3V0-24.25 Advanced VMware Cloud Foundation 9.0 vSphere Kubernetes Service Question and Answers

VCF 9.0 distinguishes betweenbacking up the Supervisor control planeandbacking up workloadsthat run on the Supervisor, includingvSphere Pods. In the “Considerations for Backing Up and Restoring Workload Management” table, the scenario “Backup and restore vSphere Pods” explicitly lists the required tool as“Velero Plugin for vSphere”, with the guidance to “Install and configure the plug-in on the Supervisor.”

The same document is explicit thatstandalone Velero with Restic is not valid for vSphere Pods, stating: “You cannot use Velero standalone with Restic to backup and restore vSphere Pods. You must use the Velero Plugin for vSphere installed on the Supervisor.”

vCenter file-based backup is documented for restoring theSupervisor control plane state, not for backing up and restoring vSphere Pod workloads themselves. Therefore, to meet the requirement to protect third-party applications running asvSphere Pods, the architect should propose theVelero Plugin for vSphere.

In VCF 9.0, VKS cluster provisioning and lifecycle management is built around Kubernetes-native, declarative APIs. The VMware documentation describes thatCluster API provides declarative, Kubernetes-style APIs for cluster creation, configuration, and management, and that its inputs include the cluster definition plus the resources describing the virtual machines and “cluster add-ons.” This is why Cluster API is the component associated withprovisioning(creating and managing) workload clusters in the VKS model.

By contrast,cert-manageris typically used to automate certificate issuance/renewal for in-cluster components, andCarvelis a set of tools often used to package, configure, and install Kubernetes software, but neither is the core provisioning controller for creating the clusters themselves. The VCF documentation is explicit that Cluster API is the API layer responsible for cluster creation/configuration/management, making it the correct answer for provisioning VKS workload clusters (including those intended to run service mesh capabilities).

Kubernetes Service

When adding a Kubernetes cluster to anexisting vSphere Namespace, the workflow is initiated from within that namespace’s context in the vSphere Client. The administrator first opens the target namespace (as shown in the left navigation where the namespace is selected), then uses theKubernetes Servicearea to create and manage Kubernetes clusters associated with that namespace. In the namespaceSummaryview, theKubernetes Servicetile/card provides the entry point for cluster lifecycle actions, typically via an action link such asManage(and from thereCreate Cluster). This is because the Kubernetes cluster is anamespace-scoped resourcein the Supervisor environment: it inherits namespace-level policies and configuration such as permissions/RBAC, resource limits, storage policies, and networking selections that have already been defined for that namespace. Navigating to other areas likeStorageorNetworkis used to validate or adjust prerequisites (for example, storage policy availability or network settings), but the actual “create cluster” operation is launched fromKubernetes Servicewithin the namespace to ensure the cluster is created under the correct tenant boundary and governance model.

In Kubernetes, the component that actuallycreates and runs workloads on a nodeis thekubelet. The kubelet is the node agent that ensures the containers described by PodSpecs are running on that node. VCF 9.0 maps this concept directly into vSphere Supervisor by describingSphereletas “a kubelet that is ported natively to ESXi and allows the ESXi host to become part of the Kubernetes cluster,” showing that kubelet functionality is responsible for running workloads on worker nodes (ESXi hosts in the Supervisor case).

The other options have different roles:etcdis the control plane data store,API Serveris the front-end for Kubernetes API operations, and theSchedulerdecides placement (which node should run a pod). VCF 9.0 even calls out that “the Kubernetes scheduler… cannot place pods intelligently” without visibility into vCenter inventory—reinforcing that scheduling is about placement decisions, not the act of creating/running the workload on the node.

So, while the scheduler selects where a pod should run, thekubeletis the component responsible for actually instantiating and maintaining the workload on the target node.

A Global Namespace in a service-mesh-driven, multi-cluster design is fundamentally anorganizational and policy boundarythat lets platform teams treat multiple Kubernetes namespaces—across multiple clusters/regions—as one logical application domain. That is whyBis correct: it defines an application boundary spanning clusters, which is exactly what “GovApp” needs when its tiers are distributed across regions but must still behave as one application. It also explains whyAis correct: the value of a Global Namespace is that you can applyconsistent identity, security, and traffic policiesacross all member namespaces and clusters, rather than configuring them separately per cluster. This supports uniform mTLS/authorization posture, consistent service-to-service access rules, and standardized routing behaviors regardless of where a service instance runs.

The other options describe outcomes that may be enabled by additional service-mesh features, but they are not the corerequirementsthat define a Global Namespace: distributed ingress/egress is not guaranteed simply by the namespace construct, automatic workload placement is typically handled by schedulers/placement engines rather than the namespace boundary, and centralized logging is an observability capability outside the namespace requirement itself.

