Skip to main content

Additional settings

The Additional Settings section provides supplementary configuration and operational guidance for managing the GV OVA deployment beyond the standard installation. You can refer to this section when performing post-deployment maintenance activities, such as including version upgrades, certificate rotation, and network troubleshooting, to ensure your Global View environment remains connected to the underlying infrastructure.

Upgrade the K3s Kubernetes version

Check the Current K3s Version and the node's health. To display the current Kubernetes version managed by K3s and the node's health, run the following commands in your terminal:

sudo k3s kubectl version
sudo k3s kubectl get nodes
sudo k3s kubectl get pods -n kube-system

Find the latest stable K3s version. To determine the latest stable K3s release available, run the following commands:

curl -s https://update.k3s.io/v1-release/channels | jq -r '.data[] | select(.id == "stable") | .latest'

Review the K3s release notes for version-specific considerations.

Take a Full VM Backup (Including Disk) in VMware

Important

Before any cluster upgrade, create a full backup of your VM, including all attached disks, using VMware vSphere or your preferred management tool.

In vSphere Web Client, right-click the VM > Snapshot > Take Snapshot. Enable Snapshot the virtual machine's memory and Quiesce guest file system for best protection.

Verify backup completion before proceeding.

Upgrade to the Target K3s Version. Replace <<K3s_VERSION>> below with the desired version string retrieved from Upgrade Strategy. The following command will upgrade K3s to that version with customized install options:

curl -sfL https://get.k3s.io | sudo INSTALL_K3S_VERSION="<<K3s_VERSION>>" INSTALL_K3S_EXEC="--flannel-backend=none --disable traefik --disable servicelb --write-kubeconfig-mode 644" sh -s -

Post-upgrade verification. To display the current Kubernetes version managed by K3s and the nodes' health, run:

sudo k3s kubectl version
sudo k3s kubectl get nodes
sudo k3s kubectl get pods -n kube-system

Manage K3s certificates

K3s relies on a set of TLS certificates to secure communication between the Kubernetes control plane, the kubelet, and cluster components. You can check the certificate validity, interpret expiration warnings, and manually rotate certificates when automatic renewal is not sufficient.

To check the expiration dates of your certificates, run the following command:

sudo k3s certificate check --output table

The following table provides the details that you must check for the relevant certificate:

Table 31.

Property

Details

Default validity

K3s server and client certificates are valid for 365 days (1 year) from their issuance date.

CA certificate validity

Typically valid for 10 years.

Alerts

Kubernetes event CertificateExpirationWarning when within 90 days of expiry.

Automatic renewal

K3s auto-renews expired certificates, or within 90 days of expiry, on every service restart.



You can manually rotate certificates using the K3s CLI with the following command:

sudo k3s certificate rotate
sudo systemctl restart k3s

KVM - VM Networking

KVM - VM Networking defines hosting of VMs on a KVM hypervisor to communicate with the underlying host, physical network, and external services. Understanding this networking model helps you correctly configure VM IP addresses, VLAN tagging, and DNS routing, as well as troubleshoot connectivity issues between the GV VM, its internal Kubernetes pods, and external services such as DNS, SMTP, or upstream APIs.

Host Linux bridge

The host Linux bridge acts as a software switch, connecting VM network interfaces directly to the host's physical NIC. This allows VMs to appear as first-class nodes on the physical network, enabling full Layer 2 connectivity without NAT.

The following diagram illustrates the traversal of network packets through the host’s physical NIC, VLAN interfaces, and bridges before reaching the VM, and how traffic originating from the VM flows back to the external network.

ASCII_view.png

Packet flow

  • Inside the VM, a packet leaves eth0 and hits the host's vnetX via a tap/virtual link.

  • vnetX is a port on Bridge-60 that forwards traffic into the bridge.

  • Bridge-60 routes external traffic out via its uplink enp7s0.60 (VLAN 60 sub-interface).

  • enp7s0.60 tags/untags VLAN 60 on the way to the physical NIC enp7s0, which puts bits on the wire.

