vmware-avi
Enables AKO (Avi Kubernetes Operator) operations on Kubernetes clusters, including pod status, logs, restart, Helm config, ingress diagnostics, sync diagnostics, and multi-cluster management.
Allows management of VMware AVI (NSX Advanced Load Balancer) controllers, including virtual services, pool members, SSL certificates, analytics, service engines, and AKO (Avi Kubernetes Operator) operations.
VMware AVI
Author: Wei Zhou, VMware by Broadcom — wei-wz.zhou@broadcom.com
This is a community-driven project by a VMware engineer, not an official VMware product. For official VMware developer tools see developer.broadcom.com.
AVI (NSX Advanced Load Balancer) management and AKO Kubernetes operations tool — 29 tools across 10 categories.
Dual mode: Traditional AVI Controller management + AKO K8s operations in one skill.
Companion skills handle everything else:
Skill | Scope | Install |
 | VM lifecycle, deployment, guest ops, cluster | uv tool install vmware-aiops |
 | Read-only: inventory, health, alarms, events | uv tool install vmware-monitor |
 | Datastores, iSCSI, vSAN management | uv tool install vmware-storage |
 | Tanzu Namespaces, TKC cluster lifecycle | uv tool install vmware-vks |
 | NSX networking: segments, gateways, NAT | uv tool install vmware-nsx-mgmt |
 | DFW firewall rules, security groups | uv tool install vmware-nsx-security |
 | Aria Ops: metrics, alerts, capacity | uv tool install vmware-aria |
Quick Install
# Via uv (recommended)
uv tool install vmware-avi
# Or via pip
pip install vmware-avi
# China mainland mirror
pip install vmware-avi -i https://pypi.tuna.tsinghua.edu.cn/simple
# Verify installation
vmware-avi doctor
Capabilities Overview
What This Skill Does
Category | Tools | Count |
Virtual Service | list, status, enable/disable | 3 |
Pool Member | list, enable/disable member (drain/restore traffic) | 3 |
SSL Certificate | list, expiry check | 2 |
Analytics | VS metrics overview, request error logs | 2 |
Service Engine | list, health check | 2 |
AKO Pod Ops | status, logs, restart, version info | 4 |
AKO Config | values.yaml view, Helm diff, Helm upgrade | 3 |
Ingress Diagnostics | annotation validation, VS mapping, error diagnosis, fix recommendation | 4 |
Sync Diagnostics | K8s-Controller comparison, inconsistency list, force resync | 3 |
Multi-cluster | cluster list, cross-cluster AKO overview, AMKO status | 3 |
CLI vs MCP: Which Mode to Use
Scenario | Recommended | Why |
Local/small models (Ollama, Qwen) | CLI | ~2K tokens vs ~8K for MCP |
Cloud models (Claude, GPT-4o) | Either | MCP gives structured JSON I/O |
Automated pipelines | MCP | Type-safe parameters, structured output |
AKO troubleshooting | CLI | Interactive log tailing, Helm diff output |
Rule of thumb: Use CLI for cost efficiency and small models. Use MCP for structured automation with large models.
Architecture
User (Natural Language)
|
AI CLI Tool (Claude Code / Gemini / Codex / Cursor / Trae)
| reads SKILL.md
|
vmware-avi CLI
|--- avisdk (AVI REST API) ---> AVI Controller ---> Virtual Services / Pools / SEs
|--- kubectl / kubernetes ---> K8s Cluster ---> AKO Pods / Ingress / Services
Configuration
Step 1: Create Config Directory
mkdir -p ~/.vmware-avi
vmware-avi init # generates config.yaml and .env templates
chmod 600 ~/.vmware-avi/.env
Step 2: Edit config.yaml
controllers:
  - name: prod-avi
    host: avi-controller.example.com
    username: admin
    api_version: "22.1.4"
    tenant: admin
    port: 443
    verify_ssl: true
default_controller: prod-avi
ako:
  kubeconfig: ~/.kube/config
  default_context: ""
  namespace: avi-system
Step 3: Set Passwords
Create ~/.vmware-avi/.env:
# AVI Controller passwords
# Format: VMWARE_AVI_{CONTROLLER_NAME_UPPER}_PASSWORD
VMWARE_AVI_PROD_AVI_PASSWORD=your-password-here
Password environment variable naming convention:
VMWARE_AVI_{CONTROLLER_NAME_UPPER}_PASSWORD
# Replace hyphens with underscores, UPPERCASE
# Example: controller "prod-avi" -> VMWARE_AVI_PROD_AVI_PASSWORD
# Example: controller "staging-alb" -> VMWARE_AVI_STAGING_ALB_PASSWORD
Step 4: Verify
vmware-avi doctor # checks Controller connectivity + kubeconfig + avisdk
CLI Usage
Virtual Service Management
# List all virtual services
vmware-avi vs list [--controller prod-avi]
# Check status of a specific VS
vmware-avi vs status my-webapp-vs
# Enable / disable a VS (disable requires double confirmation)
vmware-avi vs enable my-webapp-vs
vmware-avi vs disable my-webapp-vs
Pool Member Drain / Restore
# List pool members and health status
vmware-avi pool members my-pool
# Graceful drain (disable) — double confirmation required
vmware-avi pool disable my-pool 10.1.1.5
# Restore traffic (enable)
vmware-avi pool enable my-pool 10.1.1.5
SSL Certificate Expiry Check
# List all certificates
vmware-avi ssl list
# Check certificates expiring within 30 days
vmware-avi ssl expiry --days 30
Analytics and Error Logs
# VS analytics: throughput, latency, error rates
vmware-avi analytics my-webapp-vs
# Request error logs
vmware-avi logs my-webapp-vs --since 1h
Service Engine Health
vmware-avi se list
vmware-avi se health
AKO Troubleshooting
# Check AKO pod status
vmware-avi ako status [--context my-k8s-context]
# View AKO logs
vmware-avi ako logs [--tail 100] [--since 30m]
# Restart AKO pod (double confirmation)
vmware-avi ako restart
# Show AKO version
vmware-avi ako version
AKO Helm Config Management
# View current AKO Helm values
vmware-avi ako config show
# Show pending changes (diff)
vmware-avi ako config diff
# Helm upgrade (double confirmation + --dry-run default)
vmware-avi ako config upgrade
Ingress Diagnostics
# Validate Ingress annotations
vmware-avi ako ingress check <namespace>
# Show Ingress-to-VS mapping
vmware-avi ako ingress map
# Diagnose why an Ingress has no VS
vmware-avi ako ingress diagnose <ingress-name>
Sync Diagnostics
# Check K8s-Controller sync status
vmware-avi ako sync status
# Show inconsistencies between K8s and Controller
vmware-avi ako sync diff
# Force AKO resync (double confirmation)
vmware-avi ako sync force
Multi-cluster AKO
# List clusters with AKO deployed
vmware-avi ako clusters
# Cross-cluster AKO status overview
vmware-avi ako cluster-overview
# AMKO GSLB status
vmware-avi ako amko status
MCP Server
The MCP server exposes all 29 tools via the Model Context Protocol. Works with any MCP-compatible client.
After uv tool install vmware-avi, start the MCP server with one command (v1.5.15+):
# Recommended — single command, no network re-resolve
vmware-avi mcp
# With custom config path
VMWARE_AVI_CONFIG=/path/to/config.yaml vmware-avi mcp
Claude Desktop Config
Add to claude_desktop_config.json:
{
  "mcpServers": {
    "vmware-avi": {
      "command": "vmware-avi",
      "args": ["mcp"],
      "env": {
        "VMWARE_AVI_CONFIG": "~/.vmware-avi/config.yaml"
      }
    }
  }
}
# Run without installing (requires PyPI access each launch)
uvx --from vmware-avi vmware-avi mcp
# Legacy entry point (still works, kept for backward compatibility)
vmware-avi-mcp
Behind a corporate TLS proxy? uvx may fail with invalid peer certificate: UnknownIssuer. Use the recommended vmware-avi mcp form above (no network needed), or set UV_NATIVE_TLS=true.
MCP Tools (29)
Category | Tools |
Virtual Service (3) | |
Pool Member (3) | |
SSL Certificate (2) | |
Analytics (2) | |
Service Engine (2) | |
AKO Pod (4) | |
AKO Config (3) | |
Ingress Diagnostics (4) | |
Sync Diagnostics (3) | |
Multi-cluster (3) | |
Common Workflows
1. Maintenance Window -- Drain a Pool Member
When taking a backend server offline for patching:
List pool members and health status
vmware-avi pool members my-pool
Disable the target server (graceful drain)
vmware-avi pool disable my-pool 10.1.1.5
Monitor analytics to confirm active connections are draining
vmware-avi analytics my-vs
Perform maintenance on the server
Re-enable the server
vmware-avi pool enable my-pool 10.1.1.5
Verify health status is green
vmware-avi pool members my-pool
2. AKO Ingress Not Creating VS
When a developer reports their Ingress is not producing a Virtual Service:
Verify AKO is running
vmware-avi ako status
Validate Ingress annotations
vmware-avi ako ingress check <namespace>
Check sync status between K8s and Controller
vmware-avi ako sync status
If annotations are wrong, diagnose the specific Ingress
vmware-avi ako ingress diagnose <ingress-name>
If sync drift is detected, review the diff and force resync if needed
vmware-avi ako sync diff
vmware-avi ako sync force
3. SSL Certificate Expiry Audit
Expired certificates cause outages. Run periodic checks:
Check all certificates expiring within 30 days
vmware-avi ssl expiry --days 30
Review which VS uses each expiring certificate (output includes VS mapping)
Plan renewal with the certificate team
After renewal, verify the new certificate is in place
vmware-avi ssl list
Troubleshooting
"Controller unreachable" error
Run vmware-avi doctor to verify connectivity
Check if the controller address and port are correct in ~/.vmware-avi/config.yaml
For self-signed certs: set verify_ssl: false in config.yaml (lab environments only)
AKO Pod in CrashLoopBackOff
Check logs: vmware-avi ako logs --tail 50
Common causes: wrong controller IP in values.yaml, network policy blocking AKO to Controller, expired credentials
Fix config: vmware-avi ako config show to inspect, then Helm upgrade with corrected values
Ingress created but no VS on Controller
Validate annotations: vmware-avi ako ingress check <namespace>
Check AKO logs for rejection reason: vmware-avi ako logs --since 5m
Run sync diff: vmware-avi ako sync diff to see if the object is stuck
Pool member shows "down" after enable
Health monitor may still be failing. The member is enabled but unhealthy. Check the actual health status on the Controller side. Fix the backend service first, then the health status will auto-recover.
SSL expiry check shows 0 certificates
Verify the controller connection has tenant-level access. Certificates are tenant-scoped in AVI. The configured user may only see certs in their tenant.
AKO sync force has no effect
Force resync triggers AKO to re-reconcile all K8s objects. If the drift persists, the issue is likely in the K8s resource definition itself (bad annotation, missing secret). Use vmware-avi ako ingress diagnose to pinpoint the root cause.
Safety Features
Feature | Details |
Double Confirmation | Destructive ops (VS disable, pool member disable, AKO restart, Helm upgrade, force resync) require 2 sequential confirmations |
Dry-Run Default | |
Audit Trail | All operations logged to |
Password Protection | |
SSL Support | |
Prompt Injection Protection | All API-sourced text truncated (500 chars max) and C0/C1 control characters stripped |
Input Validation | Pool names, VS names, IP addresses, and namespace names validated before API calls |
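A sketch of the kind of filter the Prompt Injection Protection row describes (500-character cap, C0/C1 control characters stripped), applied to every string in a decoded API response. This is an added example, not the project's `_sanitize()` code; the function names and the sample response are constructed for illustration.

```python
import re

MAX_LEN = 500  # limit stated in the Safety Features table

# C0 controls (U+0000-U+001F), DEL (U+007F) and C1 controls (U+0080-U+009F).
# Assumption: all of them are removed, including tab and newline.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize_text(value: str, max_len: int = MAX_LEN) -> str:
    """Strip control characters first, then truncate, so the cap applies
    to the text that will actually reach the model."""
    return _CONTROL_CHARS.sub("", value)[:max_len]


def sanitize_response(obj, max_len: int = MAX_LEN):
    """Recursively sanitize every string (keys and values) in a decoded
    JSON structure; numbers, booleans and None pass through unchanged."""
    if isinstance(obj, str):
        return sanitize_text(obj, max_len)
    if isinstance(obj, dict):
        return {sanitize_text(str(k), max_len): sanitize_response(v, max_len)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [sanitize_response(v, max_len) for v in obj]
    return obj


# Constructed sample: object names carrying an ANSI escape, a NUL byte,
# a C1 "next line" character and an over-long description.
SAMPLE = {
    "name": "web-vs\x1b[2K\r",
    "description": "checkout frontend\u0085" + "A" * 600,
    "enabled": True,
    "pools": [{"name": "pool-1\x00", "port": 443}],
}

if __name__ == "__main__":
    clean = sanitize_response(SAMPLE)
    print(repr(clean["name"]), len(clean["description"]))
```

Stripping and truncation bound what a hostile object name or log field can carry; the remaining text is still untrusted data and should be handled as such by the caller.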
Security Details
Source Code: github.com/zw008/VMware-AVI
Config File Contents: config.yaml stores controller addresses, usernames, and AKO settings. No passwords or tokens. All secrets stored exclusively in .env
Webhook Data Scope: Disabled by default. No third-party data transmission
TLS Verification: Enabled by default. Disable only for self-signed certificate environments
Prompt Injection Protection: _sanitize() truncation + control character cleanup on all AVI API responses
Least Privilege: Use a dedicated AVI service account with minimal permissions. AKO operations require only namespace-scoped kubeconfig access
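The configuration rules stated on this page (secrets only in .env with mode 600, the VMWARE_AVI_{CONTROLLER_NAME_UPPER}_PASSWORD naming rule, TLS verification left on) can be checked mechanically before the tool is pointed at a production controller. The audit below is an added example, not part of the vmware-avi project; the function names are illustrative, and it takes config.yaml already parsed into a dict plus the .env text and file mode.

```python
import stat


def password_env_name(controller: str) -> str:
    """Naming rule from this page: upper-case, hyphens become underscores."""
    return f"VMWARE_AVI_{controller.upper().replace('-', '_')}_PASSWORD"


def parse_env(text: str) -> dict:
    """Minimal KEY=VALUE parser; skips blank lines and # comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def audit(config: dict, env_text: str, env_mode: int) -> list:
    """Return findings for a parsed config.yaml, the .env text and its st_mode."""
    findings = []
    if stat.S_IMODE(env_mode) & 0o077:
        findings.append(".env is accessible to group/other; expected mode 600")
    env = parse_env(env_text)
    for ctrl in config.get("controllers", []):
        name = ctrl["name"]
        var = password_env_name(name)
        if env.get(var, "") in ("", "your-password-here"):
            findings.append(f"{name}: {var} is unset or still the template value")
        if ctrl.get("verify_ssl", True) is not True:
            findings.append(f"{name}: verify_ssl is disabled")
        leaked = [k for k in ctrl if "password" in k.lower() or "token" in k.lower()]
        if leaked:
            findings.append(f"{name}: secret-like keys in config.yaml: {leaked}")
    return findings


# Constructed sample: one compliant controller, one with three problems.
SAMPLE_CONFIG = {"controllers": [
    {"name": "prod-avi", "host": "avi-controller.example.com", "verify_ssl": True},
    {"name": "staging-alb", "host": "alb.lab.example.com", "verify_ssl": False,
     "password": "hunter2"},
]}
SAMPLE_ENV = "# AVI Controller passwords\nVMWARE_AVI_PROD_AVI_PASSWORD=s3cr3t-value\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_ENV, 0o100644):
        print(finding)
```

Against real files, pass `yaml.safe_load()` of config.yaml (PyYAML), the contents of ~/.vmware-avi/.env, and `os.stat(path).st_mode` for that file.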
Companion Skills
Skill | Scope | Tools | Install |
 | AVI load balancer, AKO K8s operations | 29 | |
 | VM lifecycle, deployment, guest ops, cluster | 34 | |
 | Read-only monitoring, alarms, events | 7 | |
 | Datastores, iSCSI, vSAN | 11 | |
 | Tanzu Namespaces, TKC cluster lifecycle | 20 | |
 | NSX segments, gateways, NAT, routing | 32 | |
 | DFW firewall, security groups, IDS/IPS | 20 | |
 | Aria Ops: metrics, alerts, capacity | 27 | |
Troubleshooting & Contributing
If you encounter any errors or issues, please send the error message, logs, or screenshots to zhouwei008@gmail.com. Contributions are welcome -- feel free to join us in maintaining and improving this project!
License
MIT