Introduction to VMware Tanzu Mission Control


Section 1: Introduction to VMware Tanzu Mission Control

In Swahili, 'tanzu' means the growing branch of a tree. In Japanese, 'tansu' refers to a modular form of cabinetry. At VMware, Tanzu represents our growing portfolio of solutions to help you build, run and manage modern apps.

VMware Tanzu portfolio enables customers to build modern apps on Kubernetes and manage all of their clusters from a single control point. Tanzu allows you to build applications with velocity, run open source Kubernetes with consistency, and manage your entire footprint with confidence.

Tanzu Capabilities Include:

  • Enterprise Kubernetes Management - Take command of your entire Kubernetes footprint. Manage hundreds of users and apply policies across thousands of clusters.
  • Kubernetes for SDDC - Run Kubernetes containers alongside VMs on your existing SDDC infrastructure, with deep integration into vSphere, NSX and vSAN coming in the near future.
  • Kubernetes for Public Clouds - Build a custom Kubernetes footprint across any cloud with expert guidance and support, using curated open source technologies.

VMware Tanzu Mission Control (TMC) provides a single control point for teams to more easily manage Kubernetes and operate modern, containerized applications across multiple clouds and clusters. VMware Tanzu Mission Control codifies the know-how of operating Kubernetes - including deploying and upgrading clusters, setting policies and configurations, understanding the health of clusters and the root cause of underlying issues, plus creating a map from the “people structure” to the infrastructure.

As more and more teams adopt containers and Kubernetes, the resulting footprint becomes harder to manage. Development teams need independence to run and operate their applications across multiple clusters and clouds. IT teams need to maintain visibility and control at an organization-wide level.

VMware Tanzu Mission Control supports both development and IT teams in three key ways:

  • Enabling developer independence, with control: To get to market faster, development teams need self-service access to the right environment, tools, and components for their applications. With declarative APIs, centralized authentication, and managed namespaces, you can safely provide developers with self-service access to the resources they need to deploy their applications, without changing their workflows.
  • Manage and operate across teams, clusters, and clouds, with consistency: Automatically provision clusters in your public cloud account and connect existing clusters for centralized monitoring and observability over fleets of clusters and application workloads running across any infrastructure—vSphere, VMC, public clouds, and bare metal.
  • Secure and harden at scale, with confidence: Easily enable access and define backup, security, and compliance policies at an organizational level, across groups of clusters, and across application environments in just a few clicks. Enforce these policies across multiple clouds and clusters, even thousands of clusters running at the edge.

VMware Tanzu Mission Control is a multi-tenant platform where each customer has access to a Policy Framework that can be applied to a Resource Hierarchy (logical components that group clusters and namespaces within clusters). Each customer has an Organization, which is the root of the resource hierarchy. The resource hierarchy applies to clusters that are provisioned and managed by Mission Control as well as clusters that are attached.

Each customer will have access to:

  • Comprehensive Policy Framework
  • Resource Hierarchy to apply uniform Policies
  • Provision and Manage Lifecycle of Kubernetes Clusters
  • Bring in existing Clusters for better control

Section 2: Manage your Kubernetes Clusters

With VMware Tanzu Mission Control an operator can manage all conformant Kubernetes clusters regardless of where they are running—vSphere, VMware PKS, Public clouds (AWS, Azure, Google), Managed services (EKS, AKS, GKE), packaged distributions (OpenShift, Rancher) and DIY. Apply consistent policy for access, back-up, security and more to individual clusters or groups of clusters—and make these resources readily available to development teams.

NOTE: From a functionality perspective, VMware Tanzu Mission Control also allows users to provision a managed Kubernetes cluster to AWS right from the TMC Console. But since our Pathfinder TMC environment is shared among VMware Employees, Partners and PoC Customers, we are working on certain RBAC improvements that will allow us to efficiently manage multiple AWS accounts and ensure they can only be used by the account owner.

Users will still be able to attach their k8s clusters today (PKS, EKS, AKS, GKE, etc.) by using the 'Attach Cluster' option.

VMware Tanzu Mission Control provides users with the following Cluster Management capabilities:

  • Cluster Lifecycle Management: Attach / Create / Resize / Upgrade / Delete
  • Access control: Use federated identity management and apply granular Roles Based Access Control
  • Cluster observability and diagnostics: See how resources are used in your clusters
  • Policy management: Create policies that govern your clusters
  • Cluster inspections: Run preconfigured conformance inspections against clusters using Sonobuoy

In this section, we will discuss how we can use VMware Tanzu Mission Control (TMC) to attach and manage existing Kubernetes clusters. TMC provides you the commands to run on a local Kubernetes cluster in order to install the cluster agent into the cluster.

If you do not have a Kubernetes cluster available, you can always use our VMware Enterprise PKS cluster by enabling the product for your Tanzu evaluation. Please refer to Appendix A for steps on how to get access to a PKS cluster before continuing further. For the sake of this guide, we will use a PKS cluster in the following steps, although the process to 'Attach Cluster' remains the same across the board.

Click on the 'Enable Access' button on the activity screen you're on, as shown in the image below. Your VMware ID will get created with Organization Member permissions on the TMC Console.

Next, click on the 'VMware Tanzu Mission Control' link under Access section below this text towards the bottom of your screen.

You will be redirected to the VMware Cloud Services login page. If you're not automatically logged in, use your email address associated with your VMware ID account, followed by your password.

Once logged in, you should see a My Services page with 'VMware Tanzu Mission Control' listed as a product in it. Launch the product.

If you don't see it, then click on your username on the Cloud Services page -> Change Organization and make sure you have selected 'Pathfinder Services' as your Organization. After that, you should see the TMC product.

Now that you're logged in, you should see the 'Clusters' page as your default landing page. Notice that there are no clusters attached at this point. We will register a cluster next.

Click on the 'Attach Cluster' button. On the page that loads, choose the Cluster Group identical to your VMware ID from the dropdown. Type your cluster name in the 'Name' field. Since we're using PKS cluster in this guide, we'll use the same name as the PKS cluster name as shown below. Click on 'Register' when you're done.

A screen comes up showing a kubectl apply command that installs the VMware Tanzu Mission Control Agent on your cluster within the namespace 'vmware-system-tmc'. This command is unique to your environment, so you must copy it directly from that screen.

Next, paste the command that you just copied on your cluster. This workflow will be the same across any k8s cluster, On-Premise or Cloud.

Note: Since we're using VMware Enterprise PKS for this guide, we will paste the kubectl apply command into the PowerShell CLI window on our PKS Horizon Desktop. Please refer to the Appendix A for steps on how to get access to a PKS cluster.

Also, please note that your command will be different from the one shown below.

In order to watch the Agent come up, run the following command on your cluster (PowerShell in this case):

kubectl get pods --all-namespaces

Notice that TMC pods are created under the namespace 'vmware-system-tmc' as mentioned before. Wait for all pods to come up to a 'Running' or 'Completed' state, as shown above. This may take up to 10 minutes.

Next, switch back to your TMC Console and click on 'Verify Connection'. After verification is done, you should see a success message as shown.

Hit 'Continue' and you will be redirected to the Cluster Overview page. Observe the different components and the agent/extension health check indications; these should all be green after a successful attach. NOTE: If your cluster does not show up right away, you may need to hit the refresh button on your browser.

Click the Nodes tab to see information about the nodes within your cluster.

Click the Namespaces tab to see information about your currently provisioned Namespaces.

Click the Workloads tab to see information about different workload objects provisioned to your cluster.

As we saw, the steps to Attach Cluster are practically the same across clusters running on different environments. This means that users can now get a centralized management platform for operating and securing their Kubernetes infrastructure. TMC provides operators a single governance control point while freeing developers to deploy to production without needing to know how to operate Kubernetes. VMware Tanzu Mission Control truly takes command of every Kubernetes cluster across every cloud to make cloud-native operation very simple.
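The wait-for-the-agent step above can be checked mechanically instead of by eye. The following is an added example, not part of the original guide or of VMware's tooling: it reads pod JSON and reports which pods in 'vmware-system-tmc' have not settled, and it is stricter than the STATUS column because a 'Running' pod whose containers are not ready still counts as waiting. The pod names and the sample data are constructed.

```python
import json

TMC_NAMESPACE = "vmware-system-tmc"  # agent namespace named in this guide

def pod_settled(pod):
    """True for a pod kubectl lists as 'Completed', or 'Running' with all containers ready."""
    status = pod.get("status", {})
    phase = status.get("phase")
    if phase == "Succeeded":          # finished job pods; kubectl shows them as Completed
        return True
    containers = status.get("containerStatuses", [])
    return phase == "Running" and bool(containers) and all(c.get("ready") for c in containers)

def unsettled_pods(kubectl_json, namespace=TMC_NAMESPACE):
    """Names of pods in `namespace` that have not yet reached a settled state."""
    pods = [p for p in json.loads(kubectl_json).get("items", [])
            if p["metadata"].get("namespace") == namespace]
    if not pods:
        raise ValueError(f"no pods in {namespace!r}; has the agent manifest been applied?")
    return sorted(p["metadata"]["name"] for p in pods if not pod_settled(p))

def _pod(name, phase, ready=None, namespace=TMC_NAMESPACE):
    """Build one constructed pod record with only the fields this check reads."""
    status = {"phase": phase}
    if ready is not None:
        status["containerStatuses"] = [{"name": "main", "ready": ready}]
    return {"metadata": {"name": name, "namespace": namespace}, "status": status}

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE = json.dumps({"items": [
    _pod("example-agent-a", "Running", ready=True),
    _pod("example-installer-job", "Succeeded", ready=False),
    _pod("example-agent-b", "Pending"),
    _pod("example-agent-c", "Running", ready=False),   # still starting or crash-looping
    _pod("unrelated-pod", "Pending", namespace="kube-system"),
]})

if __name__ == "__main__":
    waiting = unsettled_pods(SAMPLE)
    print("still waiting on:", ", ".join(waiting) if waiting else "nothing, agent is up")
```

Against a live cluster, pass it the output of `kubectl get pods -n vmware-system-tmc -o json` instead of the sample.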

Section 3: Walkthrough of TMC Policies and Inspections

Through the VMware Tanzu Mission Control console, you can organize and view your Kubernetes resources in two different ways, enabling operations administrators to maintain control over clusters while allowing application teams self-serve access to namespaces.

  • Cluster Groups allow you to organize your Kubernetes clusters into logical groupings, for example to align with business units. Clusters must belong to a cluster group. When you attach or provision a cluster in Tanzu Mission Control, you specify the cluster group to which the cluster belongs.

Application View

  • Workspaces allow you to take an application or workload centric view of your environments and organize your managed namespaces into logical groups across clusters, perhaps to align with development projects. In an attached cluster, you can have both managed and unmanaged namespaces. When you create a namespace in an attached or provisioned cluster, you specify the workspace to which the namespace belongs. You can also add an existing namespace to a workspace.

By combining your resources into groups, you can simplify management by applying policies at the group level. For example, you can apply an access policy to an entire cluster group rather than creating separate policies for each individual cluster.

The workspace and namespace policies are more of an application centric way to give a user access to your Kubernetes infrastructure. Contrast this with the Cluster and Cluster Group policy which is more of an infrastructure centric way to define policies. Both approaches are important when operating Kubernetes at scale.

NOTE: The Pathfinder TMC Console is a shared instance that is leveraged by VMware Employees, Partners and Customers. One Cluster Group and one Workspace are pre-provisioned and assigned per user through TMC access policies. Due to resource constraints, creating additional Cluster Groups and Workspaces is not allowed in this environment.

Policy Inheritance

In the VMware Tanzu Mission Control resource hierarchy, there are three levels at which you can specify policies:

  • Organization
  • Object Groups (Cluster Groups and Workspaces)
  • Kubernetes Objects (Clusters and Namespaces)

In addition to the direct policy defined for a given object, each object also has inherited policies that are defined in the parent objects. For example, a cluster has a direct policy and also has inherited policies from the cluster group and organization to which it is attached.

Based on the information above, let's click on 'Policies' from sidebar Menu and observe the Cluster and Workspace policies. Notice the hierarchy set for inherited policies from organization and cluster group as well.

You can go ahead and add a 'New Role Binding' that will only apply to your Cluster or Workspace level, and assign it to other users.
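The inheritance rule described above can be modelled in a few lines to answer the audit question "who can reach this object, and where was that granted?". This is an added example, not TMC code or its API: the hierarchy follows the three levels listed in this section, while every name, role label and subject is a constructed placeholder.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One object in the resource hierarchy described above."""
    kind: str                       # organization, cluster-group, workspace, cluster, namespace
    name: str
    parent: "Node | None" = None
    bindings: list = field(default_factory=list)  # direct policy: (role, subject) pairs

def effective_bindings(node):
    """Direct bindings first, then those inherited from each parent up to the organization."""
    rows, current = [], node
    while current is not None:
        origin = "direct" if current is node else "inherited"
        for role, subject in current.bindings:
            rows.append((subject, role, origin, f"{current.kind}/{current.name}"))
        current = current.parent
    return rows

def inherited_from(node, kind):
    """Subjects whose access to `node` comes from a binding set at the given parent kind."""
    return sorted({s for s, _, origin, src in effective_bindings(node)
                   if origin == "inherited" and src.startswith(kind + "/")})

# Constructed sample hierarchy; names, roles and subjects are placeholders.
org = Node("organization", "example-org", bindings=[("admin", "platform-ops")])
group = Node("cluster-group", "bu-retail", org, [("view", "retail-sre")])
cluster = Node("cluster", "pks-demo", group, [("edit", "alice@example.com")])
workspace = Node("workspace", "checkout-app", org, [("edit", "checkout-devs")])
namespace = Node("namespace", "checkout-prod", workspace)

if __name__ == "__main__":
    for obj in (cluster, namespace):
        print(f"{obj.kind}/{obj.name}")
        for subject, role, origin, source in effective_bindings(obj):
            print(f"  {subject:20} {role:6} {origin:9} from {source}")
```

The output makes the practical consequence visible: a role binding added at the cluster level affects only that cluster, while one set at the organization shows up as inherited on every cluster and namespace beneath it.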


In this section we will be running a Lite conformance test on the AWS cluster in your environment. A full conformance test will take several hours to run and should be done only if you have sufficient time left in your TMC access counter visible right above 'Credentials' section on this guide.

On your cluster overview page on TMC Console, navigate to 'Inspection' Tab and select 'Run Inspection' -> Lite. A Lite inspection usually takes no more than 5 minutes.

A full conformance test consists of 180+ different tests and is intended to check your cluster against the latest Certified Kubernetes Offerings that are published through the Cloud Native Computing Foundation (CNCF). More details can be found

Appendix A: Getting access to a VMware Enterprise PKS cluster

NOTE: In order to learn more about our VMware Enterprise PKS product offering, please refer to our KB articles here. In this section, we will show you how to access your PKS cluster and prepare it to attach to the TMC Console.

To login to VMware Enterprise PKS perform the following steps.

First, open a web browser of your choice and navigate to pathfinder.vmware.com. Click on Log In and you will be re-directed to the VMware Cloud Services Login page.

Use your email address associated with your VMware ID account, followed by your password.

Once logged in, navigate to 'CATALOG' from the top navigation bar, and choose 'PKS' as the product, 'TestDrive' as the Activity Type as shown below.

Click on the 'Explore VMware Enterprise PKS' Activity Card and the activity opens up. On the Getting Started page, click on the 'Enable Access' button located near the bottom-right of this page. This will provision your PKS account and display 'PKS Credentials' as shown below in the format pksuserxxxx. Please note these credentials down along with the API URL for use later. Please note that both your TMC and PKS accesses are valid for 48 hours in a single session. Once the time expires, you can re-enable access by following the same method.

Next, launch the 'Workspace ONE' link under Access option, you will be redirected to Workspace ONE Access login screen. Use the Workspace ONE Credentials from the above screenshot to authenticate. Once logged in, search for 'PKS' on the Apps Tab and launch the Horizon Desktop by clicking on 'Open' as shown.

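Now, you'll be on the VMware Enterprise PKS Horizon Desktop. Launch PowerShell from the Desktop and log in to the PKS environment using the PKS Credentials saved previously, in the following format. The -k flag skips SSL certificate validation for the PKS API endpoint, and a password passed with -p is recorded in the shell history.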

pks login -a pks-api.vmwtd.com -u <username> -p <password> -k

With our latest release of TestDrive PKS Demo, one cluster comes pre-created with each UAAC user. So we'll run the next command to get information about that cluster:

pks clusters

The last command to run in preparing this cluster to attach to TMC is for populating the kube config file with the right credentials for this cluster:

pks get-credentials <your_cluster_Name>

For next steps, please follow the course of the guide in Section 2: Manage your Kubernetes Clusters