DNS traffic flow

Understanding the DNS traffic path is important for troubleshooting name resolution issues, validating network connectivity, and ensuring that both the VM and its workloads (running on K3s) can reliably reach upstream DNS services through the configured bridge network.

VM-level DNS resolution path

Even though the VM subnet is 10.10.60.0/23, DNS servers at 10.10.2.6/7 are reachable through normal routing:

GV VM (10.10.60.101) -> vnet12 (tap) -> Bridge-60 -> enp7s0.60 -> physical switch/router -> DNS (10.10.2.6/7)
Return: 10.10.2.6 -> router -> VLAN 60 -> enp7s0.60 -> Bridge-60 -> vnet12 -> VM

So VM and host are both just regular nodes on 10.10.60.0/23 that can reach DNS at 10.10.2.6/7 through routing.

Pod-level DNS resolution path

Inside the GV VM running K3s (pod CIDR: 10.43.0.0/16, CoreDNS service: 10.43.0.10):

Pod (10.43.A.B) -> kube-proxy/iptables -> CoreDNS service (10.43.0.10) -> CoreDNS pod
-> GV VM kernel routing -> vnet12 -> Bridge-60 -> enp7s0.60 -> physical switch/router -> External DNS
Return: External DNS -> router -> VLAN 60 -> enp7s0.60 -> Bridge-60 -> vnet12 -> GV VM -> CoreDNS pod -> kube-proxy -> Pod

GV VM's first-class L2 connectivity via Bridge-60 ensures pod DNS requests reach the upstream network without additional NAT.

Libvirt default network (virbr0)

virbr0 uses NAT, so external systems cannot directly reach VMs unless port forwarding is configured. Use the host Linux bridge for production-like setups where VMs need routable IPs.

Table 32.

Property

Details

Type

libvirt-managed interface network.

Purpose

Isolated virtual network with built-in DHCP, DNS, and NAT.

Default IP range

192.168.122.0/24

External access

VM traffic is NATed through the host; external systems cannot directly reach VMs.

Best for

Testing, development, or temporary VMs only.



VM -> vnet -> virbr0 (DHCP + NAT) -> Host NIC -> Switch -> Internet

Unlike a host-managed bridge, virbr0 does not integrate VMs as full participants in the physical network. Instead, it keeps them in an isolated network environment.

This setup is useful for testing and development scenarios. However, it is not ideal for production environments, where VMs need routable IP addresses and full network visibility.

GV OVA Support and Operating Model

This section outlines the security baseline applied at image build time, the supported upgrade and patching strategies, and the operational responsibilities shared between you and Virtana. You can refer to this section to understand the boundaries of supported operations.

Security Baseline

GV OVA is delivered as a hardened, appliance-style VM with clearly defined ownership and support boundaries.

Operating system hardening

Built on Ubuntu Server 22.04 LTS with CIS benchmark hardening applied during image build. The following security assessment reports are available on request:

CIS Compliance

CIS (Center for Internet Security) Compliance ensures that the GV OVA's operating system is configured according to globally recognized security best practices. The compliance reports are available on request from Virtana Support, which you can use to satisfy your organization's audit or security review.

  • OSCAP (OpenSCAP) CIS compliance report

  • CIS benchmark alignment verified

  • Hardening applied at image build time

Vulnerability Assessment

Vulnerability Assessment verifies that the GV OVA is free from known security risks before being delivered to customers. You receive a pre-validated, security-reviewed appliance without needing to run your own vulnerability scans before deployment.

  • Lynis OS hardening assessment report

  • Nessus vulnerability scan report

  • Critical or High findings resolved before release

Access model

The Access Model defines your interaction with the GV OVA and clarifies the boundaries of supported operations.

  • SSH access is available only for bootstrapping and troubleshooting.

  • You are not expected to perform OS or Kubernetes modifications.

  • Privileged access is intended for Virtana-supported operations: troubleshooting, patching, and recovery.

  • Unauthorized changes can cause configuration drift and are outside our supported operating model.

