The Advanced VMware Cloud Foundation 9.0 vSphere Kubernetes Service (3V0-24.25)

VCF 9.0 distinguishes betweenbacking up the Supervisor control planeandbacking up workloadsthat run on the Supervisor, includingvSphere Pods. In the “Considerations for Backing Up and Restoring Workload Management” table, the scenario “Backup and restore vSphere Pods” explicitly lists the required tool as“Velero Plugin for vSphere”, with the guidance to “Install and configure the plug-in on the Supervisor.”

The same document is explicit thatstandalone Velero with Restic is not valid for vSphere Pods, stating: “You cannot use Velero standalone with Restic to backup and restore vSphere Pods. You must use the Velero Plugin for vSphere installed on the Supervisor.”

vCenter file-based backup is documented for restoring theSupervisor control plane state, not for backing up and restoring vSphere Pod workloads themselves. Therefore, to meet the requirement to protect third-party applications running asvSphere Pods, the architect should propose theVelero Plugin for vSphere.

VCF 9.0 describesCloud Native Storage (CNS) on vCenteras the component that implements “provisioning and lifecycle operations for persistent volumes.” When provisioning persistent volumes, CNS “interacts with the vSphere First Class Disk functionality to create virtual disks that back the volumes,” and it “communicates with Storage Policy Based Management to guarantee a required level of service to the disks.” This is exactly the storage-policy-to-backed-virtual-disk relationship the question is testing: storage policies (via policy-based management) define requirements, and CNS is the vCenter-side service that applies those requirements while creating and managing the backing storage objects.

In contrast,CSI(including Supervisor CNS-CSI and VKS pvCSI) is the Kubernetes-facing interface/driver used to request and consume storage, but it does not “provide” the vSphere storage policy system; rather, it relies on CNS/CNS-CSI and vCenter services to fulfill provisioning requests. Therefore,vSphere Cloud Native Storage (CNS)is the correct choice.

The VCF 9.0 documentation explicitly states that“the VKS exposes three layers of controllers to manage the lifecycle of a VKS cluster.”Those three controller layers map directly to the answer choices:

Cloud Provider Plug-in: VKS-provisioned clusters include components needed to integrate with vSphere Namespace resources, including aCloud Provider Plug-inthat integrates with the Supervisor and supports infrastructure-integrated functions (for example, passing persistent volume requests to the Supervisor which integrates with Cloud Native Storage).

Cluster API: The documentation describesCluster APIas providing declarative APIs for “cluster creation, configuration, and management,” including resources for the VMs and cluster add-ons.

Virtual Machine Service: TheVirtual Machine Serviceprovides declarative APIs to manage VMs and associated vSphere resources, and is used to manage the lifecycle of the control plane and worker node VMs that host a VKS cluster.

CNI and CSI are important cluster components, but the document distinguishes these from thethree controller layersresponsible for lifecycle management.

In Kubernetes terms,non-persistentpod data (for example, transient logs and scratch space) is handled byephemeral storage, meaning the data exists only for the lifetime of the pod/workload and is not meant to survive beyond it. In the VCF Workload Management documentation, this concept is described directly: a pod requiresephemeral storageto store transient Kubernetes objects such as “logs” and “emptyDir volumes,” and this ephemeral (transient) storage “lasts as long as the pod continues to exist,” disappearing when the pod reaches end of life.

While VKS clusters can also consumepersistent storagethrough storage classes and CSI integration for stateful needs, that is specifically for data that must be retained (persistent volumes/claims). The question asks specifically aboutnon-persistentpod data, which aligns with the documented ephemeral/transient storage behavior for pod runtime needs. Therefore, the correct choice isEphemeral storage.

In VMware Cloud Foundation 9.0 and vSphere Supervisor architectures, the decision to deploy aSingle-Zoneor aMulti-ZoneSupervisor is made at the time ofinitial enablement. A Single-Zone Supervisor is tied to a specific vSphere Cluster. A Multi-Zone Supervisor requires a minimum of three vSphere Zones (each mapped to a cluster) to be defined before the Supervisor is deployed so that the Control Plane VMs can be distributed for high availability.

