Managing Kubernetes Cluster Inspection with Tanzu Mission Control

VMware Tanzu Mission Control (TMC) is a conformant Kubernetes lifecycle management solution that supports different functions like Cluster provisioning, backup, inspection, policy management and many more.

In this blog post, I will help you to understand about Cluster Inspection. It is one of the TMC feature that you can use either from TMC GUI or CLI or API and trigger a predefined inspection rules. As of today, TMC supports three inspection rules:

  • The Conformance inspection validates the binaries running on your cluster and ensures that your cluster is properly installed, configured, and working. You can view the generated report from within Tanzu Mission Control to assess and address any issues that arise. For more information, see the Kubernetes Conformance documentation at
  • The CIS benchmark inspection evaluates your cluster against the CIS Benchmark for Kubernetes published by the Center for Internet Security. This inspection type is available in Tanzu Mission Control only if you are using Tanzu Advanced Edition.
  • The Lite inspection is a node conformance test that validates whether nodes meet requirements for Kubernetes. For more information, see Validate node setup in the Kubernetes documentation.

Pre-requirement for running an Inspection

  • Cluster is onboarded (either attached or provisioned)

Steps to run a Cluster Inspection

As I mentioned above, there are multiple ways to trigger an inspection against a Kubernetes Cluster.

Running an Inspection from TMC UI

  • Login to TMC console
  • Click on Clusters option from the left navigation menu and click on a cluster name then click Inspections tab
  • Click Run Inspection and select the inspection you want to run.
  • Once you click on the inspection type, It will start the inspection and you can monitor the progress on the UI.
  • Once the test is completed, you can click on the Result and it will display the test ran.
  • Similarly, If i click on the Conformance test, you will see many tests was ran.
  • It’s important to understand that, in case you are provisioning a cluster from TMC, it ensures that the cluster provisioned is CIS compliant and CNCF conformant. That’s really a great part of TMC and TKG together.
  • In case you are looking to execute a similar test using tmc cli you can use the following command after tmc cli is installed and configured.
❯ tmc cluster inspection scan  create  --inspection-type LITE --cluster-name tkgonazure --management-cluster-name dt-tkg-on-azure --provisioner-name default
i using template "default"
√ scan "24707a53-9bae-4ca0-a52c-ab2a252961e0" is being created

  • If you want to list the total number or inspection ran against a cluster, use the following command.
  • To know more about a particular scan using tmc cli , run the following command.
tmc cluster inspection scan  get 43a6c12f-ecad-4531-a7f7-162c55712885  --cluster-name tkgonazure --management-cluster-name dt-tkg-on-azure --provisioner-name default 

Here are more resources for your reference:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s