Kubernetes security (K3s)

The GV OVA includes a K3s cluster fully managed by Virtana. You are not required to perform Kubernetes hardening or lifecycle operations.

The table below outlines the key properties and security features of the K3s Kubernetes distribution bundled with the GV OVA:

Table 33.

Property

Details

Certification

CNCF-certified Kubernetes distribution (originally by Rancher).

Production-ready

Designed for production in constrained environments.

Secure by default

Sensible security defaults appropriate for most use cases.

Certificate management

Automated certificate distribution and control plane setup that reduces misconfiguration risk.

CIS controls

Many CIS controls are met by default. Advanced hardening options exist, but are not required for this appliance model.



Upgrade and patch strategy

Virtana follows a structured approach that combines Helm-based application upgrades with coordinated vulnerability remediation, ensuring that you can keep your Global View deployment current and secure with minimal operational effort.

Application upgrade (Helm-based)

Application upgrades for the GV OVA are delivered through Helm, the standard package manager for Kubernetes, which simplifies version management and rollback.

  • The OVA is deployed once, for example, 2025.12.1.

  • For a new release, for example, 2026.1.1, an upgrade bundle is uploaded to Egnyte.

  • Customers can upgrade via SSH/SFTP (air-gapped) and run the deploy script, or perform a direct Helm upgrade if the internet is available.

Vulnerability remediation

You can identify and resolve across the GV OVA's lifecycle, both before and after deployment.

Table 34.

Phase

Actions

Pre-release

  • CIS hardening via Lynis and OSCAP,

  • Nessus scan,

  • Critical and High vulnerabilities fixed or documented.

Post-deployment

Vulnerabilities are addressed by coordinated patching or by remote access if RemoteWisdom is installed and enabled.



Operational responsibility matrix

The table below defines responsibilities between you and Virtana after deploying the GV OVA. Since the OVA is deployed in your environment, you may need to execute certain tasks. Virtana provides guidance, scripts, and support.

Table 35.

Area

Customer

Virtana

OVA deployment (import)

Tick_sym.png

Hypervisor/infrastructure

Tick_sym.png

VM power operations

Tick_sym.png

Initial configuration (input.env and install script)

Tick_sym.png

Guidance/support only

Application upgrades (communication and execution)

Tick_sym.png

Guidance/support only

OS hardening

Tick_sym.png

OS patching

Tick_sym.png

Kubernetes (k3s) lifecycle

Tick_sym.png

Backup configuration and execution

Tick_sym.png

Guidance/support only

Restore procedures

Tick_sym.png

Guidance/support only

Security vulnerability remediation

Tick_sym.png



Summary of responsibilities

This section outlines the shared operating model between the customer and Virtana, clearly defining who owns which tasks across the GV OVA lifecycle.

Customer responsibilities

These are the tasks that you, as the customer, are expected to perform.

  • Perform initial environment-specific configuration and run installation scripts.

  • Apply application upgrades and Helm chart updates as communicated by Virtana.

  • Configure and execute backups, and perform restores when necessary.

Virtana responsibilities

These are the tasks that Virtana owns and manages on your behalf.

  • Harden and patch the OS.

  • Manage the K3s lifecycle.

  • Maintain the application lifecycle (versioned Helm charts).

  • Provide guidance, scripts, and documentation for customer-executed tasks.

  • Remediate security vulnerabilities in the OS, Kubernetes, and application stack.

Shared responsibilities

These are tasks where both you and Virtana collaborate.

  • Backup configuration and restore processes are executed by the customer but supported by Virtana guidance.

  • Collaboration is expected for critical operations like recovery and troubleshooting.

Roadmap items

The following enhancements are planned and do not impact the current support model:

  • Signed OVA to verify authenticity and integrity.

  • Backup and restore to a new OVA appliance.

Support statement

GV OVA is supported as a managed, hardened virtual appliance. Operations outside the documented and supported workflows may impact supportability. For questions related to security posture, upgrades, or operations, contact Virtana Support.