A Cloud Administrator is tasked with resolving a complex "Split-Brain" scenario in a Zonal Supervisor deployment following a storage outage in Zone-B.
Context:
The Supervisor spans Zone-A, Zone-B, and Zone-C. A storage array failure in Zone-B caused the Supervisor Control Plane VM in that zone to become isolated and read-only. The outage is now resolved, but the Supervisor status remains Warning. TKG clusters in Zone-B are unreachable.
Review the following diagnostic data from the Supervisor:
# kubectl get nodes -L topology.kubernetes.io/zone
NAME STATUS ROLES ZONE
42018c-supervisor-control-plane-0 Ready master Zone-A
42018c-supervisor-control-plane-1 NotReady master Zone-B
42018c-supervisor-control-plane-2 Ready master Zone-C
# kubectl get etcd -n kube-system
NAME STATUS HEALTH
etcd-0 Healthy true
etcd-1 Unhealthy false <-- Corresponds to Zone-B node
etcd-2 Healthy true
The administrator determines that the etcd member in Zone-B has diverged and cannot automatically rejoin the quorum.
What is the correct recovery procedure to restore full health to the Supervisor? (Choose 2.)

• A.Use the vSphere Client to put the Supervisor into "Maintenance Mode" and then "Exit Maintenance Mode" to trigger a full cluster reconciliation.
• B.Delete the NotReady Control Plane VM (42018c-supervisor-control-plane-1) from the vSphere Client inventory. The vSphere Cluster Service (vCLS) / EAM will detect the missing agent and automatically redeploy a fresh Control Plane VM, forcing etcd to resync from the healthy members.
• C.SSH into the healthy etcd-0 node and run etcdctl member remove to manually evict the failed member, then allow the Supervisor to self-heal.
• D.Restore the entire Supervisor Cluster from a Velero backup taken prior to the outage.
• E.Redeploy the Supervisor Control Plane VM using the kubectl delete node 42018c-supervisor-control- plane-1 command.

Comment: *

Name: *

Email: *

Verification: *

A Security Operations Analyst is reviewing the isolation boundaries for a multi-tenant financial application. The security policy mandates "Strong Isolation" where the container runtime must not share the host kernel directly, and the workload must be encapsulated in a distinct security boundary with a separate IP stack.
Review the following architectural options:
1. Containers running in a shared TKG Cluster (Docker/containerd runtime)
2. vSphere Pods running on the Supervisor
How does the vSphere Pod architecture meet this specific "Strong Isolation" requirement compared to standard containers in a VM? (Choose 2.)

• A.vSphere Pods wrap containers in a lightweight VM boundary, ensuring the workload interacts with a dedicated paravirtualized kernel (CRX) rather than the shared ESXi kernel.
• B.vSphere Pods share the Guest OS kernel of the Supervisor Control Plane VM, providing centralized security patching.
• C.vSphere Pods utilize NSX to provide a dedicated network stack and IP address per pod, avoiding port conflicts and shared networking namespaces common in node-sharing containers.
• D.vSphere Pods are deployed inside a TKG Node, inheriting the security context of the worker node VM.
• E.vSphere Pods run as bare-metal processes on ESXi, removing the hypervisor layer entirely for speed.

Comment: *

Name: *

Email: *

Verification: *

A VI Administrator attempts to upgrade the Supervisor Cluster but the option to upgrade is grayed out or unavailable in the vSphere Client, even though a new version is known to be available.
Which of the following are valid reasons for this state? (Select all that apply.)

• A.There are incompatible TKG clusters running on the Supervisor (e.g., a very old Kubernetes version that is deprecated in the target Supervisor release).
• B.The vCenter Server itself has not been upgraded to a version that supports the new Supervisor release. (The Supervisor version cannot exceed the managing vCenter's compatible version).
• C.The Supervisor Cluster is in a "Warning" or "Error" health state (e.g., invalid certificate, network partition).
• D.The ESXi hosts in the cluster are not running a compatible version (e.g., they are on an older build that doesn't support the new Spherelet).
• E.The "License Service" is down.

Comment: *

Name: *

Email: *

Verification: *

A Platform Engineer observes that a TKG cluster upgrade has failed with the status Condition:
Incompatible. The error message indicates that the VirtualMachineClass referenced in the cluster YAML (guaranteed-large-v1) is no longer available in the namespace.
The administrator realizes that the guaranteed-large-v1 class was recently removed from the Namespace configuration in favor of guaranteed-large-v2.
How should the engineer recover the cluster and complete the upgrade? (Select all that apply.)

• A.Once the manifest is updated to guaranteed-large-v2, the Supervisor will trigger a rolling update to replace the nodes with the new class (and new version if specified).
• B.Add the guaranteed-large-v1 class back to the Namespace in the vSphere Client to satisfy the current state requirements, allowing the controller to reconcile the current state before moving to the new state.
• C.The cluster must be deleted and recreated because the VM Class is immutable once provisioned.
• D.Edit the TanzuKubernetesCluster manifest to update the vmClass field to guaranteed-large-v2 for the node pools.
• E.Manually rename the VM Class in vCenter from guaranteed-large-v2 to guaranteed-large-v1.

Comment: *

Name: *

Email: *

Verification: *

A Security Architect is configuring the External DNS Supervisor Service to automatically manage DNS records for TKG workloads.
The environment uses Infoblox.
Which piece of information is critical to provide in the external-dns configuration (Values YAML) to allow it to securely update the DNS server?

• A.A Kubernetes Secret name containing the Infoblox credentials (Username/Password) and the WAPI endpoint URL.
• B.The vCenter SSO administrator account.
• C.The root password of the Supervisor.
• D.The SSH key of the DNS server.

Comment: *

Name: *

Email: *

Verification: *