With the release of vSphere 7.0 Update 1, VMware introduced a new licensing model for its Tanzu Kubernetes integration. Basically, the licensing has been changed from an ESXi-Host license to a Cluster license that looks familiar to the vSAN license which is in place for a couple of years. The change does only affect how you have to apply the license. The entity to pay for is still a physical CPU.
In vSphere 7.0 GA, the license required to enable Kubernetes (aka. "Workload Management") was an add-on license for ESXi Hosts named "vSphere 7 Enterprise Plus with Kubernetes". With the introduction of vSphere 7.0 Update 1, which is also referred to as 7.0.1, "vSphere add-on for Kubernetes" has been rebranded and split into 4 licenses Tanzu Basic, Tanzu Standard, Tanzu
As of today, only Tanzu Basic and Tanzu Standard is available to customers. The Advanced and Enterprise editions will be available in the future. Each Tanzu is a superset of the one below, giving customers a clear path to add capabilities over time as needed.
Tanzu Basic is where you get started. It's a simple and affordable Kubernetes integration that is intrinsically tied to vSphere. You can either use NSX-T (requires additional licensing) or with a "bring your own" network strategy that utilizes vSphere Distributed Switch Portgroups and HAProxy load balancing.
Additional Information: VMware Tanzu Basic Solution Brief
Tanzu Standard is for organizations that want to operate a Kubernetes-based container solution across multiple clouds. It provides the flexibility to extend a consistent Kubernetes distribution across on-premises and public clouds. Tanzu Standard can be licensed as an add-on for vSphere, or with VMware Cloud Foundation.
Additional Information: VMware Tanzu Standard Solution Brief
|Tanzu Basic||Tanzu Standard|
|vSphere Pod Service||YES||YES|
|Network Service||NSX-T / BYO||NSX-T / BYO|
|NSX-T Load Balancing||YES||YES|
|HAProxy Load Balancing||YES||YES|
|Fluent Bit & Fluentd||YES||YES|
|Tanzu Mission Control||NO||YES|
|Prometheus & Grafana||NO||YES|
|Kubernetes cluster management||NO||YES|
|Cluster and workload Health||NO||YES|
|Centralized Security policy management||NO||YES|
|Velero Backup & Restore||NO||YES|
|Cluster conformance inspections||NO||YES|
|System events and audit logs||NO||YES|
|Tanzu Observability Integration||NO||YES|
|Tanzu Service Mesh Integration||NO||YES|
NSX-T vs. Bring Your Own
vSphere 7.0 Update 1 decouples the Kubernetes integration from NSX-T. In the first release, NSX-T was a requirement to enable workload management. With Update 1, You do now have the ability to bring your own networking and load balancing.
With bring-your-own vSphere Distributed Switch (vDS) networking, you supply your own load balancer. Each Tanzu Kubernetes cluster is on a private network. Kubectl requests come into the cluster load balancer, which then forwards the requests to the Tanzu Kubernetes cluster control plane API server or servers. A Supervisor Cluster that is backed by a vSphere Distributed Switch uses distributed port groups as Workload Networks for namespaces.
With NSX-T networking, when you create a Supervisor Namespace, an NSX-T segment is defined for each namespace. This segment is connected to the NSX-T Tier-1 gateway for the Supervisor Cluster network. When a new Tanzu Kubernetes cluster is provisioned in a Supervisor Namespace, a new Tier-1 gateway is created. For each Tanzu Kubernetes cluster that is provisioned in that namespace, a segment is created for that cluster and it is connected to the Tier-1 gateway in its Supervisor Namespace.
|NSX-T||Bring Your Own|
|Networking||NSX-T Segments||vDS Port Groups|
|Load Balancing||NSX-T Load Balancer||HAProxy|
|vSphere Pod service||Available||Not Available|
|Registry service (Harbor)||Available||Not Available|
Evaluating Tanzu in vSphere 7.0 Update 1
Evaluating Tanzu is as simple as evaluating ESXi and vCenter. There is no need to get "Evaluation" licenses. You just get the bits, install everything and the 60-day evaluation begins. The integration using NSX-T hasn't changed much since vSphere 7.0 GA. You can still follow my "Getting Started Guide - VMware vSphere with Kubernetes" to deploy Kubernetes on your existing Cluster using NSX-T. The only major difference is that you do now have the option to configure "vCenter Server Network" (aka. "Bring your own networking").
Upgrading "vSphere with Tanzu"-enabled vSphere 7.0 to vSphere 7.0 U1
Directly after upgrading the vCenter to 7.0 Update 1, it is likely that the Workload Management page welcomes you with the following message:
Currently, there is a bug in the vCenter software that displays the following error message when you open Workload Management, regardless of the actual licensing state. The bug also happens when you've been previously logged in to the vCenter and reboot the vCenter Appliance.
None of the hosts connected to this vCenter are licensed for Workload Management.
To regain access to the Workload Management page, you have to clear cookies or use incognito mode. The problem sometimes also vanishes if you simply wait for some while. It is only a User-Interface bug. If you access Workload Management using the API, everything works fine.
If you are running ESXi Hosts in evaluation mode, which was common for testing or homelab environments as the "Enterprise Plus" license is not capable of running Tanzu, you might want to switch your license back to Enterprise Plus. After assigning the new license to the Supervisor Cluster, you might get the following error message:
This issue happens when you have upgraded the vCenter to 7.0 U1, but the ESXi hosts are still running on 7.0. If you update ESXi hosts to ESXi 7.0 Update 1 (Build 16850804 or greater), you can revert the evaluation license back to your normal license.