In Kubernetes terms,non-persistentpod data (for example, transient logs and scratch space) is handled byephemeral storage, meaning the data exists only for the lifetime of the pod/workload and is not meant to survive beyond it. In the VCF Workload Management documentation, this concept is described directly: a pod requiresephemeral storageto store transient Kubernetes objects such as “logs” and “emptyDir volumes,” and this ephemeral (transient) storage “lasts as long as the pod continues to exist,” disappearing when the pod reaches end of life.

While VKS clusters can also consumepersistent storagethrough storage classes and CSI integration for stateful needs, that is specifically for data that must be retained (persistent volumes/claims). The question asks specifically aboutnon-persistentpod data, which aligns with the documented ephemeral/transient storage behavior for pod runtime needs. Therefore, the correct choice isEphemeral storage.

Answer (Correct Order):

Run the install command:velero install … --provider aws --bucket … --plugins … --backup-location-config …

Apply BackupStorageLocation YAML.

Apply VolumeSnapshotLocation YAML.

Run test backup:velero backup create test-backup --include-namespaces "myapp1"

The correct sequence follows Velero’s operational model: install the Velero components first, then define where backups and snapshots are stored, and finally validate with a real backup. In VCF 9.0, the Velero Plugin for vSphere installation command includes parameters for the object-store provider, bucket, and plugin images, which establishes the Velero control plane in the target namespace and prepares it to communicate with an S3-compatible store.

After the installation is in place, you apply theBackupStorageLocationconfiguration so Velero has a durable destination for Kubernetes backup metadata in the object store. This aligns with the VCF 9.0 guidance that backups upload Kubernetes metadata to the object store and require S3-compatible storage for backup/restore workflows.

Next, apply theVolumeSnapshotLocationso Velero knows how and where to create/track volume snapshots for stateful workloads. The VCF 9.0 install example explicitly includes snapshot/backup location configuration parameters, reflecting that both must be set for complete protection.

Finally, run a test backup scoped to the namespace (--include-namespaces=my-namespace) to confirm end-to-end functionality.

In VMware Cloud Foundation 9.0 and vSphere Supervisor architectures, the decision to deploy aSingle-Zoneor aMulti-ZoneSupervisor is made at the time ofinitial enablement. A Single-Zone Supervisor is tied to a specific vSphere Cluster. A Multi-Zone Supervisor requires a minimum of three vSphere Zones (each mapped to a cluster) to be defined before the Supervisor is deployed so that the Control Plane VMs can be distributed for high availability.

Currently, there is no supported "in-place" migration path to convert a deployed Single-Zone Supervisor into a Multi-Zone Supervisor by simply adding zones later. If an organization requires the high availability provided by a three-zone architecture, the administrator must decommission the existing Single-Zone Supervisor and then re-enable the Supervisor Service using the Multi-Zone configuration wizard. This design ensures that the underlying Kubernetes Control Plane components are correctly instantiated with the necessary quorum and anti-affinity rules that can only be established during the initial "Workload Management" setup phase.

VCF 9.0 explicitly states: “The VKS exposes three layers of controllers to manage the lifecycle of a VKS cluster,” and then enumerates those layers. The first layer is the set of components that integrate the workload cluster with Supervisor-backed resources, including aCloud Provider Plug-inthat integrates with the Supervisor and enables infrastructure integrations such as persistent volume requests being passed to the Supervisor (which is integrated with Cloud Native Storage). The second layer isCluster API, described as providing “declarative, Kubernetes-style APIs for cluster creation, configuration, and management,” driven by resources that represent the cluster, the VMs making up the cluster, and cluster add-ons. The third layer is theVirtual Machine Service, which provides a declarative API for managing VMs and associated vSphere resources and is used to manage the lifecycle of the control plane and worker node VMs hosting a VKS cluster.

Therefore, optionAis the only answer that matches the three lifecycle controller layers defined in the VCF 9.0 documentation.

Amulti-zone Supervisorin VCF 9.0 is designed to deliverplatform resiliency and high availability at the vSphere cluster (zone) failure-domain level. The VCF 9.0 documentation states that a multi-zone Supervisor “leverages three vSphere clusters” (each mapped to a vSphere Zone) and that these zones are used by both “workloads and Supervisor management components to deliver high availability,” exposing “each cluster as an independent, consumable availability zone,” resulting in a “resilient, HA-capable platform.”

This is reinforced in the vSphere Zones guidance: deploying the Supervisor onthree vSphere Zones spreads the control plane VMs across three zones, providing “cluster-level high availability” that protects the Supervisor control plane against asingle cluster-level failure(one control plane VM per management zone).

Because VKS (vSphere Kubernetes Service) runs on Supervisor, distributing Supervisor control plane and workload placement across zones improves overall availability of Supervisor services and Kubernetes consumption in that Supervisor instance.

