Manually remove stale Tanzu Mission Control SaaS components from TKGS or VKS Clusters
search cancel

Manually remove stale Tanzu Mission Control SaaS components from TKGS or VKS Clusters

book

Article ID: 439007

calendar_today

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

This article provides a manual procedure to remove orphaned Tanzu Mission Control (TMC) SaaS components from TKGS or VKS clusters for environments where:

  • The cluster was previously registered to the Tanzu Mission Control (TMC) SaaS platform (currently decommissioned).
  • Standard de-registration via the SaaS console is no longer functional or accessible.
  • Residual agent extensions and namespaces must be manually removed to resolve configuration conflicts or allow for re-registration to a new management plane.

Cause

This behavior is expected when a management platform is retired. Since the Tanzu Mission Control (TMC) SaaS console is decommissioned and unreachable, the automated unregistration workflows do not initiate the removal of local cluster components cannot be initiated.

Consequently, the TMC agent extensions, Custom Resource Definitions (CRDs), and the vmware-system-tmc namespace remains on the workload cluster as orphaned resources. These local artifacts must be manually purged to ensure the cluster is in a clean state for any future management operations.

Resolution

Phase 1: Clean up Supervisor Metadata

  1. Log in to the Supervisor Cluster context
  2. Identify the TKGS or VKS cluster and check for TMC-specific annotations:
    kubectl get cluster <cluster_name> -n <example_namespace> -o yaml

    The cluster may contain these annotations:
    "run.tanzu.vmware.com/agent-uid"
"run.tanzu.vmware.com/vmware-system-tmc-cluster-group"
"run.tanzu.vmware.com/vmware-system-tmc-applied"
"run.tanzu.vmware.com/vmware-system-tmc-managed"
"run.tanzu.vmware.com/tmc-already-attached"
"run.tanzu.vmware.com/proxy-name"
"run.tanzu.vmware.com/image-registry"
"run.tanzu.vmware.com/auto-scaling"
"run.tanzu.vmware.com/auto-scaler-status"
"run.tanzu.vmware.com/kcp-status"
"run.tanzu.vmware.com/nodepool-status"

     

  3. Remove an annotation: 
    kubectl patch cluster <cluster_name> --type=merge -p '{"metadata":{"annotations":{"run.tanzu.vmware.com/agent-uid":null}}}'

    OR

    Remove all annotations listed in Step 2: 
    kubectl patch cluster <cluster_name> -n <example_namespace> --type=merge -p '{"metadata":{"annotations":{"run.tanzu.vmware.com/agent-uid":null,"run.tanzu.vmware.com/vmware-system-tmc-cluster-group":null,"run.tanzu.vmware.com/vmware-system-tmc-applied":null,"run.tanzu.vmware.com/vmware-system-tmc-managed":null}}}'

Phase 2: Cleanup up TKGS or VKS Cluster resources

  1. Switch context to the affected TKGS or VKS cluster.
  2. Delete TMC CRDs:
    kubectl delete crd extensions.clusters.tmc.cloud.vmware.com
    kubectl delete crd agents.clusters.tmc.cloud.vmware.com
    kubectl delete crd extensionresourceowners.clusters.tmc.cloud.vmware.com
    kubectl delete crd extensionintegrations.clusters.tmc.cloud.vmware.com
    kubectl delete crd extensionconfigs.intents.tmc.cloud.vmware.com

  3. Delete Cluster-Scoped RBAC & Security Policies:
    kubectl delete clusterrole extension-updater-clusterrole extension-manager-role agent-updater-role vmware-system-tmc-psp-agent-restricted
    kubectl delete clusterrolebinding extension-updater-clusterrolebinding extension-manager-rolebinding agent-updater-rolebinding vmware-system-tmc-psp-agent-restricted
    kubectl delete psp vmware-system-tmc-agent-restricted

  4. Delete the namespace:
    kubectl delete namespace vmware-system-tmc
Powered by Wolken Software