Over the last seven years, VMware (now part of Broadcom) has been a leading force in Kubernetes innovation, contributing heavily to key open-source projects like etcd, Cluster API, Velero, Contour, Harbor, Antrea, and more.
Today, Broadcom continues this momentum with VMware vSphere Kubernetes Service (VKS) – a powerful, upstream conformant, Certified Kubernetes distribution integrated directly into VMware Cloud Foundation (VCF). Fully included at no extra cost and backed by Broadcom’s enterprise-grade support, VKS makes Kubernetes simpler, faster, and more accessible for enterprises.
With VKS, organizations can now experience Kubernetes on vSphere the way it was always meant to be – simple to deploy, enterprise-ready, and fully integrated. It brings together intuitive self-service and out-of-the-box Kubernetes capabilities to accelerate your journey.
With familiar interfaces (GUI, CLI, API) and integrated automation provided by VCF, your platform and cloud teams can confidently deploy and scale Kubernetes without the steep learning curve.
For a detailed guide on getting started with VKS, check out our previous blog on enabling VKS with vSphere Supervisor. Additionally, explore our latest blog highlighting the exciting updates in the recent GA Release, VKS 3.4, and discover how VKS can significantly elevate your Kubernetes experience.
Now, let’s explore the exciting new capabilities available through VKS Add-ons. VKS Add-ons extend VKS clusters with additional capabilities. They are categorized as Core Packages and Standard Packages, designed to further simplify, secure, and supercharge your Kubernetes deployments.
Core vs Standard Packages in VKS
| Aspect | Core Packages | Standard Packages |
| How are they defined | Foundational components that are pre-installed, lifecycle-managed, and fully runtime-supported by Broadcom as part of the vSphere Kubernetes release (VKr). These packages ensure the essential functionality, security, and infrastructure integration required for a VKS cluster to operate reliably on vSphere. | Curated set of open-source Kubernetes add-ons that are delivered through standard package repositories, and integrated with the VMware vSphere Kubernetes Service to enhance the capabilities of VKS clusters. Users can opt-in to consume as per operational needs |
| Lifecycle Management | Tightly coupled with the Kubernetes version used by the VKS cluster. They are automatically delivered and upgraded as part of the Kubernetes cluster upgrade process, ensuring consistency and compatibility | Follow an independent release cadence and are currently upgraded separately by the user, outside of the Kubernetes upgrade cycle. |
| Support Scope | Full runtime support | Installation & upgrade support (select runtime support like Istio). Refer to the latest SPD here. |
| Deployment Target | Installed by default on VKS Cluster as part of VKr | Optional – Installed on VKS cluster by user/administrator |
| Alignment with VKr | Version-locked and bundled within VKr | Compatible and validated with each VKr |
Core Packages Categorised by Functionality
| Functional Area | Core Packages |
| Authentication & Access | Pinniped: Authentication via external identity providers (OIDC & LDAP) auth-service: Authenticating webhook for validating administrator credentials |
| Storage | vSphere CSI Driver: Container Storage Interface for vSAN and VMFS persistent volume provisioning |
| Networking (CNI) | Antrea or Calico: Default Container Network Interface (CNI) for pod networking and policies; Antrea is required with Istio |
| Cloud Provider Integration | vSphere CPI: Cloud Provider Interface for node metadata and load balancer provisioning |
| DevOps Tooling, Secret & Package Management | kapp-controller: Declarative add-on management via Carvel secretgen-controller: Export/import secrets between namespaces; generate certificates, passwords, and keys; construct secrets from templates |
Why Core Packages Matter – The Foundation of Seamless Kubernetes on VCF
Core packages are not just technical dependencies, they’re foundational building blocks that empower a secure, performant, and production-grade Kubernetes experience within VCF. These packages are pre-installed, pre-enabled and lifecycle-managed by Broadcom, removing operational burden from vSphere admins and platform teams.
With Core Packages:
- Security and Access are seamlessly handled through integrated authentication and identity services (e.g., auth-service, Pinniped), ensuring every cluster is compliant from Day 1.
- Infrastructure Integration just works – storage, networking, and node provisioning are fully wired into vSphere via well-tested integrations like CSI, CPI, and CNI, without needing manual alignment or additional drivers.
- Operational simplicity is built-in with packages like kapp and secretgen-controller, which enable reliable add-on extensibility and secure distribution of secrets across namespaces
Unlike alternative platforms – where admins must configure and maintain integrations between Kubernetes and vSphere – VCF and VKS eliminate this complexity. Broadcom directly manages compatibility across these core components, ensuring smooth operations and reduced risk of upgrade failures. This unified approach means fewer support calls, more time for innovation, and confidence that your Kubernetes environment is always aligned and production-ready.
