aws / eks-anywhere

Run Amazon EKS on your own infrastructure 🚀
https://anywhere.eks.amazonaws.com
Apache License 2.0

Inquiry on Optional Use of vsphere-cloud-controller-manager in Worker Clusters #7935

Open janre opened 5 months ago

janre commented 5 months ago

Please note, this inquiry is aimed at seeking clarification and understanding rather than reporting an issue.

Hello EKS Anywhere Team,

I'm currently utilizing EKS Anywhere to manage Kubernetes clusters in an on-premise environment, specifically with VMware vSphere as the underlying infrastructure.

My query revolves around the use of the vsphere-cloud-controller-manager (CCM) within the worker clusters managed by EKS Anywhere. Given the architecture of EKS-A, with a clear distinction between management and worker clusters, and considering the management cluster handles the lifecycle operations of worker clusters (including VM creation and management), I'm exploring the possibility of minimizing the footprint and permissions required in worker clusters. Specifically, I'm interested in understanding if deploying the CCM in worker clusters is mandatory for EKS-A operations, or if it's optional.

One of my primary motivations is to avoid storing vSphere credentials within each worker cluster to reduce the security surface area. This leads me to the following questions:

I aim to streamline the operation and security posture of my clusters while ensuring that we can still fully utilize the capabilities of EKS Anywhere in a vSphere environment. Any guidance, insights, or documentation you could provide on this matter would be greatly appreciated.

Thank you for your time and assistance.

Best regards, Jan

ahreehong commented 5 months ago

Hello @janre, excluding the CCM from deployment in workload clusters is currently not supported on EKS-Anywhere.

There is an upstream CAPV ticket that includes a bit more context on this specific use case if you would like to read further: https://github.com/kubernetes-sigs/cluster-api-provider-vsphere/issues/924
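Since the CCM (and therefore its vSphere credentials) cannot be left out of a workload cluster, the practical next step for the concern raised above is to know exactly where such credentials live in each cluster. The following is an added audit example, not EKS Anywhere or CAPV code: it parses the JSON that `kubectl get secrets -A -o json` prints and reports which secrets carry credential-looking keys, flagging ones whose name or keys hint at vSphere. The embedded sample is constructed (the secret names and values are made up, not taken from a real EKS-A cluster), and the key-name patterns are assumptions about common conventions. Secret values are decoded nowhere and never printed, only key names.

```python
"""Inventory Kubernetes Secrets that look like infrastructure credentials.

Added example, not EKS Anywhere project code. Reads the output of
`kubectl get secrets -A -o json` and lists, per secret, the data keys that
look like credentials. Values are never printed, only key names.
"""
import base64
import json
import re
import sys

# Data keys that commonly carry credentials (assumed conventions, case-insensitive).
CREDENTIAL_KEY_PATTERN = re.compile(
    r"(password|passwd|username|token|api[-_]?key|secret|client[-_]?secret)", re.I
)
# Names or keys hinting that a secret belongs to the vSphere cloud provider.
VSPHERE_HINT = re.compile(r"(vsphere|vcenter|vmware)", re.I)


def _b64(value: str) -> str:
    """Base64-encode a string the way kubectl renders Secret data."""
    return base64.b64encode(value.encode()).decode()


# Constructed sample: hypothetical names and values, not from any real cluster.
SAMPLE_SECRETS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "example-vsphere-creds", "namespace": "kube-system"},
         "type": "Opaque",
         "data": {"username": _b64("svc-user@vsphere.local"),
                  "password": _b64("not-a-real-password")}},
        {"metadata": {"name": "default-token-x7k2q", "namespace": "default"},
         "type": "kubernetes.io/service-account-token",
         "data": {"token": _b64("eyJ..."),
                  "ca.crt": _b64("-----BEGIN CERTIFICATE-----")}},
        {"metadata": {"name": "app-config", "namespace": "payments"},
         "type": "Opaque",
         "data": {"db.conf": _b64("host=db.internal")}},
    ]
})


def find_credential_secrets(secrets_json: str) -> list[dict]:
    """Return one record per secret that has at least one credential-looking key.

    vSphere-related findings sort first so they stand out in the report.
    """
    doc = json.loads(secrets_json)
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        namespace = meta.get("namespace", "")
        data = item.get("data") or {}  # `data` may be absent on empty secrets
        matched = sorted(k for k in data if CREDENTIAL_KEY_PATTERN.search(k))
        if not matched:
            continue
        vsphere_related = bool(
            VSPHERE_HINT.search(name) or any(VSPHERE_HINT.search(k) for k in matched)
        )
        findings.append({
            "namespace": namespace,
            "name": name,
            "type": item.get("type", ""),
            "credential_keys": matched,
            "vsphere_related": vsphere_related,
        })
    findings.sort(key=lambda f: (not f["vsphere_related"], f["namespace"], f["name"]))
    return findings


def summarize(findings: list[dict]) -> str:
    """Render findings as one line per secret; key names only, no values."""
    lines = []
    for f in findings:
        tag = "VSPHERE" if f["vsphere_related"] else "other"
        keys = ", ".join(f["credential_keys"])
        lines.append(f"[{tag}] {f['namespace']}/{f['name']} ({f['type']}): keys {keys}")
    return "\n".join(lines) if lines else "no credential-looking secrets found"


if __name__ == "__main__":
    # Usage: kubectl get secrets -A -o json | python3 audit_secrets.py
    # With nothing piped in, the constructed sample above is used instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECRETS_JSON
    print(summarize(find_credential_secrets(raw)))
```

Run against a workload cluster's kubeconfig, this gives a quick inventory of which namespaces hold provider credentials, which is the input you need for scoping RBAC on those secrets and for deciding what the CCM's service account must be allowed to read.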