VMware vSphere Kubernetes Service 3.3 is now GA

We are excited to announce the general availability of VMware vSphere Kubernetes Service (VKS) 3.3, formerly known as VMware Tanzu Kubernetes Grid (TKG) Service, alongside vSphere Kubernetes release (VKr) 1.32, previously referred to as Tanzu Kubernetes release. This release introduces several key features and enhancements that improve security, scalability, and cluster management. 

Support for Upstream Conformant vSphere Kubernetes release 1.32 
With VKS 3.3, you can now deploy workload clusters on VKr 1.32, which is based on the latest Kubernetes minor release, 1.32. Keeping up with the latest Kubernetes releases ensures your clusters remain secure, high-performing, and compatible with modern applications. vSphere Kubernetes release 1.32 brings greater efficiency, security, and flexibility to your workloads.

Flexibility to enable OS FIPS Mode
This release introduces a new configuration option to enable FIPS mode at the OS level, ensuring that only FIPS-approved cryptographic modules within the operating system are used. Administrators can choose whether FIPS is enabled at the OS level for both Linux and Windows workload clusters. You can enable this feature by customizing the 'osConfiguration' cluster class variable. Ubuntu-based vSphere Kubernetes releases may require an Ubuntu Pro subscription to enable this feature. More information is available in the documentation.

If your organization operates in a regulated industry (such as government, finance, healthcare, etc.), FIPS compliance is critical for meeting security requirements and reducing compliance risks.

Transitioning to Cluster API 
As announced in the VKS 3.2 release documentation, the TanzuKubernetesCluster API will be removed no sooner than June 2025. VKS 3.3 introduces a streamlined mechanism to shift TKC-based clusters to Cluster API-based bootstrapping and configuration of your workload clusters. Transitioning to Cluster API ensures better automation and future compatibility. Organizations should start planning their transition to Cluster API now to avoid disruption when the TKC API is removed. Get Started with the Cluster API transition today!

Other Notable Enhancements

Windows Node Integration with Active Directory (gMSA Support) – Starting from VKS 3.3, you can join Windows nodes to an on-premises Active Directory instance and use Group Managed Service Accounts (gMSAs) for secure authentication. You can automate joining of Windows nodes to an Active Directory domain in an organizational unit, and add nodes to a security group that you can designate for accessing gMSAs. Enterprises that use Active Directory for identity management can now easily integrate Windows-based Kubernetes workloads, improving security and operational efficiency. You can read more about this in the documentation.

Cluster Autoscaler: Scale to and from Zero – VKS 3.3 introduces the ability to scale clusters up from zero or down to zero worker nodes when using VKr versions 1.31.4 and later, a feature that was previously unavailable since the introduction of the Cluster Autoscaler in vSphere 8.0 U3. This provides cost savings and resource efficiency by allowing workloads to dynamically scale down to zero when not in use, optimizing infrastructure costs and improving resource availability in cases of burst workloads and seasonal applications.

Upgrade Guard Rails for Smoother Upgrade Experience
Upgrading across multiple versions can introduce challenges, particularly with deprecated resources. In VKr 1.31.1, Antrea 2.1 deprecated some CRDs and introduced new storage versions. When upgrading workload clusters to VKr minor version 1.31 from any available version of 1.30.x, deprecated objects of Antrea CRDs must be replaced with the latest storage version objects.

  • Upgrade to VKr 1.31.1 – Before this upgrade, a minimal set of manual instructions provided in the Release Notes of 1.31.1 must be followed. If not, this upgrade could fail.
  • Upgrade to VKr 1.31.4 – Upgrading to VKr 1.31.4 automatically replaces the deprecated Antrea CRDs, so administrators need not perform any manual steps here.

VKS 3.3 has built-in guard rails to avoid any potential upgrade failures. If your workload cluster is on Kubernetes release 1.30.x and you have upgraded to VKS 3.3, upgrading to Kubernetes release 1.31.1 is blocked. Instead, you can upgrade to 1.31.4 directly, which does not require manual steps. If your workload cluster is on VKr 1.31.1, upgrading to VKS 3.3 is blocked by design. You must first upgrade the workload cluster to VKr 1.31.4.
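
A pre-upgrade check related to the Antrea CRD storage-version change described above, added here as an example and not VMware's or Antrea's own tooling: it reads output shaped like `kubectl get crd -o json` and lists CRDs in the `crd.antrea.io` group whose `status.storedVersions` still include a version other than the current storage version, which indicates objects may still be persisted in an older version. The sample JSON, including its CRD names and versions, is constructed; treating a stale `storedVersions` entry as the signal to act on is an assumption, and the 1.31.1 Release Notes remain the authority on the manual steps.

```python
import json

ANTREA_GROUP = "crd.antrea.io"  # API group used by Antrea CRDs

# Constructed sample shaped like `kubectl get crd -o json` output (trimmed).
# CRD names and versions are illustrative, not taken from the release notes.
SAMPLE_CRDS = json.loads("""
{"items": [
  {"metadata": {"name": "examplepolicies.crd.antrea.io"},
   "spec": {"group": "crd.antrea.io", "versions": [
     {"name": "v1alpha1", "served": true, "storage": false},
     {"name": "v1beta1", "served": true, "storage": true}]},
   "status": {"storedVersions": ["v1alpha1", "v1beta1"]}},
  {"metadata": {"name": "examplegroups.crd.antrea.io"},
   "spec": {"group": "crd.antrea.io", "versions": [
     {"name": "v1beta1", "served": true, "storage": true}]},
   "status": {"storedVersions": ["v1beta1"]}},
  {"metadata": {"name": "widgets.example.com"},
   "spec": {"group": "example.com", "versions": [
     {"name": "v1", "served": true, "storage": true}]},
   "status": {"storedVersions": ["v1beta1", "v1"]}}
]}
""")

def current_storage_version(crd):
    """Return the name of the version marked storage: true, or None."""
    for version in crd["spec"]["versions"]:
        if version.get("storage"):
            return version["name"]
    return None

def stale_stored_versions(crd_list, group=ANTREA_GROUP):
    """Map CRD name -> stored versions that differ from the storage version."""
    findings = {}
    for crd in crd_list.get("items", []):
        if crd["spec"]["group"] != group:
            continue  # only CRDs in the requested API group are in scope
        storage = current_storage_version(crd)
        stored = crd.get("status", {}).get("storedVersions", [])
        stale = [v for v in stored if v != storage]
        if stale:
            findings[crd["metadata"]["name"]] = stale
    return findings

if __name__ == "__main__":
    for name, versions in stale_stored_versions(SAMPLE_CRDS).items():
        print(f"{name}: objects may still be stored as {', '.join(versions)}")
```

To run it against a real cluster, replace `SAMPLE_CRDS` with the parsed output of `kubectl get crd -o json`.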

Final Thoughts

vSphere Kubernetes Service 3.3 brings stronger security, improved scalability, optimized cost savings, and enhanced cluster lifecycle management to help customers optimize their Kubernetes environments.

| Feature | Why it matters? |
| --- | --- |
| Kubernetes 1.32 Support | Stay secure, up-to-date, and take advantage of the latest Kubernetes features. |
| OS FIPS mode configuration option | Provides administrators a simple, flexible way to enable the OS FIPS configuration option, so that they can meet compliance and security standards with government-approved cryptography. |
| Transition to Cluster API | Cluster API provides a mature, feature-rich, and versionable approach to handling cluster lifecycle operations. Future-proof your cluster management with Cluster API. |
| Windows AD Integration | Secure authentication for Windows-based workloads using Active Directory. |
| Ability to scale Clusters up from Zero and down to Zero nodes | Save costs with dynamic scaling for seasonal or bursty workloads. |
| Upgrade Guardrails | Prevent misconfigurations and ensure smooth, error-free upgrades. |