Deploying NSX-T v2.4 for Enterprise PKS


To deploy NSX-T for Enterprise Pivotal Container Service (Enterprise PKS), complete the following set of procedures, in the order presented.

Note: The instructions provided in this topic are for NSX-T v2.4. If you are using NSX-T v2.3.1, see Deploying NSX-T v2.3.1 for Enterprise PKS.

Prerequisites

Before you begin this procedure, ensure that you have successfully completed all preceding steps for installing Enterprise PKS on vSphere with NSX-T, including:

NSX-T v2.4 Management Interfaces

This section describes the NSX-T v2.4 management interface options, differences, use cases, and recommendations.

Note: NSX-T v2.4 implements a new Policy API and a new NSX Manager user interface (UI) based on the Policy API. Enterprise PKS does not support the Policy API or Policy-based UI. Enterprise PKS supports the NSX Management API, which is exposed via the “Advanced Networking” tab of the NSX Manager UI. When installing and configuring NSX-T v2.4 for use with Enterprise PKS, use the “Advanced Networking and Security” tab to create any required networking objects.

With NSX-T 2.4 you have two options to interact with NSX Manager:

  1. Simplified UI/API

    • New declarative interface introduced in NSX-T 2.4 that uses the new Declarative API/Data Model (Policy API).
    • The NSX-T Container Plugin (NCP) that is embedded in the Enterprise PKS tile does not support the Policy API at this time.
    • You cannot use the Simplified UI/API to manage NSX-T for use with Enterprise PKS upgrades and new installations.
  2. Advanced UI/API

    • Legacy imperative interface based on the NSX Management API.
    • Provides the NSX-T v2.3 user interface to address Enterprise PKS installation and upgrade use cases. Currently NCP only supports the Management API.
    • The Advanced UI/API will be deprecated over time; all features and use cases will eventually be transferred to the Simplified UI/API.

As shown in the picture below, for all Enterprise PKS workloads, use the Advanced Networking and Security tab to create, read, update, and delete required network objects. For NSX-T host preparation and configuration, such as deploying NSX Managers and Edge Nodes, use the System tab. Do not use the “Simplified UI” for Enterprise PKS objects.

[Figure: NSX-T v2.4 User Interface]

Note: The NSX-T Container Plugin (NCP) that is embedded in the Enterprise PKS tile does not currently support the Policy API. Make sure you use the Advanced Networking and Security tab of the NSX Manager UI when configuring NSX-T for use with Enterprise PKS.

Upgrading to PKS v1.4 and NSX-T v2.4

When you upgrade from NSX-T v2.3 to v2.4, the existing NSX-T v2.3 configuration is copied to NSX-T v2.4 under the Advanced Networking and Security tab. The network objects required by PKS can only be managed from this user interface; this configuration is not shown in the Simplified UI. After the upgrade to NSX-T v2.4, the Simplified UI shows an information banner indicating that the objects are available in the “Advanced Networking” tab.

For instructions on upgrading NSX-T from v2.3 to v2.4 for Enterprise PKS, see Upgrading Enterprise PKS with NSX-T.

Installing PKS v1.4 with NSX-T v2.4

To perform a new installation of NSX-T v2.4 with Enterprise PKS v1.4, see Installing Enterprise PKS 1.4.1 and NSX-T v2.4.1.

Updating the NSX Manager Password for NSX-T v2.4

VMware NSX-T Data Center v2.4 introduces the following password policy enhancements:

  • Enforces a minimum password length of 12 characters for default passwords.
  • Introduces the ability to set password expiration times and generates alarms when a password is about to expire.

The default password expiration interval is 90 days. After this period, the NSX-T administrator password will expire on all NSX-T Manager Nodes and all NSX-T Edge Nodes.

Note: For existing Enterprise PKS deployments, anytime the NSX-T password is changed you must update the BOSH and PKS tiles with the new passwords. See Managing Infrastructure Password Changes for more information.

Update the Password for NSX Manager Nodes

To update the NSX Manager password, perform the following actions on one of the NSX Manager nodes. The changes will be propagated to all NSX Manager nodes.

SSH to one of the NSX Manager nodes

To manage user password expiration, you use the CLI on one of the NSX Manager nodes.

To access an NSX Manager node from a Unix host, use the command ssh USERNAME@IP_ADDRESS_OF_NSX_MANAGER.

For example:

ssh admin@10.196.188.22

On Windows, use Putty and provide the IP address for NSX Manager. Enter the user name and password that you defined during the installation of NSX-T.

Get the password expiration interval

To get the password expiration interval, use the command get user USERNAME password-expiration.

For example:

NSX CLI (Manager, Policy, Controller 2.4.1.0.0.13716579). Press ? for command list or enter: help
nsx-manager> get user admin password-expiration
Password expires 90 days after last change

Update the user password

To update the user password, use the command set user USERNAME password NEW-PASSWORD old-password OLD-PASSWORD.

For example:

set user admin password my-new-pwd old-password my-old-pwd

Set the password expiration interval

To set the password expiration interval, use the command set user USERNAME password-expiration PASSWORD-EXPIRATION.

For example, the following command sets the password expiration interval to 120 days:

set user admin password-expiration 120

Remove the password expiration interval

To remove password expiration, use the command clear user USERNAME password-expiration.

For example:

clear user admin password-expiration

Update the Password for NSX Edge Nodes

To update the NSX Edge Node password, perform the following actions on each NSX Edge Node.

Enable SSH

SSH on the Edge Node is disabled by default. Enable SSH on the Edge Node from its console in vSphere by running the following commands:

start service ssh
set service ssh start-on-boot

SSH to the NSX Edge Node

For example:

ssh admin@10.196.188.25

Get the password expiration interval for the Edge Node

For example:

nsx-edge> get user admin password-expiration
Password expires 90 days after last change

Update the user password for the Edge Node

For example:

nsx-edge> set user admin password my-new-pwd old-password my-old-pwd

Set the password expiration interval

For example, the following command sets the password expiration interval to 120 days:

nsx-edge> set user admin password-expiration 120

Remove the password expiration interval

For example:

nsx-edge> clear user admin password-expiration
nsx-edge> get user admin password-expiration
Password expiration not configured for this user
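
The two responses shown above (an interval in days, or "not configured") are what a review of each node's setting has to tell apart. The following shell script is an added example, not part of the Enterprise PKS or NSX-T documentation: it classifies captured output of get user USERNAME password-expiration against a maximum interval. The function names, the MAX_DAYS ceiling, the node names and the sample captures (including the 120-day capture) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PKS or NSX-T docs): classify captured output of
# `get user USERNAME password-expiration` against a maximum interval.
MAX_DAYS=90   # assumed policy ceiling, equal to the default interval

# classify_expiration OUTPUT MAX_DAYS
# Prints one of: "ok N", "too-long N", "disabled", "unknown".
classify_expiration() {
    output=$1
    max_days=$2
    case $output in
        *"Password expiration not configured for this user"*)
            echo "disabled"; return 0 ;;
    esac
    # Read N from the "Password expires N days ..." line; the CLI banner and
    # the echoed prompt line do not match and are skipped.
    days=$(printf '%s\n' "$output" |
        sed -n 's/^Password expires \([0-9][0-9]*\) days after last change.*/\1/p' |
        head -n 1)
    if [ -z "$days" ]; then
        echo "unknown"
    elif [ "$days" -le "$max_days" ]; then
        echo "ok $days"
    else
        echo "too-long $days"
    fi
}

# audit_node NODE OUTPUT MAX_DAYS: prints a finding, returns 1 unless "ok".
audit_node() {
    verdict=$(classify_expiration "$2" "$3")
    echo "$1: $verdict"
    case $verdict in "ok "*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample captures (node names are hypothetical).
MANAGER_CAPTURE='NSX CLI (Manager, Policy, Controller 2.4.1.0.0.13716579). Press ? for command list or enter: help
nsx-manager> get user admin password-expiration
Password expires 90 days after last change'
EDGE_CAPTURE='nsx-edge> get user admin password-expiration
Password expires 120 days after last change'
CLEARED_CAPTURE='nsx-edge> get user admin password-expiration
Password expiration not configured for this user'

failures=0
audit_node nsx-manager-1 "$MANAGER_CAPTURE" "$MAX_DAYS" || failures=$((failures + 1))
audit_node nsx-edge-1 "$EDGE_CAPTURE" "$MAX_DAYS" || failures=$((failures + 1))
audit_node nsx-edge-2 "$CLEARED_CAPTURE" "$MAX_DAYS" || failures=$((failures + 1))
echo "nodes needing attention: $failures"
```

Because each Edge Node is configured separately, run the check against a capture from every Edge Node, not only one.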
