchronization failure or is otherwise unable to present the required underlying OVA template (such as Ubuntu 24.04), the Tanzu Kubernetes Release (TKr) resolver webhook is unable to pivot to alternative library sources. Because the webhook cannot satisfy the strict osImageSelector constraint, it safely denies the reconciliation request to prevent provisioning errors.

Resolution

To resolve this issue, the strict Content Library constraint must be removed from the Guest Cluster's annotations, allowing the TKr resolver to dynamically locate a compatible, synchronized image associated with the vSphere Namespace.

Procedure:

1. Log in to the Supervisor Cluster as an administrator.

2. Edit the annotations of the affected Guest Cluster:

    kubectl edit cluster <CLUSTER_NAME> -n <NAMESPACE>

3. Locate the osImageSelector annotation. Remove the specific content-library=<ID> constraint, leaving only the generalized OS filters.

Change from: osImageSelector: content-library=cl-######,os-name=ubuntu,os-version=24.04
Change to: osImageSelector: "os-name=ubuntu,os-version=24.04"

4. Save and exit the editor.

5. Verify the cluster state transitions back to healthy:

   kubectl get cluster -n <NAMESPACE>

   The AVAILABLE column should now report True.
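
To find every cluster that carries the same pinned selector before it blocks reconciliation, the following added example (not part of the original article or of VMware's tooling) scans JSON shaped like the output of `kubectl get cluster -A -o json` for annotation values containing a content-library term and prints the selector that would remain after step 3. The sample document, the library ID cl-0000 and the annotation key used in it are constructed assumptions; the script matches on the selector value, not on the key name.

```python
import json

# Constructed sample shaped like `kubectl get cluster -A -o json`; the
# annotation key is an assumption, the selector mirrors the article.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "testnamespace", "name": "testcluster"},
     "spec": {"topology": {"controlPlane": {"metadata": {"annotations": {
         "run.tanzu.vmware.com/resolve-os-image":
             "content-library=cl-0000,os-name=ubuntu,os-version=24.04"}}}}}},
    {"metadata": {"namespace": "testnamespace", "name": "unpinned"},
     "spec": {"topology": {"controlPlane": {"metadata": {"annotations": {
         "run.tanzu.vmware.com/resolve-os-image":
             "os-name=ubuntu,os-version=24.04"}}}}}},
]})

def split_selector(value):
    """Split 'k=v,k=v' into (pinned library terms, remaining terms)."""
    terms = [t.strip() for t in str(value).split(",") if t.strip()]
    pinned = [t for t in terms if t.split("=", 1)[0].strip() == "content-library"]
    kept = [t for t in terms if t not in pinned]
    return pinned, kept

def walk_annotations(node, path=""):
    """Yield (path, key, value) for every entry of every 'annotations' map."""
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}" if path else k
            if k == "annotations" and isinstance(v, dict):
                for ak, av in v.items():
                    yield here, ak, av
            else:
                yield from walk_annotations(v, here)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk_annotations(v, f"{path}[{i}]")

def find_pinned(doc):
    """Return one finding per annotation that pins a content library."""
    findings = []
    for item in json.loads(doc).get("items", []):
        meta = item.get("metadata", {})
        for path, key, value in walk_annotations(item):
            pinned, kept = split_selector(value)
            if pinned:
                findings.append({"cluster": f"{meta.get('namespace')}/{meta.get('name')}",
                    "path": path, "key": key, "pinned": pinned, "proposed": ",".join(kept)})
    return findings

if __name__ == "__main__":
    for f in find_pinned(SAMPLE):
        print(f)
```

To run it against a live Supervisor, pass the real `kubectl get cluster -A -o json` output to `find_pinned` in place of `SAMPLE`.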

Additional Information

For further details regarding the requirements for OS image resolution and Content Library synchronization in TKG clusters, please reference KB 314444.