-
Notifications
You must be signed in to change notification settings - Fork 68
/
admission-plugins-disable.html.md.erb
87 lines (68 loc) · 4.9 KB
/
admission-plugins-disable.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
---
title: Deactivating Admission Control Plugins for Tanzu Kubernetes Grid Integrated Edition Clusters
owner: TKGI
---
This topic describes how to deactivate VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) cluster admission control plugins.
For more information about Admission Control Plugins, see [Using Admission Control Plugins for Tanzu Kubernetes Grid Integrated Edition Clusters](./admission-plugins.html).
##<a id='admission-plugin-disable-single'></a> Deactivating a Single Admission Control Plugin
To deactivate a single admission control plugin, do the following:
1. Log in to VMware Tanzu Operations Manager (Ops Manager).
1. Click the Tanzu Kubernetes Grid Integrated Edition tile.
1. Select the plan where you configured the admission control plugin, such as **Plan 1**.
1. Deselect the admission control plugin.
1. Click **Save**.
1. In the **Errands** pane, verify that **Upgrade all clusters errand** is activated.
1. Return to **Installation Dashboard** and select **Review Pending Changes**.
1. Click **Apply Changes**.
Alternatively, instead of enabling **Upgrade all clusters errand**,
you can upgrade individual Kubernetes clusters through the TKGI Command Line Interface (TKGI CLI).
For instructions on upgrading individual Kubernetes clusters, see [Upgrading Clusters](upgrade-clusters.html).
##<a id='admission-plugin-disable'></a> Deactivating an Orphaned Admission Control Plugin
The Ops Manager UI does not let you deselect (deactivate) all admission control plugins.
In other words, after an admission control plugin is activated,
the Ops Manager UI requires that at least one admission control plugin check box is selected (activated).
To deactivate an orphaned Admission control Plugin, complete the following workflow:
1. Obtain the FQDN, user name, and password of your Ops Manager.
1. Authenticate into the Ops Manager API and retrieve a UAA access token to access Ops Manager.
For more information, see [Using the Ops Manager API](https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-operations-manager/3-0/tanzu-ops-manager/install-ops-man-api.html).
1. Obtain the BOSH deployment name for the Tanzu Kubernetes Grid Integrated Edition tile by doing one of the following options:
1. Option 1: Use the Ops Manager API:
1. In a terminal, run the following command:
```
curl -i "https://OPS-MAN-FQDN/api/v0/staged/products" -X GET -H "Authorization: Bearer UAA-ACCESS-TOKEN" -k
```
1. In the output, locate the `installation_name` that begins with `pivotal-container-service`.
1. Copy the entire BOSH deployment name, including the unique GUID. For example, `pivotal-container-service-4b48fc5b704d54c6c7de`.
1. Option 2: Use the Ops Manager UI:
1. In Ops Manager, click the Tanzu Kubernetes Grid Integrated Edition tile.
1. Copy the BOSH deployment name including the GUID from the URL:
<img src="images/pks-guid.png" alt="TKGI GUID">
<br/><br/>
The deployment name contains "pivotal-container-service" and a unique GUID string. For example, `pivotal-container-service-4b48fc5b704d54c6c7de`.
1. To deactivate the orphaned admission control plugin, run the following Ops Manager API command:
```
curl -i "https://OPS-MAN-FQDN/api/v0/staged/pivotal-container-service-GUID/properties" \
-H "Authorization: Bearer UAA-ACCESS-TOKEN" \
-X PUT -d '{"properties": {".properties.PLAN-NUMBER_selector.active.admission_plugins":{"value":[]}}}' \
-H "Content-Type: application/json"
```
Where:
* `OPS-MAN-FQDN` is the URL of your Ops Manager.
* `pivotal-container-service-GUID` is the BOSH deployment name of your Tanzu Kubernetes Grid Integrated Edition that you retrieved earlier in this procedure.
* `UAA-ACCESS-TOKEN` is the UAA token you retrieved earlier in this procedure.
* `PLAN-NUMBER` is the plan configuration you want to update. For example, `plan1` or `plan2`.
For example:
```console
$ curl -i "https://pcf.example.com/api/v0/staged/products/pivotal-container-service-4b48fc5b704d54c6c7de/properties" \
-H "Authorization: Bearer aBcdEfg0hIJKlm123.e" \
-X PUT -d '{"properties": {".properties.plan1_selector.active.admission_plugins":{"value":[]}}}' \
-H "Content-Type: application/json"
```
1. From the output, verify that the command returns a `HTTP 200` status code.
1. Validate your manifest change in the Ops Manager UI. Do the following:
1. Log in to Ops Manager.
1. Select **Review Pending Changes**.
1. On the Review Pending Changes pane, navigate to the Tanzu Kubernetes Grid Integrated Edition section and select **SEE CHANGES**.
1. Verify that the admission control plugins are displayed as removed in the **Manifest** section. For example:
<img src="images/admission-plugin-disable-multiple.png" alt="Manifest diff displays removed admission control plugins">
1. Click **Apply Changes**.