Version: main 🚧

Nodes

Supported Configurations
Running the control plane as a container with:

By default, node syncing is disabled. vCluster only displays nodes in the tenant cluster if the tenant cluster has synced pods to that worker node from the control plane cluster. If there are no more pods on a node, vCluster deletes the node. Without syncing the nodes, these nodes are considered pseudo nodes, as the name is the only real value and the rest of the node information is randomly generated.

If you need specific node information, enabling node sync from the control plane cluster makes the real node information available from the tenant cluster context. To access node information, a cluster role is deployed onto the control plane cluster.

Node IP obfuscation

By default, vCluster obfuscates node IP addresses when syncing real nodes to protect sensitive information. Learn how to control node IP visibility for your use case.

Selecting a set of nodes

By default, vCluster is able to schedule pods to any of the worker nodes in the control plane cluster, but you can isolate a tenant cluster to only use a set of specific nodes from the control plane cluster. There are multiple reasons why you may want to dedicate nodes to a tenant cluster including:

  • Restricting vCluster to nodes in a specific region.
  • Targeting nodes with a particular architecture.
  • Using only spot or preemptible instances.
  • Preventing vCluster workloads from running on critical infrastructure nodes.

Selecting nodes is based on a node label selector, where the nodes on the control plane cluster must have the matching labels.

Select a set of nodes without syncing node information

If you don't want to sync node information, you can still select to use only a set of nodes from the control plane cluster.

Select dedicated nodes without syncing real node information
sync:
  fromHost:
    nodes:
      # Do not sync real node information
      enabled: false
      # Select a set of nodes based on the node labels
      selector:
        labels:
          environment: production
          team: backend

Select a set of nodes and sync node information

You can select a set of nodes from the control plane cluster while also requesting that the nodes sync with the real information from the control plane cluster.

Select dedicated nodes and syncing real node information
sync:
  fromHost:
    nodes:
      # Sync real node information
      enabled: true
      # Select a set of nodes based on the node labels
      selector:
        labels:
          environment: production
          team: backend

Sync real nodes

Sync nodes to the tenant cluster to view real node information. The tenant cluster only displays the host nodes that have a pod deployed onto them. When this sync is enabled, vCluster deploys a cluster role onto the control plane cluster.

Sync nodes for real node information
sync:
  fromHost:
    nodes:
      enabled: true

Sync all real nodes

When syncing nodes, only nodes that have pods deployed on them show up in the tenant cluster, but you can sync all the nodes from the control plane cluster. When all nodes are selected, kubectl get nodes displays all the host nodes, whether or not a pod has been scheduled onto them.

Make all nodes visible to the tenant cluster
sync:
  fromHost:
    nodes:
      enabled: true
      selector:
        all: true

Sync back labels and taints

By default, when syncing nodes from the control plane cluster, labels and taints are only synced from the control plane cluster to the tenant cluster. No changes from the tenant cluster context are reflected on the host nodes.

Enabling syncBackChanges allows labels and taints set from the tenant cluster context to be synced to the host nodes. Additional permissions are added to the cluster role in order to edit the host nodes.

Sync labels and taints from the tenant cluster context to the host node
sync:
  fromHost:
    nodes:
      enabled: true
      syncBackChanges: true

Hide image information

When multiple tenants are using the same set of host nodes, container image metadata could be used maliciously. For increased security, you can enable clearImageStatus to remove all status.images from the node object.

Clear Image Status on the Node
sync:
  fromHost:
    nodes:
      enabled: true
      clearImageStatus: true
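To confirm from the tenant side that clearImageStatus took effect, the following added example (not part of the vCluster project) parses the output of kubectl get nodes -o json taken in the tenant cluster context and lists every node that still carries entries in status.images. The sample NodeList, node names and image names are constructed for illustration.

```python
import json

# Constructed sample: `kubectl get nodes -o json` as seen from the tenant
# cluster context. Node and image names are made up for illustration.
SAMPLE_NODELIST = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "worker-a"},
         "status": {"images": [
             {"names": ["registry.example/team-x/billing@sha256:aaaa",
                        "registry.example/team-x/billing:1.4"],
              "sizeBytes": 1234},
             {"names": None, "sizeBytes": 10}]}},
        {"metadata": {"name": "worker-b"}, "status": {"images": []}},
        {"metadata": {"name": "worker-c"}, "status": {}},
    ],
})


def exposed_images(nodelist_json):
    """Map node name -> sorted image names still present in status.images."""
    doc = json.loads(nodelist_json)
    # Accept a single Node object as well as a list of nodes.
    nodes = doc["items"] if "items" in doc else [doc]
    leaks = {}
    for node in nodes:
        name = (node.get("metadata") or {}).get("name", "<unnamed>")
        names = set()
        # status.images may be absent, null or empty once it has been cleared.
        for image in (node.get("status") or {}).get("images") or []:
            names.update(image.get("names") or [])
        if names:
            leaks[name] = sorted(names)
    return leaks


if __name__ == "__main__":
    for node, images in exposed_images(SAMPLE_NODELIST).items():
        print(f"{node}: {len(images)} image name(s) visible, e.g. {images[0]}")
```

An empty result means no synced node exposes image names to the tenant.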

Patches

Use sync.fromHost.nodes.patches to transform node fields while syncing nodes from the control plane cluster to the tenant cluster. See Patching synced resources for syntax, directionality, and examples.

Config reference

nodes (object)

Nodes defines if nodes should get synced from the host cluster to the virtual cluster, but not back.

enabled (boolean, default: false)

Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.

syncBackChanges (boolean, default: false)

SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled, someone within the virtual cluster will be able to change the labels and taints of the host cluster node.

clearImageStatus (boolean, default: false)

ClearImageStatus will erase the image status when syncing a node. This allows hiding images that are pulled by the node.

selector (object)

Selector can be used to define more granularly which nodes should get synced from the host cluster to the virtual cluster.

all (boolean, default: false)

All specifies if all nodes should get synced by vCluster from the host to the virtual cluster or only the ones that pods are assigned to.

labels (object, default: {})

Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.

patches (object[])

Patches patch the resource according to the provided specification.

path (string, required)

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression (string)

Expression transforms the value according to the given JavaScript expression.

reverseExpression (string)

ReverseExpression transforms the value according to the given JavaScript expression.

reference (object)

Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode this will not translate the name.

apiVersion (string, required)

APIVersion is the apiVersion of the referenced object.

apiVersionPath (string)

APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it will fall back to apiVersion.

kind (string, required)

Kind is the kind of the referenced object.

kindPath (string)

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it will fall back to kind.

namePath (string)

NamePath is the optional relative path to the reference name within the object.

namespacePath (string)

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels (object)

Labels treats the path value as a labels selector.
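A pre-deployment review of the sync.fromHost.nodes settings documented on this page, as an added example that is not vCluster code. It takes an already parsed vcluster.yaml mapping (for example from a YAML loader), applies the defaults from the config reference, and returns finding codes; the function name, the finding codes and the two sample configurations are constructed for illustration, and gating the all-nodes finding on enabled: true is an assumption based on the page's example.

```python
# Added example, not vCluster code. Defaults mirror the config reference above.
BOOL_DEFAULTS = {"enabled": False, "syncBackChanges": False, "clearImageStatus": False}

# Constructed samples: parsed forms of two vcluster.yaml files.
SYNC_BACK_CONFIG = {"sync": {"fromHost": {"nodes": {
    "enabled": True, "syncBackChanges": True}}}}
DEDICATED_CONFIG = {"sync": {"fromHost": {"nodes": {
    "enabled": True, "clearImageStatus": True,
    "selector": {"labels": {"environment": "production", "team": "backend"}}}}}}


def audit_node_sync(config):
    """Return sorted finding codes for sync.fromHost.nodes in a parsed config."""
    nodes = ((config.get("sync") or {}).get("fromHost") or {}).get("nodes") or {}
    eff = {key: bool(nodes.get(key, default)) for key, default in BOOL_DEFAULTS.items()}
    selector = nodes.get("selector") or {}
    findings = set()
    if eff["syncBackChanges"]:
        # Tenant-side label and taint edits reach the host nodes.
        findings.add("tenant-can-edit-host-node-labels-and-taints")
    if eff["enabled"] and not eff["clearImageStatus"]:
        # Real nodes are synced with status.images left in place.
        findings.add("host-image-status-visible-to-tenant")
    if eff["enabled"] and selector.get("all"):
        # Assumption: flagged only together with enabled: true, as in the page's example.
        findings.add("all-host-nodes-visible-to-tenant")
    if not selector.get("labels"):
        # No label selector: pods may be scheduled to any worker node.
        findings.add("no-dedicated-node-set")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("sync-back", SYNC_BACK_CONFIG), ("dedicated", DEDICATED_CONFIG)):
        print(label, audit_node_sync(cfg))
```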