In short, Core Packages aren’t optional – they’re what make VKS clusters “just work” inside VCF, from secure provisioning to scalable day-2 operations.
Core Packages: Aligned, Version-Locked, and Reliably Scheduled with VKr
Since core packages are bundled directly with VKr, they are version-locked to the VKr release stream and follow its structured lifecycle. While VKr minor versions typically ship every four months, patch releases are driven by internal service-level objectives. Broadcom also maintains the flexibility to expedite delivery of critical or high-severity fixes, including CVEs, often within days of upstream disclosure, ensuring enterprise-grade responsiveness. Refer to VMware Security Advisories.
Standard Packages categorised by Functionality
| Functional Area | Standard Packages |
| Networking | Contour: Envoy-based ingress controller for HTTP/HTTPS traffic routing Istio: (from v2025.6.17) : Service-to-service communication with mTLS, load balancing, traffic management and observability, and pluggable policy ExternalDNS: Automatically managed DNS records for services and ingresses |
| Security & Identity | Cert-Manager: TLS certificate provisioning and renewal Windows gMSA: Enable Windows pods to use Active Directory service accounts |
| Observability | Fluent Bit: Lightweight processing and forwarding for container logs Telegraf: Plugin-driven agent for shipping metrics Prometheus & Alertmanager : Time-series monitoring database with alerting system |
| DevOps Tooling | Harbor: Container registry with vulnerability scanning (Trivy) and signing (co-sign) |
| Scaling & Resilience | Cluster Autoscaler: Automatically scale Kubernetes node pools based on pod resource demands Velero: (from v2025.6.17 onwards): Backup and recovery for cluster resources and persistent volumes |
Why Standard Packages Matter – Unlocking Enterprise-Grade Kubernetes Add-ons
Standard packages extend the power of VKS beyond the essentials, delivering curated, enterprise-ready capabilities for observability, security, ingress, policy management, and more. These packages are rigorously validated and lifecycle-managed by Broadcom to integrate seamlessly into your VCF environment.
With Standard Packages:
- Consistent Experience across environments is guaranteed. Every package is pre-tested and version-aligned with your vSphere-based Kubernetes clusters – no guesswork or compatibility headaches.
- Lifecycle Support comes built-in. Unlike DIY open-source deployments where support falls on internal teams, these packages are backed by Broadcom with installation and upgrade support, giving customers peace of mind. Refer to Support guidelines here.
- Day-2 Operations Are First-Class – upgrades, monitoring, and compliance workflows are natively supported, reducing operational overhead and risk during lifecycle transitions.
- Frictionless Consumption is enabled via Broadcom-curated repositories, with packages easily deployed and managed through Carvel tooling and VCF-integrated UI/CLI interfaces.
Critically, while other platforms often require customers to manually source, configure, and maintain open-source add-ons (which may not be version-aligned or tested for their specific Kubernetes version), VKS removes that burden entirely. You get a reliable, validated path to adopt critical Kubernetes ecosystem capabilities – without the complexity or support gaps.
In essence, Standard Packages represent the next layer of enterprise value in VKS, thoughtfully selected and tightly integrated to accelerate your Kubernetes journey with confidence.
Understanding Standard Package Releases: Predictable Cadence and Flexible Delivery
Each Standard Package release adheres to a clear versioning convention of vYYYY.M.DD. For example, the January release (2025.1.7) marked the first official launch of Standard Packages, complete with detailed release notes. You can access our latest Standard Package release notes, currently version 2025.6.17 at the time of this blog publication here.
Standard Packages are curated collections of open-source Kubernetes add-ons which can be deployed based on user-specific operational needs. Due to their user-managed nature, these packages can be published independently, without strict dependencies on the release cadence of other components. However, Broadcom typically synchronizes Standard Package release announcements and documentation updates with the VKr minor release cycle to maintain consistency.
To summarize our Standard Package release cadence clearly:
- Minor Releases: New Standard Package minor releases align with VKr’s minor release every four months, corresponding with the upstream Kubernetes release schedule.
- Patch Releases: Patches are released as and when necessary, in alignment with VKr’s patch release schedule
- Critical Updates: Broadcom retains the capability to swiftly deliver critical or catastrophic fixes, including CVE patches, as outlined in the VMware Security Advisories.
Standard Package Upgrades: Ensuring Smooth, Community-Aligned, and Extended Support Releases
When upgrading individual Standard Packages, Broadcom adheres to the following criteria to ensure consistency and reliability:
- Version Compatibility: Each minor release must support seamless upgrades from the immediately preceding version.
