VMware VKS
AI-powered VMware vSphere with Tanzu (VKS) management — 20 MCP tools.
Requires vSphere 8.x+ with Workload Management enabled.
Companion skills: vmware-aiops (VM lifecycle), vmware-monitor (monitoring), vmware-storage (storage), vmware-nsx (NSX networking), vmware-nsx-security (DFW/firewall), vmware-aria (metrics/alerts/capacity), vmware-avi (AVI/ALB/AKO), vmware-pilot (workflow orchestration), vmware-policy (audit/policy).
What This Skill Does
| Category | Capabilities | Count |
|---|---|---|
| Supervisor | Compatibility check, status, storage policies | 3 |
| Namespace | List, get, create with quotas, update, delete with TKC guard, VM classes | 6 |
| TKC Clusters | List, get, versions, create, scale, upgrade, delete with workload guard | 7 |
| Access | Supervisor kubeconfig, TKC kubeconfig, Harbor registry, storage usage | 4 |
Quick Install
```bash
uv tool install vmware-vks
vmware-vks doctor
```
When to Use This Skill
- Check if vSphere environment supports VKS/Tanzu
- Create, update, or delete Supervisor Namespaces with resource quotas
- Deploy, scale, upgrade, or delete TKC (TanzuKubernetesCluster) clusters
- Get kubeconfig for Supervisor or TKC clusters
- Check Harbor registry info or storage usage
Use companion skills for:
- VM lifecycle, deployment → vmware-aiops
- Inventory, health, alarms → vmware-monitor
- iSCSI, vSAN, datastore → vmware-storage
- Load balancing, AVI/ALB, AKO, Ingress → vmware-avi
Related Skills — Skill Routing
| User Intent | Recommended Skill |
|---|---|
| Read-only monitoring | vmware-monitor |
| Storage: iSCSI, vSAN | vmware-storage |
| VM lifecycle, deployment | vmware-aiops |
| Tanzu Kubernetes (vSphere 8.x+) | vmware-vks ← this skill |
| NSX networking: segments, gateways, NAT | vmware-nsx |
| NSX security: DFW rules, security groups | vmware-nsx-security |
| Aria Ops: metrics, alerts, capacity planning | vmware-aria |
| Multi-step workflows with approval | vmware-pilot |
| Load balancer, AVI, ALB, AKO, Ingress | vmware-avi (uv tool install vmware-avi) |
| Audit log query | vmware-policy (vmware-audit CLI) |
Common Workflows
Deploy a New TKC Cluster
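1. Check compatibility → vmware-vks supervisor check --target prod
2. List available K8s versions → vmware-vks tkc versions -n dev
3. Create namespace (if needed) → vmware-vks namespace create dev --cluster domain-c1 --storage-policy vSAN --cpu 16000 --memory 32768 --apply
4. Create TKC cluster → vmware-vks tkc create dev-cluster -n dev --version v1.28.4+vmware.1 --control-plane 1 --workers 3 --vm-class best-effort-large --apply
5. Get kubeconfig → vmware-vks kubeconfig get dev-cluster -n dev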
Scale Workers for Load Testing
1. Check current state → vmware-vks tkc get dev-cluster -n dev
2. Scale up → vmware-vks tkc scale dev-cluster -n dev --workers 6
3. Monitor progress → vmware-vks tkc get dev-cluster -n dev (watch phase)
4. Scale back down after test
Namespace Resource Management
1. List namespaces → vmware-vks namespace list
2. Check usage → vmware-vks storage -n dev
3. Update quota → vmware-vks namespace update dev --cpu 32000 --memory 65536
Architecture
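```
User (natural language)
  ↓
AI agent (Claude Code / Goose / Cursor)
  ↓ reads SKILL.md
  ↓
vmware-vks CLI ─── or ─── vmware-vks MCP server (stdio)
  │
  ├─ Layer 1: pyVmomi → vCenter REST API
  │    Supervisor status, storage policies, namespace CRUD, VM classes, Harbor
  │
  └─ Layer 2: kubernetes client → Supervisor K8s API endpoint
       TKC CR apply/get/delete (cluster.x-k8s.io/v1beta1)
       Kubeconfig built from the Layer 1 session token
  ↓
vCenter Server 8.x+ (Workload Management enabled)
  ↓
Supervisor Cluster → vSphere Namespace → TanzuKubernetesCluster
```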
Usage Mode
| Scenario | Recommended | Why |
|---|---|---|
| Local/small models (Ollama, Qwen) | CLI | ~2K tokens vs ~8K for MCP |
| Cloud models (Claude, GPT-4o) | Either | MCP gives structured JSON I/O |
| Automated pipelines | MCP | Type-safe parameters, structured output |
MCP Tools (20 — 12 read, 8 write)
All tools accept an optional target parameter to specify a named vCenter.
| Category | Tool | Type |
|---|---|---|
| Supervisor | check_vks_compatibility | Read |
| | get_supervisor_status | Read |
| | list_supervisor_storage_policies | Read |
| Namespace | list_namespaces | Read |
| | get_namespace | Read |
| | create_namespace | Write |
| | update_namespace | Write |
| | delete_namespace | Write |
| | list_vm_classes | Read |
| TKC | list_tkc_clusters | Read |
| | get_tkc_cluster | Read |
| | get_tkc_available_versions | Read |
| | create_tkc_cluster | Write |
| | scale_tkc_cluster | Write |
| | upgrade_tkc_cluster | Write |
| | delete_tkc_cluster | Write |
| Access | get_supervisor_kubeconfig | Read |
| | get_tkc_kubeconfig | Read |
| | get_harbor_info | Read |
| | list_namespace_storage_usage | Read |
create_namespace / create_tkc_cluster — defaults to dry_run=True, returns a YAML plan for review. Pass dry_run=False to apply.
delete_namespace — requires confirmed=True and rejects if TKC clusters still exist (prevents orphaned clusters).
delete_tkc_cluster — requires confirmed=True and checks for running workloads. Rejects if found unless force=True.
Full capability details and safety features: see references/capabilities.md
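The guard semantics described above for create_namespace / create_tkc_cluster, delete_namespace and delete_tkc_cluster, modeled as an added example; this is not the vmware-vks source. The inventory data, the `namespace` and `name` argument keys, the order of the checks and the deny-unknown fallback are assumptions of this sketch.

```python
from typing import NamedTuple

class Decision(NamedTuple):
    allowed: bool
    reason: str

# Constructed inventory: namespace -> {TKC cluster name: running workload count}
INVENTORY = {"dev": {"dev-cluster": 4}, "scratch": {}}

def evaluate(tool: str, args: dict, inventory: dict = INVENTORY) -> Decision:
    """Decide whether a write-tool call may change anything.

    dry_run, confirmed and force are the flags the page documents; the
    "namespace" and "name" argument keys are hypothetical.
    """
    clusters = inventory.get(args.get("namespace"), {})

    if tool in ("create_namespace", "create_tkc_cluster"):
        # Plan-only unless the caller passes the literal False.
        if args.get("dry_run", True) is not False:
            return Decision(False, "dry run: plan returned, nothing applied")
        return Decision(True, "apply")

    if tool == "delete_namespace":
        if args.get("confirmed") is not True:
            return Decision(False, "confirmed=True required")
        if clusters:  # no force override here: clusters would be orphaned
            names = ", ".join(sorted(clusters))
            return Decision(False, "TKC clusters still exist: " + names)
        return Decision(True, "delete")

    if tool == "delete_tkc_cluster":
        # Assumed: force overrides the workload check, never the confirmation.
        if args.get("confirmed") is not True:
            return Decision(False, "confirmed=True required")
        running = clusters.get(args.get("name"), 0)
        if running and args.get("force") is not True:
            return Decision(False, f"{running} running workloads; force=True required")
        return Decision(True, "delete")

    # Assumption of this sketch: an unrecognised tool name is denied.
    return Decision(False, "unknown tool: denied")
```

A truthy string such as "yes" does not satisfy `confirmed`, so an agent that stringifies its arguments fails closed.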
CLI Quick Reference
CODEBLOCK2
Full CLI reference with all flags and interactive creation: see INLINECODE48
Troubleshooting
"VKS not compatible" error
Workload Management must be enabled in vCenter. Check: vCenter UI → Workload Management. Requires vSphere 8.x+ with Enterprise Plus or VCF license.
Namespace creation fails with "storage policy not found"
List available policies first: vmware-vks supervisor storage-policies. Policy names are case-sensitive.
TKC cluster stuck in "Creating" phase
Check Supervisor events in vCenter. Common causes: insufficient resources on ESXi hosts, network issues with NSX-T, or storage policy not available on target datastore.
Kubeconfig retrieval fails
Supervisor API endpoint must be reachable from the machine running vmware-vks. Check firewall rules for port 6443.
Scale operation has no effect
Verify the cluster is in "Running" phase before scaling. Clusters in "Creating" or "Updating" phase reject scale operations.
Delete namespace rejected unexpectedly
The namespace delete guard prevents deletion when TKC clusters exist inside. Delete all TKC clusters in the namespace first, then retry.
Prerequisites
- vSphere 8.x+ with Workload Management enabled
- Enterprise Plus or VCF license
- NSX-T (recommended) or VDS + HAProxy networking
- Supervisor Cluster configured and running
Setup
CODEBLOCK3
All tools are automatically audited via vmware-policy. Audit logs: INLINECODE50
Full setup guide, security details, and AI platform compatibility: see INLINECODE51
Audit & Safety
All operations are automatically audited via vmware-policy (@vmware_tool decorator):
- Every tool call logged to ~/.vmware/audit.db (SQLite, framework-agnostic)
- Policy rules enforced via ~/.vmware/rules.yaml (deny rules, maintenance windows, risk levels)
- Risk classification: each tool tagged as low/medium/high/critical
- View recent operations: INLINECODE55
- View denied operations: INLINECODE56
vmware-policy is automatically installed as a dependency — no manual setup needed.
License
MIT — github.com/zw008/VMware-VKS
VMware VKS
AI-powered VMware vSphere with Tanzu (VKS) management — 20 MCP tools.
Requires vSphere 8.x+ with Workload Management enabled.
Companion skills: vmware-aiops (VM lifecycle), vmware-monitor (monitoring), vmware-storage (storage), vmware-nsx (NSX networking), vmware-nsx-security (DFW/firewall), vmware-aria (metrics/alerts/capacity), vmware-avi (AVI/ALB/AKO), vmware-pilot (workflow orchestration), vmware-policy (audit/policy).
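What This Skill Does
| Category | Capabilities | Count |
|---|---|---|
| Supervisor | Compatibility check, status, storage policies | 3 |
| Namespace | List, get, create (with quotas), update, delete (with TKC guard), VM classes | 6 |
| TKC Clusters | List, get, versions, create, scale, upgrade, delete (with workload guard) | 7 |
| Access | Supervisor kubeconfig, TKC kubeconfig, Harbor registry, storage usage | 4 |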
Quick Install
```bash
uv tool install vmware-vks
vmware-vks doctor
```
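When to Use This Skill
- Check whether the vSphere environment supports VKS/Tanzu
- Create, update, or delete Supervisor Namespaces with resource quotas
- Deploy, scale, upgrade, or delete TKC (TanzuKubernetesCluster) clusters
- Get the kubeconfig for Supervisor or TKC clusters
- Check Harbor registry info or storage usage
Use companion skills for:
- VM lifecycle, deployment → vmware-aiops
- Inventory, health, alarms → vmware-monitor
- iSCSI, vSAN, datastore → vmware-storage
- Load balancing, AVI/ALB, AKO, Ingress → vmware-avi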
Related Skills — Skill Routing
| User Intent | Recommended Skill |
|---|---|
| Read-only monitoring | vmware-monitor |
| Storage: iSCSI, vSAN | vmware-storage |
| VM lifecycle, deployment | vmware-aiops |
| Tanzu Kubernetes (vSphere 8.x+) | vmware-vks ← this skill |
| NSX networking: segments, gateways, NAT | vmware-nsx |
| NSX security: DFW rules, security groups | vmware-nsx-security |
| Aria Ops: metrics, alerts, capacity planning | vmware-aria |
| Multi-step workflows (with approval) | vmware-pilot |
| Load balancer, AVI, ALB, AKO, Ingress | vmware-avi (uv tool install vmware-avi) |
| Audit log query | vmware-policy (vmware-audit CLI) |
Common Workflows
Deploy a New TKC Cluster
1. Check compatibility → vmware-vks supervisor check --target prod
2. List available K8s versions → vmware-vks tkc versions -n dev
3. Create namespace (if needed) → vmware-vks namespace create dev --cluster domain-c1 --storage-policy vSAN --cpu 16000 --memory 32768 --apply
4. Create TKC cluster → vmware-vks tkc create dev-cluster -n dev --version v1.28.4+vmware.1 --control-plane 1 --workers 3 --vm-class best-effort-large --apply
5. Get kubeconfig → vmware-vks kubeconfig get dev-cluster -n dev
Scale Worker Nodes for Load Testing
1. Check current state → vmware-vks tkc get dev-cluster -n dev
2. Scale up → vmware-vks tkc scale dev-cluster -n dev --workers 6
3. Monitor progress → vmware-vks tkc get dev-cluster -n dev (watch the phase change)
4. Scale back down after the test
Namespace Resource Management
1. List namespaces → vmware-vks namespace list
2. Check usage → vmware-vks storage -n dev
3. Update quota → vmware-vks namespace update dev --cpu 32000 --memory 65536
Architecture
```
User (natural language)
  ↓
AI agent (Claude Code / Goose / Cursor)
  ↓ reads SKILL.md
  ↓
vmware-vks CLI ─── or ─── vmware-vks MCP server (stdio)
  │
  ├─ Layer 1: pyVmomi → vCenter REST API
  │    Supervisor status, storage policies, namespace CRUD, VM classes, Harbor
  │
  └─ Layer 2: kubernetes client → Supervisor K8s API endpoint
       TKC CR apply/get/delete (cluster.x-k8s.io/v1beta1)
       Kubeconfig built from the Layer 1 session token
  ↓
vCenter Server 8.x+ (Workload Management enabled)
  ↓
Supervisor Cluster → vSphere Namespace → TanzuKubernetesCluster
```
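Usage Mode
| Scenario | Recommended | Why |
|---|---|---|
| Local/small models (Ollama, Qwen) | CLI | ~2K tokens vs ~8K for MCP |
| Cloud models (Claude, GPT-4o) | Either | MCP gives structured JSON input/output |
| Automated pipelines | MCP | Type-safe parameters, structured output |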
MCP Tools (20 — 12 read, 8 write)
All tools accept an optional target parameter to specify a named vCenter.
| Category | Tool | Type |
|---|---|---|
| Supervisor | check_vks_compatibility | Read |
| | get_supervisor_status | Read |
| | list_supervisor_storage_policies | Read |
| Namespace | list_namespaces | Read |
| | get_namespace | Read |
| | create_namespace | Write |
| | update_namespace | Write |
| | delete_namespace | Write |
| | list_vm_classes | Read |
| TKC | list_tkc_clusters | Read |
| | get_tkc_cluster | Read |
| | get_tkc_available_versions | Read |
| | create_tkc_cluster | Write |
| | scale_tkc_cluster | Write |
| | upgrade_tkc_cluster | Write |
| | delete_tkc_cluster | Write |
| Access | get_supervisor_kubeconfig | Read |
| | get_tkc_kubeconfig | Read |
| | get_harbor_info | Read |
| | list_namespace_storage_usage | Read |
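create_namespace / create_tkc_cluster — defaults to dry_run=True, returns a YAML plan for review. Pass dry_run=False to apply.
delete_namespace — requires confirmed=True and rejects if TKC clusters still exist (prevents orphaned clusters).
delete_tkc_cluster — requires confirmed=True and checks for running workloads. Rejects if any are found unless force=True is passed.
Full capability details and safety features: see references/capabilities.md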
CLI Quick Reference
```bash
# Supervisor
vmware-vks check [--target ]
vmware-vks supervisor status [--target ]
vmware-vks supervisor storage-policies [--target ]
# Namespace
vmware-vks namespace list [--target ]
vmware-vks namespace get [--target ]
vmware-vks namespace create --cluster [--
```