The error shows an admission webhook denial wherevariable validation failedand multiple entries under spec.topology.variables[...] are reported as“variable is not defined”. That message indicates the manifest is supplying variables that arenot part of the current Cluster API / topology schemaenforced by the Supervisor during cluster creation. In VKS, cluster provisioning isdeclarative: you invoke the VKS API withkubectl + a YAML file, and “after the cluster is created, you update the YAML to update the cluster.” When the API/schema changes between releases, older manifests can contain fields/variables that are no longer recognized, and the admission webhook blocks them to prevent creating an invalid cluster spec.

This aligns with VMware’s broader direction that the olderTanzuKubernetesCluster (TKC) API was deprecatedand customers are encouraged to useCluster APIfor bootstrap/config/lifecycle management. In practice, to complete the upgrade/creation successfully, you must update the cluster manifest to match the supported schema:remove the deprecated/unknown topology variablesshown in the error (for example, the undefined storage-policy and trust variables) and re-apply the correctedworkload.yaml.

When you build Kubernetes-aware policy constructs, “groups” are commonly used to collect objects so you can apply consistent controls (security posture, traffic rules, observability scope, etc.) to a set of endpoints. In VCF 9.0 documentation, the Kubernetes member types that can be used for group-based collection includeKubernetes NodeandKubernetes Serviceas supported member object categories. Nodes represent the worker compute endpoints that run workloads, while Services represent stable networking front-ends for sets of pods (and are often the anchoring object for policy and routing decisions at the Kubernetes layer). Using Node-based grouping helps apply policies to the infrastructure execution points where workloads run, and Service-based grouping helps apply policies consistently to application entry points and east-west communication targets, regardless of pod churn. This combination is especially useful in Kubernetes-centric operational models because it aligns policy scope with both (1) where workloads execute (nodes) and (2) how workloads are exposed and discovered (services).

In VCF 9.0 Workload Management, avSphere Namespaceis the construct that “sets the resource boundaries” for workloads running on a Supervisor, includingCPU, memory, and storage. The documentation explicitly states that a vSphere Namespace “sets the resource boundaries forCPU, memory, storage, and also the number of Kubernetes objects that can run within the namespace.” In the operational procedure “Set Resource Limits to a vSphere Namespace,” VMware further lists the configurable limits as:CPU(“set a limit to the CPU consumption”),Memory(“set a limit to the memory consumption”), andStorage(“set a limit on the storage consumption… per storage policy that is used”).

By contrast,Containersare not a namespace “resource limit” category; VMware documents “Container Defaults” separately (defaults for container CPU/memory requests and limits) rather than a top-level resource limit type. Similarly,Servicesare governed under “Object Limits” (how many Kubernetes objects like Services can exist), which is distinct from resource limits. Therefore, the three resource limitations defined on a vSphere Namespace areCPU, Memory, and Storage.

VCF 9.0 documentation explicitly indicates thatvCenter upgrades and the Supervisor/cluster (Workload Management) upgrade are distinct, noting that “if you have only upgraded vCenter and not the cluster” then DevOps engineers have reduced permissions until the cluster is upgraded. This supports the stated standard that VKS/Workload Management lifecycle can be treated separately from vCenter. For the private registry requirement, VCF 9.0 provides an operational mechanism to authenticate and pull artifacts from private registries: “Registry secrets allow package and repository consumers to authenticate to and pull images from private registries,” implemented via a standard Kubernetes Secret of type kubernetes.io/dockerconfigjson.

Taken together, the standard implies (1)asynchronoushandling (separate lifecycle from vCenter) and (2)privatesourcing (images pulled from an internal registry with registry secrets). Therefore, selectingAsynchronous Privatebest matches both requirements in a single configuration choice, aligning with the documented separation of upgrades and the documented need to use authenticated access to private registries.

VCF 9.0 defines VKS as an upstream Kubernetes offering that isbuilt for vSphereand delivered with “well-thought-out defaults” to reduce operational burden. It states VKS provides an“opinionated installation of Kubernetes”with defaults “optimized for vSphere,” which “reduce[s] the amount of time and effort” typically spent deploying and running an enterprise Kubernetes cluster—this directly supportssimplified management and operations (A).

VCF 9.0 also emphasizes VKS is“integrated with the vSphere infrastructure”(storage, networking, authentication) and is built on a Supervisor that maps to vSphere clusters, creating a “unified product experience.” This supportsconsistent Kubernetes deployment on vSphere (B)because clusters are provisioned and operated in a standardized, vSphere-native way.

Finally, VCF 9.0 states VKS clusters “use open source Linux-based” components from VMware by Broadcom and notes key integrations (for example, CNI options) are open source—supportingleveraging open-source technologies (D).

OptionsCandEare not VKS benefits as stated: VKS targets VKS-provisioned upstream Kubernetes clusters (not “any distribution”), and “pods directly on ESXi” is described asvSphere Pods(Workload Management), not a defining benefit of VKS clusters.