Nodes
Syncing real nodes from the control plane cluster is disabled by default. vCluster only displays nodes in the tenant cluster if the tenant cluster has synced pods to that worker node from the control plane cluster. If there are no more pods on a node, vCluster deletes the node. Without syncing the nodes, these nodes are considered pseudo nodes, as the name is the only real value and the rest of the node information is randomly generated.
If you need specific node information, enable node syncing from the control plane cluster so that the real node information is available from the tenant cluster context. To access node information, a cluster role is deployed onto the control plane cluster.
By default, vCluster obfuscates node IP addresses when syncing real nodes to protect sensitive information. Learn how to control node IP visibility for your use case.
Selecting a set of nodes
By default, vCluster is able to schedule pods to any of the worker nodes in the control plane cluster, but you can isolate a tenant cluster to only use a set of specific nodes from the control plane cluster. There are multiple reasons why you may want to dedicate nodes to a tenant cluster including:
- Restricting vCluster to nodes in a specific region.
- Targeting nodes with a particular architecture.
- Using only spot or preemptible instances.
- Preventing vCluster workloads from running on critical infrastructure nodes.
Selecting nodes is based on a node label selector, where the nodes on the control plane cluster must have the matching labels.
Select a set of nodes without syncing node information
If you don't want to sync node information, you can still restrict the tenant cluster to a set of nodes from the control plane cluster.
sync:
  fromHost:
    nodes:
      # Do not sync real node information
      enabled: false
      # Select a set of nodes based on the node labels
      selector:
        labels:
          environment: production
          team: backend
Select a set of nodes and sync node information
You can select a set of nodes from the control plane cluster while also requesting that the nodes sync with the real information from the control plane cluster.
sync:
  fromHost:
    nodes:
      # Sync real node information
      enabled: true
      # Select a set of nodes based on the node labels
      selector:
        labels:
          environment: production
          team: backend
Sync real nodes
Sync nodes to the tenant cluster to view real node information. The tenant cluster only displays the host nodes that have a pod deployed onto them. When this sync is enabled, vCluster deploys a cluster role onto the control plane cluster.
sync:
  fromHost:
    nodes:
      enabled: true
Sync all real nodes
When syncing nodes, only nodes that have pods deployed on them show up in the tenant cluster, but you can sync all the nodes from the control plane cluster. When selecting all the nodes, kubectl get nodes displays all the host nodes whether or not a pod has been scheduled onto them.
sync:
  fromHost:
    nodes:
      enabled: true
      selector:
        all: true
Sync back labels and taints
By default, when syncing nodes from the control plane cluster, labels and taints are only synced from the control plane cluster to the tenant cluster. No changes made from the tenant cluster context are reflected on the host nodes.
Enabling syncBackChanges allows labels and taints set from the tenant cluster context to be synced to the host nodes. Additional permissions are added to the cluster role in order to edit the host nodes.
sync:
  fromHost:
    nodes:
      enabled: true
      syncBackChanges: true
Hide image information
When multiple tenants are using the same set of host nodes, container image metadata could be used maliciously. For increased security, you can enable clearImageStatus to remove all status.images from the node object.
sync:
  fromHost:
    nodes:
      enabled: true
      clearImageStatus: true
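As an added example (not vCluster's own code), the following Python function checks a parsed vcluster.yaml for the node-sync settings described above that matter when tenants share host nodes: syncBackChanges, clearImageStatus, selector.all and an empty label selector. The function name, the finding text and both sample configs are constructed for illustration, and it assumes syncBackChanges and clearImageStatus only take effect when nodes.enabled is true.

```python
# Added example: audit the sync.fromHost.nodes section of a vCluster config.
# Function name, finding wording and sample configs are this example's own.

def audit_node_sync(config: dict) -> list[str]:
    """Return findings for a parsed vcluster.yaml (e.g. from yaml.safe_load)."""
    nodes = ((config.get("sync") or {}).get("fromHost") or {}).get("nodes") or {}
    selector = nodes.get("selector") or {}
    findings = []

    # Without a label selector, pods can be scheduled to any host worker node.
    if not selector.get("labels"):
        findings.append("selector.labels is empty: pods may be scheduled on any host node")

    # Assumption: with enabled=false the tenant only sees pseudo nodes, so the
    # remaining options expose nothing and are not evaluated.
    if not nodes.get("enabled", False):
        return findings

    if nodes.get("syncBackChanges", False):
        findings.append("syncBackChanges is true: tenant can change host node labels and taints")
    if not nodes.get("clearImageStatus", False):
        findings.append("clearImageStatus is false: status.images of host nodes is visible to the tenant")
    if selector.get("all", False):
        findings.append("selector.all is true: all host nodes are shown, not only nodes running tenant pods")
    return findings


# Constructed sample: real nodes synced with every permissive option set.
PERMISSIVE = {"sync": {"fromHost": {"nodes": {
    "enabled": True,
    "syncBackChanges": True,
    "selector": {"all": True},
}}}}

# Constructed sample: dedicated nodes, image status cleared, no sync back.
RESTRICTED = {"sync": {"fromHost": {"nodes": {
    "enabled": True,
    "clearImageStatus": True,
    "selector": {"labels": {"environment": "production", "team": "backend"}},
}}}}

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name)
        for finding in audit_node_sync(cfg) or ["no findings"]:
            print("  -", finding)
```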
Patches
Use sync.fromHost.nodes.patches to transform node fields while syncing nodes from the control plane cluster to the tenant cluster. See Patching synced resources for syntax, directionality, and examples.
Config reference

nodes object
Nodes defines if nodes should get synced from the host cluster to the virtual cluster, but not back.

enabled boolean false
Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.

syncBackChanges boolean false
SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled, someone within the virtual cluster will be able to change the labels and taints of the host cluster node.

clearImageStatus boolean false
ClearImageStatus will erase the image status when syncing a node. This allows hiding images that are pulled by the node.

selector object
Selector can be used to define more granularly which nodes should get synced from the host cluster to the virtual cluster.

all boolean false
All specifies if all nodes should get synced by vCluster from the host to the virtual cluster or only the ones where pods are assigned to.

labels object {}
Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.

patches object[]
Patches patch the resource according to the provided specification.

path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string
Expression transforms the value according to the given JavaScript expression.

reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.

reference object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode this will not translate the name.

apiVersion required string
APIVersion is the apiVersion of the referenced object.

apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it will fall back to apiVersion.

kind required string
Kind is the kind of the referenced object.

kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it will fall back to kind.

namePath string
NamePath is the optional relative path to the reference name within the object.

namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels object
Labels treats the path value as a labels selector.