VMware Deployed Cluster Logical Diagram
Purpose: For platform engineers, shows the logical layout of a fully deployed openCenter Kubernetes cluster on VMware vSphere — namespaces, service placement, and inter-component communication.
Simplified Overview
Namespace Layout
| Namespace | Services | Purpose |
|---|---|---|
| flux-system | Source, Kustomize, Helm, Notification controllers | GitOps reconciliation engine |
| olm | Operator Lifecycle Manager, OLM Catalog | Installs and manages operators (Kafka, Keycloak, etc.) |
| cert-manager | cert-manager, ClusterIssuers | Automated TLS certificate lifecycle |
| kyverno | Kyverno engine, admission webhook | Policy enforcement (17 baseline policies) |
| keycloak | Keycloak, PostgreSQL | Identity and access management via OIDC |
| rbac-manager | RBAC Manager | Declarative RBAC from Keycloak group claims |
| metallb-system | MetalLB speakers, controller | Bare-metal load balancer (L2/BGP) |
| kube-system | kube-vip | Virtual IP for control-plane HA (stable API server endpoint) |
| gateway-system | Gateway API controller, HTTPRoutes | L7 traffic routing |
| observability | Prometheus, Grafana, Alertmanager, Loki, Promtail, Tempo, OTel Collector, Kafka | Metrics, logs, traces, event streaming, and alerting |
| vmware-system-csi | vSphere CSI driver, syncer | VMDK-backed persistent volume provisioning |
| harbor | Harbor Core, Registry, Trivy | Private container registry with vulnerability scanning |
| headlamp | Headlamp UI, branding plugin | Kubernetes web dashboard with OIDC authentication |
| velero | Velero server | Cluster backup and disaster recovery |
| customer-apps | Customer deployments | Application workloads routed via Gateway API |
Data Flow Summary
- Ingress path: External traffic → MetalLB → Gateway API → HTTPRoute → Application Service → Pod
- Control-plane HA path: kube-vip elects leader on control-plane nodes → advertises virtual IP → all clients/nodes reach Kubernetes API via stable VIP
- GitOps path: Git push → FluxCD Source Controller → Kustomize/Helm Controller → Kubernetes API → Resources deployed
- Secrets path: SOPS-encrypted YAML in Git → FluxCD decrypts with Age key → Kubernetes Secret created
- Observability path: Pods emit metrics/logs/traces → OpenTelemetry Collector → Kafka → Prometheus + Loki + Tempo → Grafana dashboards
- Policy path: Resource admission → Kyverno webhook → validate against 17 ClusterPolicies → admit or reject
- Auth path: User login → Keycloak OIDC → JWT with group claims → RBAC Manager → RoleBindings → API Server authorization
- Headlamp path: Operator browser → MetalLB → Gateway API → Headlamp UI → Keycloak OIDC login → Kubernetes API (scoped by RBAC)
- OLM path: FluxCD deploys OLM → OLM installs operators from catalog → operators provision Prometheus, Keycloak, and other stateful services
- Storage path: PVC created → vSphere CSI driver → vCenter API → VMDK provisioned on datastore → volume attached to VM
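The secrets path above (SOPS-encrypted YAML in Git, decrypted by FluxCD with an Age key) is wired up on the Flux side by a Kustomization that names the decryption provider and the Secret holding the Age private key. The following is an added illustration, not a manifest from the openCenter project; the names `apps`, `./clusters/example`, `flux-system` (as the GitRepository name) and `sops-age` are assumed, and the Secret is expected to carry the key under `age.agekey`, which is what Flux's SOPS integration reads.

```yaml
# Added example: a Flux Kustomization that reconciles a path from Git and
# decrypts SOPS-encrypted resources with an Age key before applying them.
# Resource names below are assumptions, not values from the original page.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps                      # assumed name
  namespace: flux-system          # Flux controllers live here (see namespace table)
spec:
  interval: 10m
  path: ./clusters/example        # assumed path inside the Git repository
  prune: true                     # remove resources that disappear from Git
  sourceRef:
    kind: GitRepository
    name: flux-system             # assumed GitRepository name
  decryption:
    provider: sops                # Flux decrypts SOPS-encrypted manifests in-cluster
    secretRef:
      name: sops-age              # Secret with key "age.agekey" holding the Age private key
---
# The Age private key only ever exists in the cluster as this Secret; the
# Git repository holds only ciphertext. The key value is a placeholder.
apiVersion: v1
kind: Secret
metadata:
  name: sops-age                  # must match spec.decryption.secretRef.name above
  namespace: flux-system
type: Opaque
stringData:
  age.agekey: "AGE-SECRET-KEY-PLACEHOLDER-DO-NOT-COMMIT"
```

The Age private key Secret is created out-of-band (for example with `kubectl create secret generic sops-age --namespace flux-system --from-file=age.agekey=...`) rather than committed to Git; only the public recipient goes into the repository's `.sops.yaml`. Because decryption happens inside the kustomize-controller, the plaintext Secret objects never appear in the repository or in the Source Controller's artifact.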
VMware-Specific Differences
| Concern | Generic Cluster | VMware Cluster |
|---|---|---|
| Storage backend | Longhorn (distributed block storage) | vSphere CSI (VMDK on vSphere datastores) |
| Storage namespace | longhorn-system | vmware-system-csi |
| Volume provisioner | driver.longhorn.io | csi.vsphere.vmware.com |
| External dependency | None (self-contained) | vCenter Server API access required |
| Drift detection | N/A | Compares declared nodes against vCenter VM inventory |
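The table above names `csi.vsphere.vmware.com` as the VMware cluster's volume provisioner. As an added example (not a manifest from the openCenter project), here is a StorageClass using that provisioner together with a PersistentVolumeClaim that exercises the storage path described earlier; the StorageClass name, the storage policy name and the claim details are assumptions.

```yaml
# Added example: StorageClass backed by the vSphere CSI driver, plus a PVC
# that triggers the "PVC -> vSphere CSI -> vCenter API -> VMDK" path.
# Names and the storage policy below are assumptions, not values from the page.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: vsphere-datastore         # assumed name
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: csi.vsphere.vmware.com   # provisioner named in the table above
parameters:
  # vSphere SPBM policy that selects the datastore(s) for new VMDKs; assumed name.
  storagepolicyname: "example-gold-policy"
  csi.storage.k8s.io/fstype: ext4
reclaimPolicy: Delete             # VMDK is removed when the PVC is deleted
allowVolumeExpansion: true
# Delay VMDK creation until a Pod is scheduled so the volume is placed
# where the consuming VM actually runs.
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: example-data              # assumed name
  namespace: customer-apps        # application namespace from the table above
spec:
  accessModes:
    - ReadWriteOnce               # a VMDK attaches to a single VM at a time
  storageClassName: vsphere-datastore
  resources:
    requests:
      storage: 20Gi
```

With `WaitForFirstConsumer`, the claim stays `Pending` until a Pod references it; at that point the CSI controller calls the vCenter API to create the VMDK and attaches it to the node VM. Because the provisioning depends on vCenter, the credentials the CSI driver uses (stored as a Secret in `vmware-system-csi`) should be scoped to the datastore and VM folder the cluster needs and nothing more.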
Related
- Logical Diagram — generic cluster architecture
- VMware Setup — step-by-step provider configuration
- vSphere CSI — StorageClass and volume provisioning
- Drift Detection — infrastructure drift monitoring