In a nutshell… VMware TKGm and vNKP on Hosted Private Cloud

As the end of the year approaches, our Hosted Private Cloud powered by VMware offer welcomes two important features enabled by the vSphere 7 update: Tanzu Kubernetes Grid multicloud (TKGm) and vSphere Native Key Provider (vNKP).

While « Tanzu » was expected, following the release of Tanzu CE, the availability of vNKP may come as a surprise.

Let’s look at TKGm first:
It is VMware’s implementation of a Kubernetes (K8S) cluster, independent of your environment: on-premises, dedicated cloud or public cloud. This keeps your K8S implementation under control and secure wherever you run it. You can simply move the TKGm configuration from one site/instance to another.

With TKGm, the sources are hosted, maintained and controlled by VMware, which means more security and stability.

This means you can use your VMware Hosted Private Cloud managed by OVHcloud for your K8S clusters, benefiting from both OVHcloud’s and VMware’s levels of security and reliability.

TKGm differs from the TKGs solution, which requires access to the vSphere layer, something some public instances do not allow. TKGm gives you the freedom to run it wherever you want.

In order to maintain interoperability and redundancy, and to let you choose the tools you need (innovation for freedom), OVHcloud offers the Tanzu implementation on VMware with the fewest constraints, together with security, reversibility and ease of migration.

Installation is simplified thanks to a pre-packaged Ubuntu image, ready to be configured, but you can still do it your own way.

Even though the VMware on OVHcloud platform is managed, you remain completely free to manage your containers within the standard offer as well as with our vSAN and NSX-T options.
This way you can benefit from high-performance NVMe storage and/or the improved NSX-T security for your containers.

As the platform is SecNumCloud qualified, your containers benefit from the ANSSI certification as well, should you use this environment.

We have complete and detailed OVHcloud Hosted Private Cloud by VMware documentation, and should the need arise, our Professional Services team can assist you further.

Here are our Installing Tanzu Kubernetes Grid guide and the official VMware Tanzu Kubernetes Grid documentation.

Now let’s look at vSphere Native Key Provider (vNKP), vSphere’s new integrated key generator.

Included natively and free of charge in vSphere 7.0u2 (thanks to the Enterprise Plus license used at OVHcloud), vNKP brings to your vCenter Server and your ESXi hosts an all-inclusive key generation and hosting solution for your encryption « at rest » and vTPM.

vNKP is an internal VMware mechanism and cannot be accessed outside of your vCenter/ESXi/vSphere. It is not a standard KMS (Key Management Server).

The immediate benefit is increased security for your VMs without having to subscribe to a PCI-DSS or SecNumCloud offer, and without having to purchase and maintain a third-party KMS… as long as you only use it for your VMware environment.

Integrating encryption key management into vCenter/vSphere is a step forward in simplifying security management… and thus in increasing security. The easier security is to implement and manage, the wider its adoption, which in turn means a more secure platform.

Additionally, integrating encryption key delivery into your existing platform saves you a lot of headaches regarding redundancy, resilience and access to the KMS. Handling all of these for an external or third-party KMS can be complicated, and thus expensive. vNKP reduces the complexity of encryption key management for your VMware environment.

Thanks to this free feature, all your VMs can benefit from robust and secure encryption, and if you want to migrate from a third-party KMS to vNKP, a simple shallow rekey operation is all that is required; there is no need for a complete decryption/re-encryption process. It is completely invisible to users.

TPM 2.0 support is native through the use of vTPM. Your workloads/VMs requiring this level of security can now move to OVHcloud without having to invest in on-premises servers fitted with a physical TPM chip.

Of course, as with a third-party KMS, regular backups of the key and configuration are highly recommended, but that is no surprise…

Using vNKP and the vSphere « virtual machine encryption » service allows you to encrypt not only the VMs but also their configuration files. This way, you get the benefits of complete protection from unwanted tampering.

But that does not protect you from data loss or corruption, so backups and/or replication are still highly recommended to recover and keep your business up and running.

For more information, see our guide and the official VMware documentation.

In conclusion, the OVHcloud / VMware platform keeps gaining new features. The two described above let you migrate and deploy your containers easily on the OVHcloud Hosted Private Cloud managed environment, and reinforce security using the integrated vSphere Native Key Provider.

More features are coming soon (did anyone say « TKGs »?) and I will have the pleasure of describing them in another article.

Technical Marketing Specialist @OVHcloud

About 20 years of experience in HW storage/backup/replication…