Currently, there is no supported " in-place " migration path to convert a deployed Single-Zone Supervisor into a Multi-Zone Supervisor by simply adding zones later. If an organization requires the high availability provided by a three-zone architecture, the administrator must decommission the existing Single-Zone Supervisor and then re-enable the Supervisor Service using the Multi-Zone configuration wizard. This design ensures that the underlying Kubernetes Control Plane components are correctly instantiated with the necessary quorum and anti-affinity rules that can only be established during the initial " Workload Management " setup phase.

VCF 9.0 describes Supervisor networking with NSX as a model whereNSX provides network connectivity to Supervisor control plane VMs, services, and workloads, and where the Supervisor can use either the NSX Load Balancer or the Avi Load Balancer. In the NSX + Avi design, the documentation identifies theAvi Load Balancer Controlleras a core infrastructure element: the Controller “interacts with vCenter to automate the load balancing for the VKS clusters,” and is responsible for provisioning and coordinating Service Engines and exposing operational interfaces.

Also, the Supervisor itself is anchored by theSupervisor control plane virtual machines. VCF 9.0 explains you deploy the Supervisor with one or three control plane VMs, and in a three-zone Supervisor the control plane VMs are distributed across zones for high availability.

Finally, because the requirement explicitly calls for a unified networking/security model throughNSX, theNSX Manager virtual machineis foundational to the NSX-based Supervisor design, as shown in the documented architecture and component descriptions for NSX-backed Supervisor deployments.

VKS cluster lifecycle is managed using adeclarative API: you usekubectl with a YAML fileto specify the desired state of the cluster (for example: “how many nodes,” Kubernetes version, sizing, and storage). After the cluster is created, youupdate the YAMLto update the cluster. This is why the correct operational approach is to modify the cluster manifest (cluster.yaml) rather than deleting and redeploying.

Additionally, VKS uses multiple controller layers, whereCluster APIand theVirtual Machine Serviceare responsible for provisioning and managing the lifecycle of the control plane and worker node VMs that make up the VKS cluster. In other words, when you change the declared state for control plane sizing/replica count in the cluster YAML, the platform reconciles to that new state by adjusting the underlying control plane VMs through the supported controllers, instead of requiring disruptive “tear down and rebuild” operations.

So, editing the cluster.yaml to adjust the control plane replica count is the method that matches the documented VKS declarative operations model and controller-driven reconciliation.

The error shows an admission webhook denial wherevariable validation failedand multiple entries under spec.topology.variables[...] are reported as“variable is not defined”. That message indicates the manifest is supplying variables that arenot part of the current Cluster API / topology schemaenforced by the Supervisor during cluster creation. In VKS, cluster provisioning isdeclarative: you invoke the VKS API withkubectl + a YAML file, and “after the cluster is created, you update the YAML to update the cluster.” When the API/schema changes between releases, older manifests can contain fields/variables that are no longer recognized, and the admission webhook blocks them to prevent creating an invalid cluster spec.

This aligns with VMware’s broader direction that the olderTanzuKubernetesCluster (TKC) API was deprecatedand customers are encouraged to useCluster APIfor bootstrap/config/lifecycle management. In practice, to complete the upgrade/creation successfully, you must update the cluster manifest to match the supported schema:remove the deprecated/unknown topology variablesshown in the error (for example, the undefined storage-policy and trust variables) and re-apply the correctedworkload.yaml.

VCF 9.0 explicitly documents thatVKS supports two CNI options: Antrea and Calico, and that thesystem-defined default CNI is Antrea. This directly eliminates Flannel and Cilium as default supported options for VKS clusters on Supervisor in this context. VCF 9.0 also describes how a vSphere administrator can view or change this setting in the vSphere Client underSupervisor Management → Configure → Kubernetes Service → Default CNI, further reinforcing that Antrea is the baseline/default choice.

From a policy perspective in the question, the requirement is Kubernetes-layer observability and control of pod communications “without additional licensing or overlay complexity.” Antrea is presented in VCF 9.0 as the default CNI and is implemented usingOpen vSwitch, with networking and network policy capabilities provided at the Kubernetes layer for pods and services. Because it is the documented default (and supported) option for new VKS clusters, selectingAntreabest aligns with the “default supported option” requirement.