- Community Alignment: Upgrades follow the recommended upgrade paths established by the open-source community for each package.
- Patch Selection: Broadcom carefully selects the most appropriate patch from the latest minor version, balancing customer value, compatibility, and stability—while aligning release timing with VKr’s broader delivery cadence
- Extended Support (ES): Broadcom prioritizes adopting ES versions of packages over non-ES releases, unless specific business requirements or customer needs dictate otherwise.
Enhanced Compatibility Insights: Broadcom Expands Standard Package Repo Version and VKr Compatibility Tracking
With support for async VKS and Supervisor releases, Broadcom enables customers to decouple upgrades and track compatibility across VKS and vCenter versions with full transparency.
With this shift, Broadcom now offers clear compatibility mapping between Standard Package Repositories and VKR versions as well — empowering customers to upgrade packages and Kubernetes components without being gated by vCenter release cycles.
Existing customers can now leverage Broadcom’s interoperability tool to easily verify end-to-end compatibility across their entire deployment stack, from vSphere and Supervisor Cluster, to VKS, VKr, and now the Standard Package release.
Standard Packages : Releases in the Last 6 Months
Here’s a concise inter-op view of all the Standard Package Releases that have reached General Availability since January 2025, along with their compatible VKr versions. For a deeper dive into the expanded compatibility matrix, including details beyond VKr versions, please consult the respective VKr, VKS, and VCF release notes. You can also explore package-level compatibility in greater detail using the Broadcom InterOp tool here
From Tanzu to VKS Re-branding: A New Era for Kubernetes on vSphere
As part of our commitment to simplifying the VCF portfolio, we’ve rebranded our embedded Kubernetes offering. What was formerly known as Tanzu Kubernetes Grid Service (TKGs) is now unified under a single, intuitive name: vSphere Kubernetes Service (VKS).
This rebrand isn’t just about naming, it’s about clarity, consistency, and helping you get the most out of your Kubernetes investment with VCF.
What’s Changing, and Why It Matters
In October 2024, the TanzuKubernetesCluster (TKC) API was deprecated with the release of TKG Service 3.2.0. Following that, a broader naming alignment took place in early 2025:
- Tanzu Kubernetes Grid Service → vSphere Kubernetes Service (VKS)
- Tanzu Kubernetes release (TKr) → vSphere Kubernetes release (VKr)
These changes were officially announced in the VKS 3.3 GA release on March 4, 2025, and signal a full transition to a VKS-centric experience moving forward.
Note(s)
- The deprecated TKC API cannot be used to create clusters with Kubernetes version v1.33 or later.
- To upgrade an existing cluster to v1.33 or later, you must first migrate away from the TKC API for that cluster.
- Creating clusters using v1.32 or earlier with the TKC API remains supported.
- If you’re using an earlier version of VCF, you may still see references to “Tanzu” or “TKG” in the UI or CLI. These will transition to “VKS” and “VCF” terminology as you upgrade to the latest versions.
Standard Packages: Now Fully Aligned
Starting with Standard package release v2025.6.17, all standard packages, previously under the “Tanzu” naming convention, have been fully rebranded under the VKS namespace. This update makes it easier to identify which components are responsible for critical functions like in-cluster networking, storage integration, and observability.
New Package Naming Convention:
<package-name>.kubernetes.vmware.com
Example:
- istio.kubernetes.vmware.com → 1.25.3+vmware.1-vks.1
- velero.kubernetes.vmware.com → 1.16.1+vmware.1-vks.1
Upgrade Guidance
When upgrading from an older, pre-rebrand package, be sure to reference the new package name and version:
vcf package installed update <package-installed-name> -p <new-package-name> –version <new-package-version>
Keep Your CLI in Sync
To ensure compatibility with the latest packages and VKS versions:
- If you’re running VKS 3.4.0+, the VCF CLI auto-syncs the package plugin based on your VKS version.
- If you’re using VKS 3.3.x or earlier, you’ll need to manually update the plugin:
vcf cli plugin install package –version <expected_version>
These changes bring better alignment across the VKS experience, from APIs and releases to package management and plugin behavior. Whether you’re deploying a new cluster or maintaining existing workloads, VKS now offers a more intuitive and future-ready foundation for your cloud-native operations on vSphere.
Stay tuned as we continue to streamline and evolve the VKS ecosystem to meet the needs of modern Kubernetes platforms and watch out for our next Blog to know more on Latest Additions, Upgrades, Enhancements in VKS add-on space.
