vcluster.yaml configuration
| Enterprise (available in these plans) | Free | Dev | Prod | Scale |
|---|---|---|---|---|
| Auto Sleep | | | | |
| Custom Resource Syncing | | | | |
| Private Nodes | | | | |
| Private Nodes Auto Nodes | | | | |
| Private Nodes VPN | | | | |
The vcluster.yaml configuration file defines how your tenant cluster operates and integrates with the control plane cluster. Use the vcluster.yaml file to configure vCluster. It allows you to override default settings by specifying resource sync rules, networking behavior, storage options, and authentication methods.
If you're familiar with Helm, you can use vcluster.yaml in the same way as a values.yaml file. All vCluster deployment methods are based on Helm, which ensures consistent behavior across environments.
The configuration file controls resource synchronization between the control plane cluster and the tenant cluster, network access methods, storage persistence, authentication settings, and external service integrations. You can apply most configurations during deployment or upgrades, though some settings like the data store must be configured during initial deployment.
To explore configuration options, review the vCluster chart values file for default settings and available parameters. The vCluster Helm chart also includes a JSON schema for validating vcluster.yaml. For more information on configuration structure, see What is vcluster.yaml?.
Deploy a tenant cluster
Before you deploy, review the worker node deployment options to determine how the infrastructure of the tenant cluster will be configured.
Once you've chosen your deployment path, read the different ways to deploy:
Config reference
controlPlane object
Configure vCluster's control plane components and deployment.
endpoint string
Endpoint is the endpoint of the virtual cluster. This is used to connect to the virtual cluster.
distro object
Distro holds virtual cluster related distro options. A distro cannot be changed after vCluster is deployed.
k8s object
K8S holds K8s relevant configuration.
enabled boolean false
Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.
version string
Version is the Kubernetes version to use.
apiServer object
APIServer holds configuration specific to starting the api server.
enabled boolean true
Enabled signals this container should be enabled.
command string[] []
Command is the command to start the distro binary. This will override the existing command.
extraArgs string[] []
ExtraArgs are additional arguments to pass to the distro binary.
controllerManager object
ControllerManager holds configuration specific to starting the controller manager.
enabled boolean true
Enabled signals this container should be enabled.
command string[] []
Command is the command to start the distro binary. This will override the existing command.
extraArgs string[] []
ExtraArgs are additional arguments to pass to the distro binary.
scheduler object
Scheduler holds configuration specific to starting the scheduler.
enabled boolean false
Enabled signals this container should be enabled.
command string[] []
Command is the command to start the distro binary. This will override the existing command.
extraArgs string[] []
ExtraArgs are additional arguments to pass to the distro binary.
image object
Image is the distro image
registry string ghcr.io
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally
overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
repository string loft-sh/kubernetes
Repository is the repository of the container image, e.g. my-repo/my-image
tag string v1.36.0
Tag is the tag of the container image, and is the default version.
imagePullPolicy string
ImagePullPolicy is the pull policy for the distro image
env object[] []
Env are extra environment variables to use for the main container and NOT the init container.
resources object map[limits:map[cpu:100m memory:256Mi] requests:map[cpu:40m memory:64Mi]]
Resources for the distro init container
securityContext object {}
Security options can be used for the distro init container
standalone object
Standalone holds configuration for standalone mode. Standalone mode is set automatically when no container is detected and
also implies privateNodes.enabled.
enabled boolean
Enabled defines if standalone mode should be enabled.
dataDir string /var/lib/vcluster
DataDir defines the data directory for the standalone mode.
autoNodes object
AutoNodes automatically deploys nodes for standalone mode.
provider string
Provider is the node provider of the nodes in this pool.
quantity integer
Quantity is the number of nodes to deploy for standalone mode.
nodeTypeSelector object[]
NodeTypeSelector filters the types of nodes that can be provisioned by this pool.
All requirements must be met for a node type to be eligible.
property required string
Property is the property on the node type to select.
operator string
Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".
values string[]
Values is the list of values to use for comparison. This is mutually exclusive with value.
value string
Value is the value to use for comparison. This is mutually exclusive with values.
joinNode object
JoinNode holds configuration for the standalone control plane node.
enabled boolean true
Enabled defines if the standalone node should be joined into the cluster. If false, only the control plane binaries will be executed and no node will show up in the actual cluster.
preInstallCommands string[]
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
preJoinCommands string[]
PreJoinCommands are commands that will be executed before kubeadm join is executed.
postJoinCommands string[]
PostJoinCommands are commands that will be executed after kubeadm join is executed.
containerd object
Containerd holds configuration for the containerd join process.
enabled boolean true
Enabled defines if containerd should be installed and configured by vCluster.
registry object
Registry holds configuration for how containerd should be configured to use registries.
configPath string
ConfigPath is the path to the containerd registry config.
mirrors {key: object}
Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
server string
Server is the fallback server to use for the containerd registry mirror. E.g. https://registry-1.docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
caCert string[]
CACert are paths to CA certificates to use for the containerd registry mirror.
skipVerify boolean
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
capabilities string[]
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
overridePath boolean
OverridePath is a boolean to override the path for the containerd registry mirror.
hosts object[]
Hosts holds configuration for the containerd registry mirror hosts. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
server string
Server is the server to use for the containerd registry mirror host. E.g. http://192.168.31.250:5000.
caCert string[]
CACert are paths to CA certificates to use for the containerd registry mirror host.
skipVerify boolean
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
capabilities string[]
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
overridePath boolean
OverridePath is a boolean to override the path for the containerd registry mirror.
auth {key: object}
Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.
username string
Username is the username for the containerd registry.
password string
Password is the password for the containerd registry.
identityToken string
IdentityToken is the token for the containerd registry.
auth string
Auth is the auth config for the containerd registry.
pauseImage string
PauseImage is the image for the pause container.
caCertPath string
CACertPath is the path to the SSL certificate authority used to
secure communications between node and control-plane.
Defaults to "/etc/kubernetes/pki/ca.crt".
skipPhases string[]
SkipPhases is a list of phases to skip during command execution.
The list of phases can be obtained with the "kubeadm join --help" command.
nodeRegistration object
NodeRegistration holds configuration for the node registration similar to the kubeadm node registration.
criSocket string
CRI socket is the socket for the CRI.
kubeletExtraArgs object[]
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file
kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap.
Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
An argument name in this list is the flag name as it appears on the command line except without leading dash(es).
Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
name string
Name is the name of the argument.
value string
Value is the value of the argument.
taints object[]
Taints are additional taints to set for the kubelet.
key string
Required. The taint key to be applied to a node.
value string
The taint value corresponding to the taint key.
effect string
Required. The effect of the taint on pods
that do not tolerate the taint.
Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
ignorePreflightErrors string[]
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'.
Value 'all' ignores errors from all checks.
imagePullPolicy string
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations.
The value of this field must be one of "Always", "IfNotPresent" or "Never".
If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
backingStore object
BackingStore defines which backing store to use for virtual cluster. If not defined will use embedded database as a default backing store.
etcd object
Etcd defines that etcd should be used as the backend for the virtual cluster
embedded object
Embedded defines to use embedded etcd as a storage backend for the virtual cluster
enabled boolean false
Enabled defines if the embedded etcd should be used.
migrateFromDeployedEtcd boolean false
MigrateFromDeployedEtcd signals that vCluster should migrate from the deployed external etcd to embedded etcd.
snapshotCount integer
SnapshotCount defines the number of snapshots to keep for the embedded etcd. Defaults to 10000 if less than 1.
extraArgs string[] []
ExtraArgs are additional arguments to pass to the embedded etcd.
deploy object
Deploy defines to use an external etcd that is deployed by the helm chart
enabled boolean false
Enabled defines that an external etcd should be deployed.
statefulSet object
StatefulSet holds options for the external etcd statefulSet.
enabled boolean true
Enabled defines if the statefulSet should be deployed
enableServiceLinks boolean true
EnableServiceLinks for the StatefulSet pod
image object
Image is the image to use for the external etcd statefulSet
registry string registry.k8s.io
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally
overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
repository string etcd
Repository is the repository of the container image, e.g. my-repo/my-image
tag string 3.6.8-0
Tag is the tag of the container image, and is the default version.
imagePullPolicy string
ImagePullPolicy is the pull policy for the external etcd image
env object[] []
Env are extra environment variables
extraArgs string[] []
ExtraArgs are appended to the etcd command.
resources object
Resources the etcd can consume
limits object
Limits are resource limits for the container
requests object map[cpu:20m memory:150Mi]
Requests are minimal resources that will be consumed by the container
pods object
Pods defines extra metadata for the etcd pods.
annotations object {}
Annotations are extra annotations for this resource.
labels object {}
Labels are extra labels for this resource.
highAvailability object
HighAvailability are high availability options
replicas integer 1
Replicas are the amount of pods to use.
scheduling object
Scheduling options for the etcd pods.
nodeSelector object {}
NodeSelector is the node selector to apply to the pod.
affinity object {}
Affinity is the affinity to apply to the pod.
tolerations object[] []
Tolerations are the tolerations to apply to the pod.
priorityClassName string
PriorityClassName is the priority class name for the pod.
podManagementPolicy string Parallel
PodManagementPolicy is the statefulSet pod management policy.
topologySpreadConstraints object[] []
TopologySpreadConstraints are the topology spread constraints for the pod.
security object
Security options for the etcd pods.
podSecurityContext object {}
PodSecurityContext specifies security context options on the pod level.
containerSecurityContext object {}
ContainerSecurityContext specifies security context options on the container level.
persistence object
Persistence options for the etcd pods.
volumeClaim object
VolumeClaim can be used to configure the persistent volume claim.
enabled boolean true
Enabled enables deploying a persistent volume claim.
accessModes string[] [ReadWriteOnce]
AccessModes are the persistent volume claim access modes.
retentionPolicy string Retain
RetentionPolicy is the persistent volume claim retention policy.
size string 5Gi
Size is the persistent volume claim storage size.
storageClass string
StorageClass is the persistent volume claim storage class.
volumeClaimTemplates object[] []
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
addVolumes object[] []
AddVolumes defines extra volumes for the pod
addVolumeMounts object[]
AddVolumeMounts defines extra volume mounts for the container
name string
This must match the Name of a Volume.
readOnly boolean
Mounted read-only if true, read-write otherwise (false or unspecified).
Defaults to false.
mountPath string
Path within the container at which the volume should be mounted. Must
not contain ':'.
subPath string
Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
mountPropagation string
mountPropagation determines how mounts are propagated from the host
to container and the other way around.
When not set, MountPropagationNone is used.
This field is beta in 1.10.
subPathExpr string
Expanded path within the volume from which the container's volume should be mounted.
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
Defaults to "" (volume's root).
SubPathExpr and SubPath are mutually exclusive.
annotations object {}
Annotations are extra annotations for this resource.
labels object {}
Labels are extra labels for this resource.
database object
Database defines that a database backend should be used as the backend for the virtual cluster. This uses a project called kine under the hood which is a shim for bridging Kubernetes and relational databases.
embedded object
Embedded defines that an embedded database (sqlite) should be used as the backend for the virtual cluster
enabled boolean false
Enabled defines if the database should be used.
dataSource string
DataSource is the kine dataSource to use for the database. This depends on the database format.
This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/vcluster
- postgres: postgres://username:password@hostname:5432/vcluster
identityProvider string
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security.
This is optional for the external database. Examples:
- aws: RDS IAM Authentication
keyFile string
KeyFile is the key file to use for the database. This is optional.
certFile string
CertFile is the cert file to use for the database. This is optional.
caFile string
CaFile is the ca file to use for the database. This is optional.
extraArgs string[] []
ExtraArgs are additional arguments to pass to Kine.
external object
External defines that an external database should be used as the backend for the virtual cluster
enabled boolean false
Enabled defines if the database should be used.
dataSource string
DataSource is the kine dataSource to use for the database. This depends on the database format.
This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/vcluster
- postgres: postgres://username:password@hostname:5432/vcluster
identityProvider string
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security.
This is optional for the external database. Examples:
- aws: RDS IAM Authentication
keyFile string
KeyFile is the key file to use for the database. This is optional.
certFile string
CertFile is the cert file to use for the database. This is optional.
caFile string
CaFile is the ca file to use for the database. This is optional.
extraArgs string[] []
ExtraArgs are additional arguments to pass to Kine.
connector string
Connector specifies a secret located in a connected vCluster Platform that contains database server connection information
to be used by Platform to create a database and database user for the vCluster.
and non-privileged user. A kine endpoint should be created using the database and user on Platform registration.
This is optional.
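An added example, not part of the vCluster documentation or code base: a Python audit over a parsed vcluster.yaml that flags risky values in the fields described above (skipVerify and http:// servers on containerd registry mirrors, inline registry credentials, ignorePreflightErrors set to all, and a password embedded in a kine dataSource). The function names, the constructed sample values, and the nesting of the sample dictionaries (inferred from the order of this reference) are assumptions.

```python
# Added example (not vCluster project code): audit a parsed vcluster.yaml for
# risky values in fields this reference documents. Checks are keyed on field
# names, so they do not depend on where a field is nested.
import re

# kine-style data source with inline credentials: scheme://user:password@...
_DSN_PASSWORD = re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@", re.IGNORECASE)


def _check(key, value, path):
    """Return the findings for a single key/value pair."""
    if key == "skipVerify" and value is True:
        return [(path, "TLS certificate verification disabled for registry mirror")]
    if key == "server" and isinstance(value, str) and value.lower().startswith("http://"):
        return [(path, "registry mirror reached over plaintext http")]
    if key == "dataSource" and isinstance(value, str) and _DSN_PASSWORD.match(value):
        return [(path, "database password embedded in dataSource")]
    if key == "ignorePreflightErrors" and isinstance(value, list):
        if any(str(v).lower() == "all" for v in value):
            return [(path, "'all' ignores errors from every preflight check")]
    if key in ("password", "identityToken") and isinstance(value, str) and value:
        return [(path, "registry credential stored inline in the config file")]
    return []


def audit(node, path=""):
    """Walk the dicts and lists a YAML loader returns; collect (path, message)."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else str(key)
            findings += _check(key, value, child)
            findings += audit(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings += audit(item, f"{path}[{index}]")
    return findings


# Constructed sample; the nesting is an assumption based on this reference.
RISKY = {"controlPlane": {
    "standalone": {"joinNode": {
        "nodeRegistration": {"ignorePreflightErrors": ["all"]},
        "containerd": {"registry": {
            "mirrors": {"docker.io": {
                "server": "https://registry-1.docker.io",
                "hosts": [{"server": "http://192.168.31.250:5000", "skipVerify": True}],
            }},
            "auth": {"registry.example.internal:5000": {
                "username": "puller", "password": "constructed-secret"}},
        }},
    }},
    "backingStore": {"database": {"external": {
        "enabled": True,
        "dataSource": "postgres://username:password@hostname:5432/vcluster",
    }}},
}}

# Constructed counterpart: TLS with a pinned CA, no inline secrets, and a
# token-based identity provider instead of a password in the data source.
HARDENED = {"controlPlane": {
    "standalone": {"joinNode": {
        "nodeRegistration": {"ignorePreflightErrors": ["Swap"]},
        "containerd": {"registry": {
            "mirrors": {"docker.io": {
                "server": "https://registry-1.docker.io",
                "hosts": [{"server": "https://mirror.example.internal:5000",
                           "caCert": ["/etc/containerd/certs.d/mirror-ca.crt"]}],
            }},
        }},
    }},
    "backingStore": {"database": {"external": {
        "enabled": True,
        "dataSource": "postgres://username@hostname:5432/vcluster",
        "identityProvider": "aws",
    }}},
}}

if __name__ == "__main__":
    for where, message in audit(RISKY):
        print(f"{where}: {message}")
```

To audit a real file, pass the result of a safe YAML loader (for example `yaml.safe_load` from PyYAML) to `audit`.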
coredns object
CoreDNS defines everything related to the coredns that is deployed and used within the vCluster.
enabled boolean true
Enabled defines if coredns is enabled
embedded boolean false
Embedded defines if vCluster will start the embedded coredns service within the control-plane and not as a separate deployment. This is a PRO feature.
security object
Security defines pod or container security context.
podSecurityContext object {}
PodSecurityContext specifies security context options on the pod level.
containerSecurityContext object {}
ContainerSecurityContext specifies security context options on the container level.
service object
Service holds extra options for the coredns service deployed within the virtual cluster
spec object map[type:ClusterIP]
Spec holds extra options for the coredns service
annotations object {}
Annotations are extra annotations for this resource.
labels object {}
Labels are extra labels for this resource.
deployment object
Deployment holds extra options for the coredns deployment deployed within the virtual cluster
image string
Image is the coredns image to use
replicas integer 1
Replicas is the amount of coredns pods to run.
nodeSelector object {}
NodeSelector is the node selector to use for coredns.
affinity object {}
Affinity is the affinity to apply to the pod.
tolerations object[] []
Tolerations are the tolerations to apply to the pod.
resources object
Resources are the desired resources for coredns.
limits object map[cpu:1000m memory:170Mi]
Limits are resource limits for the container
requests object map[cpu:20m memory:64Mi]
Requests are minimal resources that will be consumed by the container
pods object
Pods is additional metadata for the coredns pods.
annotations object {}
Annotations are extra annotations for this resource.
labels object {}
Labels are extra labels for this resource.
annotations object {}
Annotations are extra annotations for this resource.
labels object {}
Labels are extra labels for this resource.
topologySpreadConstraints object[] [map[labelSelector:map[matchLabels:map[k8s-app:vcluster-kube-dns]] maxSkew:1 topologyKey:kubernetes.io/hostname whenUnsatisfiable:DoNotSchedule]]
TopologySpreadConstraints are the topology spread constraints for the CoreDNS pod.
overwriteConfig string
OverwriteConfig can be used to overwrite the coredns config
overwriteManifests string
OverwriteManifests can be used to overwrite the coredns manifests used to deploy coredns
priorityClassName string
PriorityClassName specifies the priority class name for the CoreDNS pods.
proxy object
Proxy defines options for the virtual cluster control plane proxy that is used to do authentication and intercept requests.
bindAddress string 0.0.0.0
BindAddress under which vCluster will expose the proxy.
port integer 8443
Port under which vCluster will expose the proxy. Changing port is currently not supported.
extraSANs string[] []
ExtraSANs are extra hostnames to sign the vCluster proxy certificate for.
hostPathMapper object
HostPathMapper defines if vCluster should rewrite host paths.
enabled boolean
Enabled specifies if the host path mapper will be used
central boolean
Central specifies if the central host path mapper will be used
ingress object
Ingress defines options for vCluster ingress deployed by Helm.
enabled boolean false
Enabled defines if the control plane ingress should be enabled
host string my-host.com
Host is the host where vCluster will be reachable
pathType string ImplementationSpecific
PathType is the path type of the ingress
spec object map[tls:[]]
Spec allows you to configure extra ingress options.
annotations object map[nginx.ingress.kubernetes.io/backend-protocol:HTTPS nginx.ingress.kubernetes.io/ssl-passthrough:true nginx.ingress.kubernetes.io/ssl-redirect:true]
Annotations are extra annotations for this resource.
labels object {}
Labels are extra labels for this resource.
tlsRoute object
TLSRoute defines options for vCluster TLS route deployed by Helm.
enabled boolean false
Enabled defines if the control plane should be exposed via a Gateway API TLS route. Make sure to enable TLS passthrough in the gateway by setting tls.mode to "Passthrough".
apiVersion string gateway.networking.k8s.io/v1
APIVersion is the version of the gateway api tls route.
host string my-host.com
Host is the host where vCluster will be reachable
parentRefs object[] []
ParentRefs are the parent references for the TLS route
spec object {}
Spec allows you to configure extra tls route options.
annotations object {}
Annotations are extra annotations for this resource.
labels object {}
Labels are extra labels for this resource.
service object
Service defines options for vCluster service deployed by Helm.
enabled boolean true
Enabled defines if the control plane service should be enabled
spec object map[type:ClusterIP]
Spec allows you to configure extra service options.
kubeletNodePort integer 0
KubeletNodePort is the node port where the fake kubelet is exposed. Defaults to 0.
httpsNodePort integer 0
HTTPSNodePort is the node port where https is exposed. Defaults to 0.
annotations object {}
Annotations are extra annotations for this resource.
labels object {}
Labels are extra labels for this resource.
statefulSet object
StatefulSet defines options for vCluster statefulSet deployed by Helm.
highAvailability object
HighAvailability holds options related to high availability.
replicas integer 1
Replicas is the amount of replicas to use for the statefulSet.
leaseDuration integer 60
LeaseDuration is the time to lease for the leader.
renewDeadline integer 40
RenewDeadline is the deadline to renew a lease for the leader.
retryPeriod integer 15
RetryPeriod is the time until a replica will retry to get a lease.
resources object
Resources are the resource requests and limits for the statefulSet container.
limits object map[ephemeral-storage:10Gi memory:4Gi]
Limits are resource limits for the container
requests object map[cpu:200m ephemeral-storage:1Gi memory:256Mi]
Requests are minimal resources that will be consumed by the container
scheduling object
Scheduling holds options related to scheduling.
nodeSelector object {}
NodeSelector is the node selector to apply to the pod.
affinity object {}
Affinity is the affinity to apply to the pod.
tolerations object[] []
Tolerations are the tolerations to apply to the pod.
priorityClassName string
PriorityClassName is the priority class name for the pod.
podManagementPolicy string Parallel
PodManagementPolicy is the statefulSet pod management policy.
topologySpreadConstraints object[] []
TopologySpreadConstraints are the topology spread constraints for the pod.
security object
Security defines pod or container security context.
podSecurityContext object {}
PodSecurityContext specifies security context options on the pod level.
containerSecurityContext object map[allowPrivilegeEscalation:false runAsGroup:0 runAsUser:0]
ContainerSecurityContext specifies security context options on the container level.
probes object
Probes enables or disables the main container probes.
livenessProbe object
LivenessProbe specifies if the liveness probe for the container should be enabled
enabled boolean true
Enabled defines if this option should be enabled.
failureThreshold integer 60
Number of consecutive failures for the probe to be considered failed
initialDelaySeconds integer 60
Time (in seconds) to wait before starting the liveness probe
timeoutSeconds integer 3
Maximum duration (in seconds) that the probe will wait for a response.
periodSeconds integer 2
Frequency (in seconds) to perform the probe
periodSeconds integer 2 ​readinessProbe object ​
ReadinessProbe specifies if the readiness probe for the container should be enabled
readinessProbe object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​failureThreshold integer 60 ​
Number of consecutive failures for the probe to be considered failed
failureThreshold integer 60 ​timeoutSeconds integer 3 ​
Maximum duration (in seconds) that the probe will wait for a response.
timeoutSeconds integer 3 ​periodSeconds integer 2 ​
Frequency (in seconds) to perform the probe
periodSeconds integer 2 ​startupProbe object ​
StartupProbe specifies if the startup probe for the container should be enabled
startupProbe object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​failureThreshold integer 300 ​
Number of consecutive failures allowed before failing the pod
failureThreshold integer 300 ​timeoutSeconds integer 3 ​
Maximum duration (in seconds) that the probe will wait for a response.
timeoutSeconds integer 3 ​periodSeconds integer 6 ​
Frequency (in seconds) to perform the probe
periodSeconds integer 6 ​persistence object ​
Persistence defines options around persistence for the statefulSet.
persistence object ​volumeClaim object ​
VolumeClaim can be used to configure the persistent volume claim.
volumeClaim object ​enabled string|boolean auto ​
Enabled enables deploying a persistent volume claim. If auto, vCluster will automatically determine
based on the chosen distro and other options if this is required.
enabled string|boolean auto ​accessModes string[] [ReadWriteOnce] ​
AccessModes are the persistent volume claim access modes.
accessModes string[] [ReadWriteOnce] ​retentionPolicy string Retain ​
RetentionPolicy is the persistent volume claim retention policy.
retentionPolicy string Retain ​size string 5Gi ​
Size is the persistent volume claim storage size.
size string 5Gi ​storageClass string ​
StorageClass is the persistent volume claim storage class.
storageClass string ​volumeClaimTemplates object[] [] ​
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
volumeClaimTemplates object[] [] ​dataVolume object[] [] ​
Allows you to override the dataVolume. Only works correctly if volumeClaim.enabled=false.
dataVolume object[] [] ​binariesVolume object[] [map[emptyDir:map[] name:binaries]] ​
BinariesVolume defines a binaries volume that is used to retrieve
distro specific executables to be run by the syncer controller.
This volume doesn't need to be persistent.
binariesVolume object[] [map[emptyDir:map[] name:binaries]] ​addVolumes object[] [] ​
AddVolumes defines extra volumes for the pod
addVolumes object[] [] ​addVolumeMounts object[] ​
AddVolumeMounts defines extra volume mounts for the container
addVolumeMounts object[] ​name string ​
This must match the Name of a Volume.
name string ​readOnly boolean ​
Mounted read-only if true, read-write otherwise (false or unspecified).
Defaults to false.
readOnly boolean ​mountPath string ​
Path within the container at which the volume should be mounted. Must
not contain ':'.
mountPath string ​subPath string ​
Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
subPath string ​mountPropagation string ​
mountPropagation determines how mounts are propagated from the host
to container and the other way around.
When not set, MountPropagationNone is used.
This field is beta in 1.10.
mountPropagation string ​subPathExpr string ​
Expanded path within the volume from which the container's volume should be mounted.
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
Defaults to "" (volume's root).
SubPathExpr and SubPath are mutually exclusive.
subPathExpr string ​enableServiceLinks boolean true ​
EnableServiceLinks for the StatefulSet pod
enableServiceLinks boolean true ​annotations object {} ​
Annotations are extra annotations for this resource.
annotations object {} ​labels object {} ​
Labels are extra labels for this resource.
labels object {} ​pods object ​
Additional labels or annotations for the statefulSet pods.
pods object ​annotations object {} ​
Annotations are extra annotations for this resource.
annotations object {} ​labels object {} ​
Labels are extra labels for this resource.
labels object {} ​image object ​
Image is the image for the controlPlane statefulSet container
It defaults to the vCluster pro repository that includes the optional pro modules that are turned off by default.
If you still want to use the pure OSS build, set the repository to 'loft-sh/vcluster-oss'.
image object ​registry string ghcr.io ​
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally
overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
registry string ghcr.io ​repository string loft-sh/vcluster-pro ​
Repository is the repository of the container image, e.g. my-repo/my-image
repository string loft-sh/vcluster-pro ​tag string ​
Tag is the tag of the container image, and is the default version.
tag string ​imagePullPolicy string ​
ImagePullPolicy is the policy for pulling the image.
imagePullPolicy string ​workingDir string ​
WorkingDir specifies in what folder the main process should get started.
workingDir string ​command string[] [] ​
Command allows you to override the main command.
command string[] [] ​args string[] [] ​
Args allows you to override the main arguments.
args string[] [] ​env object[] [] ​
Env are additional environment variables for the statefulSet container.
env object[] [] ​dnsPolicy string ​
Set DNS policy for the pod.
dnsPolicy string ​dnsConfig object ​
Specifies the DNS parameters of a pod.
dnsConfig object ​nameservers string[] ​
A list of DNS name server IP addresses.
This will be appended to the base nameservers generated from DNSPolicy.
Duplicated nameservers will be removed.
nameservers string[] ​searches string[] ​
A list of DNS search domains for host-name lookup.
This will be appended to the base search paths generated from DNSPolicy.
Duplicated search paths will be removed.
searches string[] ​initContainers object[] [] ​
InitContainers are additional init containers for the statefulSet.
initContainers object[] [] ​sidecarContainers object[] [] ​
SidecarContainers are additional sidecar containers for the statefulSet.
sidecarContainers object[] [] ​hostAliases object[] ​
HostAliases allows you to add custom entries to the /etc/hosts file of each Pod created.
hostAliases object[] ​ip string ​
ip string ​hostnames string[] ​
hostnames string[] ​runtimeClassName string ​
RuntimeClassName is the runtime class to set for the statefulSet pods.
runtimeClassName string ​serviceMonitor object ​
ServiceMonitor can be used to automatically create a service monitor for vCluster deployment itself.
serviceMonitor object ​enabled boolean false ​
Enabled configures if Helm should create the service monitor.
enabled boolean false ​labels object {} ​
Labels are the extra labels to add to the service monitor.
labels object {} ​annotations object {} ​
Annotations are the extra annotations to add to the service monitor.
annotations object {} ​advanced object ​
Advanced holds additional configuration for the vCluster control plane.
advanced object ​defaultImageRegistry string ​
DefaultImageRegistry will be used as a prefix for all internal images deployed by vCluster or Helm. This makes it easy to
upload all required vCluster images to a single private repository and set this value. Workload images are not affected by this.
defaultImageRegistry string ​virtualScheduler object ​
VirtualScheduler defines if a scheduler should be used within the virtual cluster or the scheduling decision for workloads will be made by the host cluster.
Deprecated: Use ControlPlane.Distro.K8S.Scheduler instead.
virtualScheduler object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​serviceAccount object ​
ServiceAccount specifies options for the vCluster control plane service account.
serviceAccount object ​enabled boolean true ​
Enabled specifies if the service account should get deployed.
enabled boolean true ​name string ​
Name specifies what name to use for the service account.
name string ​imagePullSecrets object[] ​
ImagePullSecrets defines extra image pull secrets for the service account.
imagePullSecrets object[] ​name string ​
Name of the image pull secret to use.
name string ​annotations object {} ​
Annotations are extra annotations for this resource.
annotations object {} ​labels object {} ​
Labels are extra labels for this resource.
labels object {} ​workloadServiceAccount object ​
WorkloadServiceAccount specifies options for the service account that will be used for the workloads that run within the virtual cluster.
workloadServiceAccount object ​enabled boolean true ​
Enabled specifies if the service account for the workloads should get deployed.
enabled boolean true ​name string ​
Name specifies what name to use for the service account for the virtual cluster workloads.
name string ​imagePullSecrets object[] ​
ImagePullSecrets defines extra image pull secrets for the workload service account.
imagePullSecrets object[] ​name string ​
Name of the image pull secret to use.
name string ​annotations object {} ​
Annotations are extra annotations for this resource.
annotations object {} ​labels object {} ​
Labels are extra labels for this resource.
labels object {} ​headlessService object ​
HeadlessService specifies options for the headless service used for the vCluster StatefulSet.
headlessService object ​annotations object {} ​
Annotations are extra annotations for this resource.
annotations object {} ​labels object {} ​
Labels are extra labels for this resource.
labels object {} ​konnectivity object ​
Konnectivity holds dedicated konnectivity configuration. This is only available when privateNodes.enabled is true.
konnectivity object ​server object ​
Server holds configuration for the konnectivity server.
server object ​enabled boolean true ​
Enabled defines if the konnectivity server should be enabled.
enabled boolean true ​extraArgs string[] [] ​
ExtraArgs are additional arguments to pass to the konnectivity server.
extraArgs string[] [] ​agent object ​
Agent holds configuration for the konnectivity agent.
agent object ​enabled boolean true ​
Enabled defines if the konnectivity agent should be enabled.
enabled boolean true ​replicas integer 1 ​
Replicas is the number of replicas for the konnectivity agent.
replicas integer 1 ​image string ​
Image is the image for the konnectivity agent.
image string ​imagePullPolicy string ​
ImagePullPolicy is the policy for pulling the image.
imagePullPolicy string ​nodeSelector object {} ​
NodeSelector is the node selector for the konnectivity agent.
nodeSelector object {} ​priorityClassName string ​
PriorityClassName is the priority class name for the konnectivity agent.
priorityClassName string ​tolerations object[] [] ​
Tolerations are the tolerations for the konnectivity agent.
tolerations object[] [] ​extraEnv object[] [] ​
ExtraEnv are the extra environment variables for the konnectivity agent.
extraEnv object[] [] ​extraArgs string[] [] ​
ExtraArgs are additional arguments to pass to the konnectivity agent.
extraArgs string[] [] ​registry object ​
Registry allows enabling an embedded docker image registry in vCluster. This is useful for air-gapped environments or when you don't have a public registry available to distribute images.
registry object ​enabled boolean false ​
Enabled defines if the embedded registry should be enabled.
enabled boolean false ​anonymousPull boolean true ​
AnonymousPull allows enabling anonymous pull for the embedded registry. This allows anybody to pull images from the registry without authentication.
anonymousPull boolean true ​config object {} ​
Config is the regular docker registry config. See https://distribution.github.io/distribution/about/configuration/ for more details.
config object {} ​cloudControllerManager object ​
CloudControllerManager holds configuration for the embedded cloud controller manager. This is only available when private nodes are enabled.
The cloud controller manager is responsible for setting the node's ip addresses as well as the provider id for the node and other node metadata.
cloudControllerManager object ​enabled boolean true ​
Enabled defines if the embedded cloud controller manager should be enabled. This defaults to true, but can be disabled if you want to use
an external cloud controller manager such as AWS or GCP. The cloud controller manager is responsible for setting the node's ip addresses as well
as the provider id for the node and other node metadata.
enabled boolean true ​globalMetadata object ​
GlobalMetadata is metadata that will be added to all resources deployed by Helm.
globalMetadata object ​annotations object {} ​
Annotations are extra annotations for this resource.
annotations object {} ​kubeVip object ​
KubeVip holds configuration for embedded kube-vip that announces the virtual cluster endpoint IP on layer 2.
kubeVip object ​enabled boolean false ​
Enabled defines if embedded kube-vip should be enabled.
enabled boolean false ​interface string ​
Interface is the network interface on which the VIP is announced.
interface string ​gateway string ​
Gateway is the gateway address in CIDR notation (e.g., 10.100.0.1/24).
This is used to configure policy-based routing for the VIP and must include the subnet prefix.
gateway string ​podDisruptionBudget object ​
PodDisruptionBudget limits how many pods of an application can be voluntarily disrupted at once
to ensure availability during maintenance or scaling operations.
podDisruptionBudget object ​enabled boolean false ​
Enabled defines if the pod disruption budget should be enabled.
enabled boolean false ​minAvailable object ​
MinAvailable describes the minimal number or percentage of available pods.
minAvailable object ​maxUnavailable object ​
MaxUnavailable describes the maximum number or percentage of unavailable pods.
maxUnavailable object ​unhealthyPodEvictionPolicy string ​
UnhealthyPodEvictionPolicy defines the criteria when unhealthy pods should be considered for eviction.
Currently supported values are:
- IfHealthyBudget - pods that are in the Running phase but not yet healthy are considered disrupted
and may be evicted even if the PodDisruptionBudget criteria are not met.
- AlwaysAllow - pods that are in the Running phase but not yet healthy are considered disrupted
and can be evicted regardless of whether the criteria in a PDB is met.
unhealthyPodEvictionPolicy string ​logging object ​
Logging provides structured logging options
logging object ​encoding string console ​
Encoding specifies the format of vCluster logs, it can either be json or console.
encoding string console ​privateNodes object ​
PrivateNodes holds configuration for vCluster private nodes mode.
privateNodes object ​enabled boolean false ​
Enabled defines if dedicated nodes should be enabled.
enabled boolean false ​kubelet object ​
Kubelet holds kubelet configuration that is used for all nodes.
kubelet object ​config object {} ​
Config is the config for the kubelet that will be merged into the default kubelet config. More information can be found here:
https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration
config object {} ​autoUpgrade object ​
AutoUpgrade holds configuration for auto upgrade.
autoUpgrade object ​enabled boolean true ​
Enabled defines if auto upgrade should be enabled.
enabled boolean true ​image string ​
Image is the image for the auto upgrade pod started by vCluster. If empty defaults to the controlPlane.statefulSet.image.
image string ​imagePullPolicy string ​
ImagePullPolicy is the policy for pulling the image.
imagePullPolicy string ​nodeSelector object ​
NodeSelector is the node selector for the auto upgrade. If empty will select all worker nodes.
nodeSelector object ​binariesPath string ​
BinariesPath is the base path for the kubeadm binaries. Defaults to /usr/local/bin
binariesPath string ​cniBinariesPath string ​
CNIBinariesPath is the base path for the CNI binaries. Defaults to /opt/cni/bin
cniBinariesPath string ​concurrency integer 1 ​
Concurrency is the number of nodes that can be upgraded at the same time.
concurrency integer 1 ​podSecurityContext object {} ​
PodSecurityContext specifies security context options on the pod level for the upgrade pod.
podSecurityContext object {} ​containerSecurityContext object {} ​
ContainerSecurityContext specifies security context options on the container level for the upgrade container.
containerSecurityContext object {} ​joinNode object ​
JoinNode holds configuration specifically used during joining the node (see "kubeadm join").
joinNode object ​preInstallCommands string[] ​
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
preInstallCommands string[] ​preJoinCommands string[] ​
PreJoinCommands are commands that will be executed before kubeadm join is executed.
preJoinCommands string[] ​postJoinCommands string[] ​
PostJoinCommands are commands that will be executed after kubeadm join is executed.
postJoinCommands string[] ​containerd object ​
Containerd holds configuration for the containerd join process.
containerd object ​enabled boolean true ​
Enabled defines if containerd should be installed and configured by vCluster.
enabled boolean true ​registry object ​
Registry holds configuration for how containerd should be configured to use registries.
registry object ​configPath string ​
ConfigPath is the path to the containerd registry config.
configPath string ​mirrors {key: object} ​
Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
mirrors {key: object} ​server string ​
Server is the fallback server to use for the containerd registry mirror. E.g. https://registry-1.docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
server string ​caCert string[] ​
CACert are paths to CA certificates to use for the containerd registry mirror.
caCert string[] ​skipVerify boolean ​
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
skipVerify boolean ​capabilities string[] ​
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
capabilities string[] ​overridePath boolean ​
OverridePath is a boolean to override the path for the containerd registry mirror.
overridePath boolean ​hosts object[] ​
Hosts holds configuration for the containerd registry mirror hosts. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
hosts object[] ​server string ​
Server is the server to use for the containerd registry mirror host. E.g. http://192.168.31.250:5000.
server string ​caCert string[] ​
CACert are paths to CA certificates to use for the containerd registry mirror host.
caCert string[] ​skipVerify boolean ​
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
skipVerify boolean ​capabilities string[] ​
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
capabilities string[] ​overridePath boolean ​
OverridePath is a boolean to override the path for the containerd registry mirror.
overridePath boolean ​auth {key: object} ​
Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.
auth {key: object} ​username string ​
Username is the username for the containerd registry.
username string ​password string ​
Password is the password for the containerd registry.
password string ​identityToken string ​
IdentityToken is the token for the containerd registry.
identityToken string ​auth string ​
Auth is the auth config for the containerd registry.
auth string ​pauseImage string ​
PauseImage is the image for the pause container.
pauseImage string ​caCertPath string ​
CACertPath is the path to the SSL certificate authority used to
secure communications between node and control-plane.
Defaults to "/etc/kubernetes/pki/ca.crt".
caCertPath string ​skipPhases string[] ​
SkipPhases is a list of phases to skip during command execution.
The list of phases can be obtained with the "kubeadm join --help" command.
skipPhases string[] ​nodeRegistration object ​
NodeRegistration holds configuration for the node registration similar to the kubeadm node registration.
nodeRegistration object ​criSocket string ​
CRI socket is the socket for the CRI.
criSocket string ​kubeletExtraArgs object[] ​
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file
kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap.
Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
An argument name in this list is the flag name as it appears on the command line except without leading dash(es).
Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
kubeletExtraArgs object[] ​name string ​
Name is the name of the argument.
name string ​value string ​
Value is the value of the argument.
value string ​taints object[] ​
Taints are additional taints to set for the kubelet.
taints object[] ​key string ​
Required. The taint key to be applied to a node.
key string ​value string ​
The taint value corresponding to the taint key.
value string ​effect string ​
Required. The effect of the taint on pods
that do not tolerate the taint.
Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
effect string ​ignorePreflightErrors string[] ​
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'.
Value 'all' ignores errors from all checks.
ignorePreflightErrors string[] ​imagePullPolicy string ​
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations.
The value of this field must be one of "Always", "IfNotPresent" or "Never".
If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
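The joinNode options described above (containerd registry mirrors and node registration) combined in one fragment, as an added example that is not part of the original reference. The mirror hostname, CA path and taint values are constructed, and the nesting under `privateNodes.joinNode` is an assumption based on the order of the fields in this reference.

```yaml
# Added example: join private nodes through a TLS-verified registry mirror.
privateNodes:
  enabled: true
  joinNode:
    containerd:
      enabled: true
      registry:
        mirrors:
          docker.io:
            # Fallback server for this registry.
            server: https://registry-1.docker.io
            hosts:
              # Weak form, shown for contrast: skipVerify turns off certificate
              # verification and allows plain HTTP connections to the mirror.
              # - server: http://192.168.31.250:5000
              #   skipVerify: true
              - server: https://mirror.internal.example:5000   # constructed hostname
                caCert:
                  - /etc/ssl/private-ca/mirror-ca.crt           # constructed path; file must exist on the node
                capabilities:
                  - pull
                  - resolve
    nodeRegistration:
      kubeletExtraArgs:
        # Flag name without leading dashes; disables the kubelet's read-only port.
        - name: read-only-port
          value: "0"
      taints:
        - key: dedicated            # constructed taint
          value: tenant-a
          effect: NoSchedule
      # List only the checks known to fail on these nodes; 'all' ignores every preflight check.
      ignorePreflightErrors:
        - Swap
      imagePullPolicy: IfNotPresent
```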
imagePullPolicy string ​autoNodes object[] ​
AutoNodes stores auto nodes configuration.
autoNodes object[] ​provider required string ​
Provider is the node provider of the nodes in this pool.
provider required string ​properties object ​
Properties are the node provider properties. This is a simple key value map and can contain things
like region, subscription, etc. that is then used by the node provider to create the nodes and node environment.
properties object ​static object[] ​
Static defines static node pools. Static node pools have a fixed size and are not scaled automatically.
static object[] ​name required string ​
Name is the name of this static nodePool
name required string ​nodeTypeSelector object[] ​
NodeTypeSelector filters the types of nodes that can be provisioned by this pool.
All requirements must be met for a node type to be eligible.
nodeTypeSelector object[] ​property required string ​
Property is the property on the node type to select.
property required string ​operator string ​
Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".
operator string ​values string[] ​
Values is the list of values to use for comparison. This is mutually exclusive with value.
values string[] ​value string ​
Value is the value to use for comparison. This is mutually exclusive with values.
value string ​taints object[] ​
Taints are the taints to apply to the nodes in this pool.
taints object[] ​key string ​
Required. The taint key to be applied to a node.
key string ​value string ​
The taint value corresponding to the taint key.
value string ​effect string ​
Required. The effect of the taint on pods
that do not tolerate the taint.
Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
effect string ​nodeLabels object ​
NodeLabels are the labels to apply to the nodes in this pool.
nodeLabels object ​terminationGracePeriod string ​
TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.
Warning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.
This field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period.
When set, drifted nodes will begin draining even if there are pods blocking eviction. Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.
Karpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod.
If a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout,
that pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.
The feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks.
Defaults to 30s. Set to Never to wait indefinitely for pods to be drained.
terminationGracePeriod string ​quantity required integer ​
Quantity is the number of desired nodes in this pool.
quantity required integer ​dynamic object[] ​
Dynamic defines dynamic node pools. Dynamic node pools are scaled automatically based on the requirements within the cluster.
Karpenter is used under the hood to handle the scheduling of the nodes.
dynamic object[] ​name required string ​
Name is the name of this NodePool
name required string ​nodeTypeSelector object[] ​
NodeTypeSelector filters the types of nodes that can be provisioned by this pool.
All requirements must be met for a node type to be eligible.
nodeTypeSelector object[] ​property required string ​
Property is the property on the node type to select.
property required string ​operator string ​
Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".
operator string ​values string[] ​
Values is the list of values to use for comparison. This is mutually exclusive with value.
values string[] ​value string ​
Value is the value to use for comparison. This is mutually exclusive with values.
value string ​taints object[] ​
Taints are the taints to apply to the nodes in this pool.
taints object[] ​key string ​
Required. The taint key to be applied to a node.
key string ​value string ​
The taint value corresponding to the taint key.
value string ​effect string ​
Required. The effect of the taint on pods
that do not tolerate the taint.
Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
effect string ​nodeLabels object ​
NodeLabels are the labels to apply to the nodes in this pool.
nodeLabels object ​limits object ​
Limits specify the maximum resources that can be provisioned by this node pool,
mapping to the 'limits' field in Karpenter's NodePool API.
limits object ​disruption object ​
Disruption contains the parameters that relate to Karpenter's disruption logic
disruption object ​consolidateAfter string ​
ConsolidateAfter is the duration the controller will wait
before attempting to terminate nodes that are underutilized.
Refer to ConsolidationPolicy for how underutilization is considered.
consolidateAfter string ​consolidationPolicy string ​
ConsolidationPolicy describes which nodes Karpenter can disrupt through its consolidation
algorithm. This policy defaults to "WhenEmptyOrUnderutilized" if not specified
consolidationPolicy string ​budgets object[] ​
Budgets is a list of Budgets.
If there are multiple active budgets, Karpenter uses
the most restrictive value. If left undefined,
this will default to one budget with a value of 10%.
budgets object[] ​nodes string ​
Nodes dictates the maximum number of NodeClaims owned by this NodePool
that can be terminating at once. This is calculated by counting nodes that
have a deletion timestamp set, or are actively being deleted by Karpenter.
This field is required when specifying a budget.
nodes string ​schedule string ​
Schedule specifies when a budget begins being active, following
the upstream cronjob syntax. If omitted, the budget is always active.
Timezones are not supported.
schedule string ​duration string ​
Duration determines how long a Budget is active since each Schedule hit.
Only minutes and hours are accepted, as cron does not work in seconds.
If omitted, the budget is always active.
This is required if Schedule is set.
duration string ​terminationGracePeriod string ​
TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.
Warning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.
This field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period.
When set, drifted nodes will begin draining even if there are pods blocking eviction. Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.
Karpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod.
If a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout,
that pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.
The feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks.
Defaults to 30s. Set to Never to wait indefinitely for pods to be drained.
terminationGracePeriod string ​expireAfter string ​
The amount of time a Node can live on the cluster before being removed
expireAfter string ​weight integer ​
Weight is the weight of this node pool.
vpn object
VPN holds configuration for the private nodes VPN. It can be used to connect the private nodes to the control plane, or to connect the private nodes to each other if they are not running in the same network. A platform connection is required for the VPN to work.
enabled boolean false
Enabled defines if the private nodes VPN should be enabled.
daemon object
Daemon holds configuration for the private nodes daemon that is deployed on the nodes.
enabled boolean false
Enabled defines if the private nodes daemon should be enabled.
controlPlaneLoadBalancer object
ControlPlaneLoadBalancer holds configuration for the control plane load balancer. This is used to load balance the control plane traffic on the node to the control plane nodes. It is useful to achieve true high availability for the control plane without having to deploy a separate load balancer.
enabled boolean false
Enabled defines if the control plane load balancer should be enabled. The control plane load balancer is used to load balance the control plane traffic on the node to the control plane nodes.
kubeProxy boolean true
KubeProxy defines if the kube proxy should be proxied through the control plane load balancer as well.
port integer 11343
Port defines the port for the control plane load balancer.
exportKubeConfig object
ExportKubeConfig describes how vCluster should export the vCluster kubeconfig file.
context string
Context is the name of the context within the generated kubeconfig to use.
server string
Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.
insecure boolean false
Insecure defines whether TLS should be skipped for the server.
serviceAccount object
ServiceAccount can be used to generate a service account token instead of the default certificates.
name string
Name of the service account to be used to generate a service account token instead of the default certificates.
namespace string
Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, the kube-system namespace is used.
clusterRole string
ClusterRole to assign to the service account.
secret object
Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig. If this is not defined, vCluster will create it with vc-NAME. If you specify another name, vCluster creates the config in this other secret.
Deprecated: Use AdditionalSecrets instead.
name string
Name is the name of the secret where the kubeconfig should get stored.
namespace string
Namespace where vCluster should store the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
additionalSecrets object[]
AdditionalSecrets specifies the additional host cluster secrets in which vCluster will store the generated virtual cluster kubeconfigs.
context string
Context is the name of the context within the generated kubeconfig to use.
server string
Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.
insecure boolean
Insecure defines whether TLS should be skipped for the server.
serviceAccount object
ServiceAccount can be used to generate a service account token instead of the default certificates.
name string
Name of the service account to be used to generate a service account token instead of the default certificates.
namespace string
Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, the kube-system namespace is used.
clusterRole string
ClusterRole to assign to the service account.
name string
Name is the name of the secret where the kubeconfig is stored.
namespace string
Namespace where vCluster stores the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
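The exportKubeConfig fields above, assembled into one vcluster.yaml fragment as an added example (not taken from the vCluster docs). The nesting is inferred from the field order on this page, and the host name, context, service account and secret names are constructed placeholders.

```yaml
# Constructed example: export a kubeconfig that carries a read-only
# service account token instead of the default certificates.
exportKubeConfig:
  context: tenant-a                            # placeholder context name
  server: https://tenant-a.example.internal    # replaces https://localhost:8443
  insecure: false                              # default: TLS is not skipped
  serviceAccount:
    name: ci-readonly                          # placeholder service account
    namespace: kube-system                     # documented default when omitted
    clusterRole: view                          # Kubernetes' built-in read-only ClusterRole
  # The deprecated `secret` object is left unset; additionalSecrets replaces it.
  additionalSecrets:
    - name: tenant-a-ci-kubeconfig             # placeholder secret name
      # A namespace other than the one vCluster is deployed in:
      # vCluster must be given access to it.
      namespace: ci-tenant-a
      context: tenant-a
      server: https://tenant-a.example.internal
      insecure: false
      serviceAccount:
        name: ci-readonly
        clusterRole: view
```

Anyone who can read the target secret obtains the exported credential, so access to that namespace's secrets should be scoped as tightly as the clusterRole chosen here.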
sync object
Sync describes how to sync resources from the virtual cluster to host cluster and back.
toHost object
Configure resources to sync from the virtual cluster to the host cluster.
pods object
Pods defines if pods created within the virtual cluster should get synced to the host cluster.
enabled boolean true
Enabled defines if pod syncing should be enabled.
translateImage object {}
TranslateImage maps an image to another image that should be used instead. For example, this can be used to rewrite a certain image that is used within the virtual cluster to be another image on the host cluster.
enforceTolerations string[] []
EnforceTolerations will add the specified tolerations to all pods synced by the virtual cluster.
useSecretsForSATokens boolean false
UseSecretsForSATokens will use secrets to save the service account tokens generated by the virtual cluster instead of using a pod annotation.
runtimeClassName string
RuntimeClassName is the runtime class to set for synced pods.
priorityClassName string
PriorityClassName is the priority class to set for synced pods.
rewriteHosts object
RewriteHosts is a special option needed to rewrite statefulset containers to allow the correct FQDN. The virtual cluster will add a small container to each stateful set pod that will initially rewrite the /etc/hosts file to match the FQDN expected by the virtual cluster.
enabled boolean true
Enabled specifies if rewriting stateful set pods should be enabled.
initContainer object
InitContainer holds extra options for the init container used by vCluster to rewrite the FQDN for stateful set pods.
image object
Image is the image the virtual cluster should use to rewrite this FQDN.
registry string mirror.gcr.io
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means Docker Hub.
repository string library/alpine
Repository is the repository of the container image, e.g. my-repo/my-image.
tag string 3.20
Tag is the tag of the container image, and is the default version.
resources object
Resources are the resources that should be assigned to the init container for each stateful set init container.
limits object map[cpu:30m memory:64Mi]
Limits are resource limits for the container.
requests object map[cpu:30m memory:64Mi]
Requests are minimal resources that will be consumed by the container.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
hybridScheduling object
HybridScheduling is used to enable and configure hybrid scheduling for pods in the virtual cluster.
enabled boolean false
Enabled specifies if hybrid scheduling is enabled.
hostSchedulers string[] []
HostSchedulers is a list of schedulers that are deployed on the host cluster.
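The pod sync options above control what actually runs on the host cluster, so they are where image provenance and runtime isolation get pinned. The fragment below is an added example (not taken from the vCluster docs); the nesting is inferred from the field order on this page, and the registry host, image names and runtime class name are constructed placeholders.

```yaml
# Constructed example: pin images and the runtime for pods synced to the host.
sync:
  toHost:
    pods:
      enabled: true
      # Map an image requested inside the virtual cluster to a copy in a
      # registry you control (both image references are placeholders).
      translateImage:
        "docker.io/library/nginx:1.27": "registry.example.internal/mirror/nginx:1.27"
      # Save generated service account tokens in secrets instead of a
      # pod annotation.
      useSecretsForSATokens: true          # default: false
      # Runtime class set on every synced pod; it must exist on the host cluster.
      runtimeClassName: sandboxed          # placeholder RuntimeClass name
      rewriteHosts:
        enabled: true
        initContainer:
          image:
            registry: registry.example.internal   # default: mirror.gcr.io
            repository: mirror/alpine             # default: library/alpine
            tag: "3.20"
          resources:
            limits:
              cpu: 30m
              memory: 64Mi
            requests:
              cpu: 30m
              memory: 64Mi
```

The rewriteHosts init container is added to every stateful set pod, so its image is worth sourcing from the same controlled registry as the workload images.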
secrets object
Secrets defines if secrets created within the virtual cluster should get synced to the host cluster.
enabled boolean true
Enabled defines if this option should be enabled.
all boolean false
All defines if all resources of that type should get synced or only the necessary ones that are needed.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
configMaps object
ConfigMaps defines if config maps created within the virtual cluster should get synced to the host cluster.
enabled boolean true
Enabled defines if this option should be enabled.
all boolean false
All defines if all resources of that type should get synced or only the necessary ones that are needed.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
ingresses object
Ingresses defines if ingresses created within the virtual cluster should get synced to the host cluster.
enabled boolean false
Enabled defines if this option should be enabled.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
gatewayApi object
GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster.
enabled boolean false
Enabled defines if this option should be enabled.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
httpRoutes object
HTTPRoutes configures HTTPRoute sync to the control plane cluster.
enabled boolean false
Enabled defines if this option should be enabled.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
gateways object
Gateways configures tenant-created Gateway sync to the control plane cluster.
enabled boolean false
Enabled defines if this option should be enabled.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
tlsRoutes object
TLSRoutes configures TLSRoute sync to the control plane cluster.
enabled boolean false
Enabled defines if this option should be enabled.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
backendTLSPolicies object
BackendTLSPolicies configures BackendTLSPolicy sync to the control plane cluster.
enabled boolean false
Enabled defines if this option should be enabled.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
referenceGrants object
ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be "auto", "true", or "false".
enabled string|boolean auto
Enabled defines if this option should be enabled.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
services object
Services defines if services created within the virtual cluster should get synced to the host cluster.
enabled boolean true
Enabled defines if this option should be enabled.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
endpoints object
Endpoints defines if endpoints created within the virtual cluster should get synced to the host cluster.
enabled boolean true
Enabled defines if this option should be enabled.
patches object[]
Patches patch the resource according to the provided specification.
path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
expression string
Expression transforms the value according to the given JavaScript expression.
reverseExpression string
ReverseExpression transforms the value according to the given JavaScript expression.
reference object
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersionPath string
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
kind required string
Kind is the kind of the referenced object.
kindPath string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
namePath string
NamePath is the optional relative path to the reference name within the object.
namespacePath string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
labels object
Labels treats the path value as a labels selector.
labels object ​endpointSlices object ​
EndpointSlices defines if endpointslices created within the virtual cluster should get synced to the host cluster.
endpointSlices object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​networkPolicies object ​
NetworkPolicies defines if network policies created within the virtual cluster should get synced to the host cluster.
networkPolicies object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​persistentVolumeClaims object ​
PersistentVolumeClaims defines if persistent volume claims created within the virtual cluster should get synced to the host cluster.
persistentVolumeClaims object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​persistentVolumes object ​
PersistentVolumes defines if persistent volumes created within the virtual cluster should get synced to the host cluster.
persistentVolumes object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​volumeSnapshots object ​
VolumeSnapshots defines if volume snapshots created within the virtual cluster should get synced to the host cluster.
volumeSnapshots object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​volumeSnapshotContents object ​
VolumeSnapshotContents defines if volume snapshot contents created within the virtual cluster should get synced to the host cluster.
volumeSnapshotContents object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​storageClasses object ​
StorageClasses defines if storage classes created within the virtual cluster should get synced to the host cluster.
storageClasses object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​serviceAccounts object ​
ServiceAccounts defines if service accounts created within the virtual cluster should get synced to the host cluster.
serviceAccounts object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​podDisruptionBudgets object ​
PodDisruptionBudgets defines if pod disruption budgets created within the virtual cluster should get synced to the host cluster.
podDisruptionBudgets object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​priorityClasses object ​
PriorityClasses defines if priority classes created within the virtual cluster should get synced to the host cluster.
priorityClasses object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​customResources {key: object} ​
CustomResources defines what custom resources should get synced from the virtual cluster to the host cluster. vCluster will copy the definition automatically from the host cluster to the virtual cluster on startup.
vCluster will also automatically add any required RBAC permissions to the vCluster role for this to work.
customResources {key: object} ​enabled required boolean ​
Enabled defines if this option should be enabled.
enabled required boolean ​scope string ​
Scope defines the scope of the resource. If undefined, Namespaced is used. Currently only Namespaced is supported.
scope string ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​namespaces object ​
Namespaces defines if namespaces created within the virtual cluster should get synced to the host cluster.
namespaces object ​enabled required boolean false ​
Enabled defines if this option should be enabled.
enabled required boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​mappings object ​
Mappings for Namespace and Object
mappings object ​byName object ​
ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
- To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
  byName:
    "foo/*": "foo-in-virtual/*"
- To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
  byName:
    "foo/my-object": "foo/my-object"
- To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
  byName:
    "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
  byName:
    "": "my-virtual-namespace/*"
- To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
  byName:
    "/my-object": "my-virtual-namespace/my-object"
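The byName forms listed above can be checked before deployment with a small parser. The following is an added example, not vCluster's own code: it uses `*` as the wildcard as in the `my-virtual-namespace/*` pattern, and the function names, the `vcluster-team-a` namespace used in testing, the "wildcard on both sides" rule and the "exact entry wins over wildcard" precedence are assumptions of the example.

```python
# Added example: parse byName entries in the documented forms and show which
# tenant name a given control plane object would map to.


def _split(ref, allow_empty_ns):
    """Split 'namespace/name'; an empty namespace means the vCluster namespace."""
    if ref.count("/") != 1:
        raise ValueError(f"expected 'namespace/name', got {ref!r}")
    namespace, name = ref.split("/")
    if not name or (not namespace and not allow_empty_ns):
        raise ValueError(f"incomplete reference {ref!r}")
    return namespace, name


def parse_entry(key, value):
    """Return (src_ns, src_name, dst_ns, dst_name); a name of '*' means all objects."""
    # The empty key is the documented form for "all objects in the vCluster namespace".
    src_ns, src_name = ("", "*") if key == "" else _split(key, allow_empty_ns=True)
    dst_ns, dst_name = _split(value, allow_empty_ns=False)
    # This example's own consistency rule: a wildcard must appear on both sides.
    if (src_name == "*") != (dst_name == "*"):
        raise ValueError(f"wildcard on one side only: {key!r}: {value!r}")
    return src_ns, src_name, dst_ns, dst_name


def resolve(by_name, vcluster_namespace, obj_namespace, obj_name):
    """Return 'namespace/name' in the tenant cluster, or None if nothing matches.

    Assumption of this example: an exact entry wins over a wildcard entry.
    """
    wildcard_target = None
    for key, value in by_name.items():
        src_ns, src_name, dst_ns, dst_name = parse_entry(key, value)
        if (src_ns or vcluster_namespace) != obj_namespace:
            continue
        if src_name == obj_name:
            return f"{dst_ns}/{dst_name}"
        if src_name == "*" and wildcard_target is None:
            wildcard_target = f"{dst_ns}/{obj_name}"
    return wildcard_target


def wildcard_entries(by_name):
    """Keys that map a whole namespace; these deserve the closest review."""
    return [k for k, v in by_name.items() if parse_entry(k, v)[1] == "*"]


# Constructed mapping that combines the documented forms.
BY_NAME = {
    "foo/*": "foo-in-virtual/*",
    "foo/my-object": "foo/my-virtual-object",
    "": "my-virtual-namespace/*",
    "/my-object": "my-virtual-namespace/my-object",
}
```

Running `wildcard_entries` over a proposed mapping gives a reviewer the short list of entries that expose every object in a namespace rather than a named one.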
byName object ​mappingsOnly boolean false ​
MappingsOnly defines if creation of namespaces not matched by mappings should be allowed.
mappingsOnly boolean false ​extraLabels object ​
ExtraLabels are additional labels to add to the namespace in the host cluster.
extraLabels object ​resourceClaims object ​
ResourceClaim defines if resource claims created within the virtual cluster should get synced to the host cluster.
resourceClaims object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​resourceClaimTemplates object ​
ResourceClaimTemplates defines if resourceClaimTemplates created within the virtual cluster should get synced to the host cluster.
resourceClaimTemplates object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​fromHost object ​
Configure what resources vCluster should sync from the host cluster to the virtual cluster.
fromHost object ​nodes object ​
Nodes defines if nodes should get synced from the host cluster to the virtual cluster, but not back.
nodes object ​enabled boolean false ​
Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.
enabled boolean false ​syncBackChanges boolean false ​
SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled, someone within the virtual cluster will be able to change the labels and taints of the host cluster node.
syncBackChanges boolean false ​clearImageStatus boolean false ​
ClearImageStatus will erase the image status when syncing a node. This hides the images that are pulled by the node.
clearImageStatus boolean false ​selector object ​
Selector can be used to define more granularly which nodes should get synced from the host cluster to the virtual cluster.
selector object ​all boolean false ​
All specifies if all nodes should get synced by vCluster from the host to the virtual cluster or only the ones that pods are assigned to.
all boolean false ​labels object {} ​
Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.
labels object {} ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
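A sync.fromHost.nodes fragment using the node options described above, added here as an example and not taken from the vCluster docs. The label key and value are hypothetical; the first document limits what the tenant can see and change on host nodes, the second shows the permissive combination for comparison.

```yaml
# Added example (not from the vCluster docs). Two alternative vcluster.yaml
# fragments, separated by '---' for comparison only; use one, not both.

# Restrictive: the tenant sees only the nodes it needs and cannot write back.
sync:
  fromHost:
    nodes:
      enabled: true             # sync real nodes instead of creating fake ones
      syncBackChanges: false    # default; label and taint edits are not synced to host nodes
      clearImageStatus: true    # erase the image status so pulled images are hidden
      selector:
        all: false              # default; only nodes that pods are assigned to
        labels:
          example.com/pool: tenant-a   # hypothetical label; also set as node selector on synced pods
---
# Permissive: every host node is synced, the images pulled by each node stay
# visible, and label/taint changes made inside the virtual cluster are synced
# back to the host cluster nodes.
sync:
  fromHost:
    nodes:
      enabled: true
      syncBackChanges: true
      clearImageStatus: false
      selector:
        all: true
```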
labels object ​events object ​
Events defines if events should get synced from the host cluster to the virtual cluster, but not back.
events object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​ingressClasses object ​
IngressClasses defines if ingress classes should get synced from the host cluster to the virtual cluster, but not back.
ingressClasses object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​gatewayClasses object ​
GatewayClasses defines if gateway classes should get synced from the control plane cluster to the tenant cluster, but not back.
gatewayClasses object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​gateways object ​
Gateways defines if selected control plane Gateways should get synced from the control plane cluster to the tenant cluster, but not back.
gateways object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​selector object ​
Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.
selector object ​matchLabels object ​
matchLabels object ​mappings object ​
Mappings define control plane Gateway namespace/name to tenant-facing namespace/name placement.
mappings object ​byName object {} ​
ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
- To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
    byName:
      "foo/*": "foo-in-virtual/*"
- To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
    byName:
      "foo/my-object": "foo/my-object"
- To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
    byName:
      "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
    byName:
      "": "my-virtual-namespace/*"
- To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
    byName:
      "/my-object": "my-virtual-namespace/my-object"
byName object {} ​allowedRoutes object ​
AllowedRoutes configures the tenant-facing allowedRoutes policy shown on imported Gateways and enforced for Routes.
allowedRoutes object ​runtimeClasses object ​
RuntimeClasses defines if runtime classes should get synced from the host cluster to the virtual cluster, but not back.
runtimeClasses object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​priorityClasses object ​
PriorityClasses defines if priority classes should get synced from the host cluster to the virtual cluster, but not back.
priorityClasses object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​storageClasses object ​
StorageClasses defines if storage classes should get synced from the host cluster to the virtual cluster, but not back. If set to auto, this is automatically enabled when the virtual scheduler is enabled.
storageClasses object ​enabled string|boolean auto ​
Enabled defines if this option should be enabled.
enabled string|boolean auto ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​csiNodes object ​
CSINodes defines if CSI nodes should get synced from the host cluster to the virtual cluster, but not back. If set to auto, this is automatically enabled when the virtual scheduler is enabled.
csiNodes object ​enabled string|boolean auto ​
Enabled defines if this option should be enabled.
enabled string|boolean auto ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​csiDrivers object ​
CSIDrivers defines if CSI drivers should get synced from the host cluster to the virtual cluster, but not back. If set to auto, this is automatically enabled when the virtual scheduler is enabled.
csiDrivers object ​enabled string|boolean auto ​
Enabled defines if this option should be enabled.
enabled string|boolean auto ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​csiStorageCapacities object ​
CSIStorageCapacities defines if CSI storage capacities should get synced from the host cluster to the virtual cluster, but not back. If set to auto, this is automatically enabled when the virtual scheduler is enabled.
csiStorageCapacities object ​enabled string|boolean auto ​
Enabled defines if this option should be enabled.
enabled string|boolean auto ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​customResources {key: object} ​
CustomResources defines what custom resources should get synced read-only to the virtual cluster from the host cluster. vCluster will automatically add any required RBAC to the vCluster cluster role.
customResources {key: object} ​enabled required boolean ​
Enabled defines if this option should be enabled.
enabled required boolean ​scope required string ​
Scope defines the scope of the resource.
scope required string ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​mappings object ​
Mappings for Namespace and Object
mappings object ​byName object ​
ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
- To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
    byName:
      "foo/*": "foo-in-virtual/*"
- To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
    byName:
      "foo/my-object": "foo/my-object"
- To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
    byName:
      "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
    byName:
      "": "my-virtual-namespace/*"
- To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
    byName:
      "/my-object": "my-virtual-namespace/my-object"
byName object ​volumeSnapshotClasses object ​
VolumeSnapshotClasses defines if volume snapshot classes created within the virtual cluster should get synced to the host cluster.
volumeSnapshotClasses object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​configMaps object ​
ConfigMaps defines if config maps in the host should get synced to the virtual cluster.
configMaps object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode, the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode, the name is not translated.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​mappings object ​
Mappings for Namespace and Object
mappings object ​byName object {} ​
ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
- To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
    byName:
      "foo/*": "foo-in-virtual/*"
- To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
    byName:
      "foo/my-object": "foo/my-object"
- To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
    byName:
      "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
    byName:
      "": "my-virtual-namespace/*"
- To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
    byName:
      "/my-object": "my-virtual-namespace/my-object"
byName object {} ​secrets object ​
Secrets defines if secrets in the host should get synced to the virtual cluster.
secrets object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​mappings object ​
Mappings for Namespace and Object
mappings object ​byName object {} ​
ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name.
There are several wildcards supported:
- To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster:
byName:
"foo/*": "foo-in-virtual/*"
- To match a specific object in the control plane namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
- To match a specific object in the control plane namespace and sync it to the same namespace with a different name:
byName:
"foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"": "my-virtual-namespace/*"
- To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
byName object {} ​deviceClasses object ​
DeviceClasses defines if device classes in the host should get synced to the virtual cluster
deviceClasses object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​patches object[] ​
Patches patch the resource according to the provided specification.
patches object[] ​path required string ​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string ​expression string ​
Expression transforms the value according to the given JavaScript expression.
expression string ​reverseExpression string ​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression string ​reference object ​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference object ​apiVersion required string ​
APIVersion is the apiVersion of the referenced object.
apiVersion required string ​apiVersionPath string ​
APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, it falls back to apiVersion.
apiVersionPath string ​kind required string ​
Kind is the kind of the referenced object.
kind required string ​kindPath string ​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.
kindPath string ​namePath string ​
NamePath is the optional relative path to the reference name within the object.
namePath string ​namespacePath string ​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the
metadata.namespace path of the object.
namespacePath string ​labels object ​
Labels treats the path value as a labels selector.
labels object ​integrations object ​
Integrations holds config for vCluster integrations with other operators or tools running on the host cluster
integrations object ​metricsServer object ​
MetricsServer reuses the metrics server from the host cluster within the vCluster.
metricsServer object ​enabled boolean false ​
Enabled signals the metrics server integration should be enabled.
enabled boolean false ​apiService object ​
APIService holds information about where to find the metrics-server service. Defaults to metrics-server/kube-system.
apiService object ​nodes boolean true ​
Nodes defines if metrics-server nodes api should get proxied from host to virtual cluster.
nodes boolean true ​pods boolean true ​
Pods defines if metrics-server pods api should get proxied from host to virtual cluster.
pods boolean true ​kubeVirt object ​
KubeVirt reuses a host kubevirt and makes certain CRDs from it available inside the vCluster
kubeVirt object ​enabled boolean false ​
Enabled signals if the integration should be enabled
enabled boolean false ​apiService object ​
APIService holds information about where to find the virt-api service. Defaults to virt-api/kubevirt.
apiService object ​webhook object ​
Webhook holds configuration for enabling the webhook within the vCluster
webhook object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​sync object ​
Sync holds configuration on what resources to sync
sync object ​dataVolumes object ​
If DataVolumes should get synced
dataVolumes object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​virtualMachineInstanceMigrations object ​
If VirtualMachineInstanceMigrations should get synced
virtualMachineInstanceMigrations object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​virtualMachineInstances object ​
If VirtualMachineInstances should get synced
virtualMachineInstances object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​virtualMachines object ​
If VirtualMachines should get synced
virtualMachines object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​externalSecrets object ​
ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster.
- ExternalSecrets will be synced from the virtual cluster to the host cluster.
- SecretStores will be synced from the virtual cluster to the host cluster and then bi-directionally.
- ClusterSecretStores will be synced from the host cluster to the virtual cluster.
externalSecrets object ​enabled boolean false ​
Enabled defines whether the external secret integration is enabled or not
enabled boolean false ​version string ​
Version defines the version of the external secrets operator to use. If empty, the storage version will be used.
version string ​webhook object ​
Webhook defines whether the host webhooks are reused or not
webhook object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​sync object ​
Sync defines the syncing behavior for the integration
sync object ​toHost object ​
ToHost defines what resources are synced from the virtual cluster to the host
toHost object ​externalSecrets object ​
ExternalSecrets configures whether only a subset of ExternalSecrets matching a label selector should get synced from the virtual cluster to the host cluster.
externalSecrets object ​fromHost object ​
FromHost defines what resources are synced from the host cluster to the virtual cluster
fromHost object ​certManager object ​
CertManager reuses a host cert-manager and makes its CRDs available inside the vCluster.
- Certificates and Issuers will be synced from the virtual cluster to the host cluster.
- ClusterIssuers will be synced from the host cluster to the virtual cluster.
certManager object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​sync object ​
Sync contains advanced configuration for syncing cert-manager resources.
sync object ​toHost object ​
toHost object ​istio object ​
Istio syncs DestinationRules, Gateways and VirtualServices from virtual cluster to the host.
istio object ​enabled boolean false ​
Enabled defines if this option should be enabled.
enabled boolean false ​networking object ​
Networking options related to the virtual cluster.
networking object ​serviceCIDR string ​
ServiceCIDR holds the service cidr for the virtual cluster. This should only be set if privateNodes.enabled is true or vCluster cannot detect the host service cidr.
serviceCIDR string ​podCIDR string 10.244.0.0/16 ​
PodCIDR holds the pod cidr for the virtual cluster. This should only be set if privateNodes.enabled is true.
podCIDR string 10.244.0.0/16 ​replicateServices object ​
ReplicateServices allows replicating services from the host within the virtual cluster or the other way around.
replicateServices object ​toHost object[] ​
ToHost defines the services that should get synced from virtual cluster to the host cluster. If services are
synced to a different namespace than the virtual cluster is in, additional permissions for the other namespace
are required.
toHost object[] ​from string ​
From is the service that should get synced. Can be either in the form name or namespace/name.
from string ​to string ​
To is the target service that it should get synced to. Can be either in the form name or namespace/name.
to string ​fromHost object[] ​
FromHost defines the services that should get synced from the host to the virtual cluster.
fromHost object[] ​from string ​
From is the service that should get synced. Can be either in the form name or namespace/name.
from string ​to string ​
To is the target service that it should get synced to. Can be either in the form name or namespace/name.
to string ​resolveDNS object[] ​
ResolveDNS allows defining extra DNS rules. This only works if embedded coredns is configured.
resolveDNS object[] ​hostname string ​
Hostname is the hostname within the vCluster that should be resolved from.
hostname string ​service string ​
Service is the virtual cluster service that should be resolved from.
service string ​namespace string ​
Namespace is the virtual cluster namespace that should be resolved from.
namespace string ​target object ​
Target is the DNS target that should get mapped to
target object ​hostname string ​
Hostname to use as a DNS target
hostname string ​ip string ​
IP to use as a DNS target
ip string ​hostService string ​
HostService to target, format is hostNamespace/hostService
hostService string ​hostNamespace string ​
HostNamespace to target
hostNamespace string ​vClusterService string ​
VClusterService format is hostNamespace/vClusterName/vClusterNamespace/vClusterService
vClusterService string ​advanced object ​
Advanced holds advanced network options.
advanced object ​clusterDomain string cluster.local ​
ClusterDomain is the Kubernetes cluster domain to use within the virtual cluster.
clusterDomain string cluster.local ​fallbackHostCluster boolean false ​
FallbackHostCluster allows DNS to fall back to the host cluster. This is useful if you want to reach host services without
any other modification. You will need to provide a namespace for the service, e.g. my-other-service.my-other-namespace
fallbackHostCluster boolean false ​proxyKubelets object ​
ProxyKubelets allows rewriting certain metrics and stats from the Kubelet to "fake" this for applications such as
prometheus or other node exporters.
proxyKubelets object ​byHostname boolean true ​
ByHostname will add a special vCluster hostname to the nodes where the node can be reached at. This doesn't work
for all applications, e.g. Prometheus requires a node IP.
byHostname boolean true ​byIP boolean true ​
ByIP will create a separate service in the host cluster for every node that will point to virtual cluster and will be used to
route traffic.
byIP boolean true ​policies object ​
Policies to enforce for the virtual cluster deployment as well as within the virtual cluster.
policies object ​networkPolicy object ​
NetworkPolicy specifies network policy options.
networkPolicy object ​enabled boolean false ​
Enabled defines if the network policy should be deployed by vCluster.
enabled boolean false ​annotations object {} ​
Annotations are extra annotations for this resource.
annotations object {} ​labels object {} ​
Labels are extra labels for this resource.
labels object {} ​fallbackDns string 8.8.8.8 ​
FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.
fallbackDns string 8.8.8.8 ​controlPlane object ​
ControlPlane network policy rules
controlPlane object ​ingress object[] ​
Ingress rules for the vCluster control plane.
ingress object[] ​ports object[] ​
ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports object[] ​protocol string ​
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol string ​port object ​
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port object ​endPort integer ​
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort integer ​from object[] ​
from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list.
from object[] ​podSelector object ​
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector object ​matchLabels object ​
matchLabels object ​namespaceSelector object ​
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
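The matching rules described above for ports, from, podSelector and namespaceSelector, worked through as an added example (not code from vCluster or Kubernetes). The namespace names, labels and rule contents are constructed samples, and the function names are hypothetical; named ports and ipBlock peers are not modelled.

```python
# Added example: evaluates one ingress rule the way the field descriptions
# above state it. All sample data below is constructed for illustration.

def labels_match(selector, labels):
    """matchLabels semantics: every listed key/value must be present.
    A selector that is present but empty ({}) matches everything."""
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(key) == value for key, value in wanted.items())


def port_matches(ports, protocol, port):
    """Entries are ORed. An empty or missing list matches all ports."""
    if not ports:
        return True
    for entry in ports:
        if entry.get("protocol", "TCP") != protocol:  # protocol defaults to TCP
            continue
        start = entry.get("port")
        if start is None:
            return True  # no port given: all ports of that protocol
        if isinstance(start, str):
            continue  # named port: needs the pod spec to resolve, skipped here
        if start <= port <= entry.get("endPort", start):
            return True
    return False


def peer_matches(peers, policy_namespace, src):
    """Entries are ORed. An empty or missing list matches all sources."""
    if not peers:
        return True
    for peer in peers:
        pod_sel = peer.get("podSelector")
        ns_sel = peer.get("namespaceSelector")
        if ns_sel is not None:
            # namespaceSelector (optionally ANDed with podSelector)
            if not labels_match(ns_sel, src["namespace_labels"]):
                continue
            if pod_sel is None or labels_match(pod_sel, src["pod_labels"]):
                return True
        elif pod_sel is not None:
            # podSelector alone only looks inside the policy's own namespace
            if (src["namespace"] == policy_namespace
                    and labels_match(pod_sel, src["pod_labels"])):
                return True
    return False


def ingress_rule_allows(rule, policy_namespace, src, protocol, port):
    return (port_matches(rule.get("ports"), protocol, port)
            and peer_matches(rule.get("from"), policy_namespace, src))


# Constructed sample sources.
POLICY_NAMESPACE = "vcluster-team-a"
SAME_NS_POD = {"namespace": "vcluster-team-a",
               "namespace_labels": {"team": "a"},
               "pod_labels": {"app": "web"}}
OTHER_NS_POD = {"namespace": "monitoring",
                "namespace_labels": {"purpose": "monitoring"},
                "pod_labels": {"app": "prometheus"}}

# Constructed sample rules.
RULE_EMPTY_POD_SELECTOR = {"ports": [{"port": 8443}],
                           "from": [{"podSelector": {}}]}
RULE_EMPTY_NS_SELECTOR = {"ports": [{"port": 8443}],
                          "from": [{"namespaceSelector": {}}]}
RULE_NO_FROM = {"ports": [{"port": 8443}]}
RULE_SCOPED = {
    "ports": [{"protocol": "TCP", "port": 8443, "endPort": 8445}],
    "from": [{
        "namespaceSelector": {"matchLabels": {"purpose": "monitoring"}},
        "podSelector": {"matchLabels": {"app": "prometheus"}},
    }],
}

if __name__ == "__main__":
    for name, rule in [("empty podSelector", RULE_EMPTY_POD_SELECTOR),
                       ("empty namespaceSelector", RULE_EMPTY_NS_SELECTOR),
                       ("no from", RULE_NO_FROM),
                       ("scoped", RULE_SCOPED)]:
        allowed = ingress_rule_allows(rule, POLICY_NAMESPACE, OTHER_NS_POD, "TCP", 8443)
        print(f"{name}: pod from another namespace allowed = {allowed}")
```

An empty namespaceSelector and a missing from list both admit pods from every namespace, while an empty podSelector stays within the policy's own namespace.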
namespaceSelector object ​matchLabels object ​
matchLabels object ​ipBlock object ​
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock object ​cidr string ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr string ​except string[] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except string[] ​egress object[] ​
Egress rules for the vCluster control plane.
egress object[] ​ports object[] ​
ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports object[] ​protocol string ​
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol string ​port object ​
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port object ​endPort integer ​
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort integer ​to object[] ​
to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list.
to object[] ​podSelector object ​
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector object ​matchLabels object ​
matchLabels object ​namespaceSelector object ​
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector object ​matchLabels object ​
matchLabels object ​ipBlock object ​
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock object ​cidr string ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr string ​except string[] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except string[] ​workload object ​
Workload network policy rules
workload object ​publicEgress object ​
PublicEgress holds the public outgoing connections options for the vCluster workloads.
publicEgress object ​enabled boolean true ​
Enabled defines if the workload public egress should be enabled or disabled.
enabled boolean true ​cidr string 0.0.0.0/0 ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr string 0.0.0.0/0 ​except string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
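To check what the publicEgress defaults listed above actually permit, the following added example (not vCluster's own code) evaluates a cidr/except pair with standard ipBlock semantics. The function names and the list of ranges to audit are assumptions made for illustration; the default values are the ones shown on this page.

```python
import ipaddress

# Defaults shown on this page for policies.networkPolicy.workload.publicEgress.
DEFAULT_CIDR = "0.0.0.0/0"
DEFAULT_EXCEPT = ["100.64.0.0/10", "127.0.0.0/8", "10.0.0.0/8",
                  "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample: ranges an operator might expect workloads not to reach.
RANGES_TO_AUDIT = ["169.254.0.0/16", "10.96.0.0/12", "192.168.1.0/24"]


def rejected_excepts(cidr, excepts):
    """Return the except entries that lie outside cidr.
    The page states that such items are rejected."""
    block = ipaddress.ip_network(cidr)
    rejected = []
    for entry in excepts:
        net = ipaddress.ip_network(entry)
        if net.version != block.version or not net.subnet_of(block):
            rejected.append(entry)
    return rejected


def egress_allowed(destination, cidr=DEFAULT_CIDR, excepts=DEFAULT_EXCEPT):
    """True if destination is inside cidr and in none of the except ranges."""
    ip = ipaddress.ip_address(destination)
    block = ipaddress.ip_network(cidr)
    if ip.version != block.version or ip not in block:
        return False
    for entry in excepts:
        net = ipaddress.ip_network(entry)
        if net.version == ip.version and ip in net:
            return False
    return True


def not_excluded(ranges, cidr=DEFAULT_CIDR, excepts=DEFAULT_EXCEPT):
    """Return the audited ranges that overlap cidr and are not wholly inside
    a single except entry (conservative: a range covered only by the union
    of several except entries is still reported)."""
    block = ipaddress.ip_network(cidr)
    except_nets = [ipaddress.ip_network(e) for e in excepts]
    reachable = []
    for candidate in ranges:
        net = ipaddress.ip_network(candidate)
        if net.version != block.version or not net.overlaps(block):
            continue  # outside cidr, so never allowed by this block
        covered = any(e.version == net.version and net.subnet_of(e)
                      for e in except_nets)
        if not covered:
            reachable.append(candidate)
    return reachable


if __name__ == "__main__":
    print("rejected except entries:", rejected_excepts(DEFAULT_CIDR, DEFAULT_EXCEPT))
    for dest in ["8.8.8.8", "10.1.2.3", "169.254.10.10"]:
        print(dest, "allowed" if egress_allowed(dest) else "blocked")
    print("not excluded by defaults:", not_excluded(RANGES_TO_AUDIT))
    hardened = DEFAULT_EXCEPT + ["169.254.0.0/16"]
    print("not excluded after adding link-local:",
          not_excluded(RANGES_TO_AUDIT, DEFAULT_CIDR, hardened))
```

With the defaults, the fallbackDns address 8.8.8.8 stays reachable and the link-local range is not excluded, so an operator who wants it blocked has to add it to except.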
except string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16] ​ingress object[] ​
Ingress rules for the vCluster workloads.
ingress object[] ​ports object[] ​
ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports object[] ​protocol string ​
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol string ​port object ​
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port object ​endPort integer ​
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort integer ​from object[] ​
from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list.
from object[] ​podSelector object ​
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector object ​matchLabels object ​
matchLabels object ​namespaceSelector object ​
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector object ​matchLabels object ​
matchLabels object ​ipBlock object ​
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock object ​cidr string ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr string ​except string[] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except string[] ​egress object[] ​
Egress rules for the vCluster workloads.
egress object[] ​ports object[] ​
ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports object[] ​protocol string ​
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol string ​port object ​
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port object ​endPort integer ​
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort integer ​to object[] ​
to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list.
to object[] ​podSelector object ​
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector object ​matchLabels object ​
matchLabels object ​namespaceSelector object ​
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector object ​matchLabels object ​
matchLabels object ​ipBlock object ​
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock object ​cidr string ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr string ​except string[] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except string[] ​podSecurityStandard string ​
PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged
podSecurityStandard string ​resourceQuota object ​
ResourceQuota specifies resource quota options.
resourceQuota object ​enabled string|boolean auto ​
Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled,
the resourceQuota will be enabled as well.
enabled string|boolean auto ​quota object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0] ​
Quota are the quota options
quota object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0] ​scopeSelector object map[matchExpressions:[]] ​
ScopeSelector is the resource quota scope selector
scopeSelector object map[matchExpressions:[]] ​scopes string[] [] ​
Scopes are the resource quota scopes
scopes string[] [] ​annotations object {} ​
Annotations are extra annotations for this resource.
annotations object {} ​labels object {} ​
Labels are extra labels for this resource.
labels object {} ​limitRange object ​
LimitRange specifies limit range options.
limitRange object ​enabled string|boolean auto ​
Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled,
the limitRange will be enabled as well.
enabled string|boolean auto ​default object map[cpu:1 ephemeral-storage:8Gi memory:512Mi] ​
Default are the default limits for the limit range
default object map[cpu:1 ephemeral-storage:8Gi memory:512Mi] ​defaultRequest object map[cpu:100m ephemeral-storage:3Gi memory:128Mi] ​
DefaultRequest are the default request options for the limit range
defaultRequest object map[cpu:100m ephemeral-storage:3Gi memory:128Mi] ​max object {} ​
Max are the max limits for the limit range
max object {} ​min object {} ​
Min are the min limits for the limit range
min object {} ​annotations object {} ​
Annotations are extra annotations for this resource.
annotations object {} ​labels object {} ​
Labels are extra labels for this resource.
labels object {} ​centralAdmission object ​
CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.
centralAdmission object ​validatingWebhooks object[] ​
ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster
validatingWebhooks object[] ​kind string ​
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind string ​apiVersion string ​
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion string ​metadata object ​
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata object ​name string ​
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name string ​labels object ​
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels object ​annotations object ​
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations object ​webhooks object[] ​
Webhooks is a list of webhooks and the affected resources and operations.
webhooks object[] ​name string ​
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name string ​clientConfig object ​
ClientConfig defines how to communicate with the hook.
clientConfig object ​url string ​
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
url string ​service object ​
Service is a reference to the service for this webhook. Either
service or url must be specified.
If the webhook is running within the cluster, then you should use service.
service object ​namespace string ​
Namespace is the namespace of the service.
namespace string ​name string ​
Name is the name of the service.
name string ​path string ​
Path is an optional URL path which will be sent in any request to
this service.
path string ​port integer ​
If specified, the port on the service that is hosting the webhook.
Defaults to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
port integer ​caBundle string ​
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle string ​rules object[] ​
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules object[] ​failurePolicy string ​
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy string ​matchPolicy string ​
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy string ​namespaceSelector object ​
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector object ​objectSelector object ​
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector object ​sideEffects string ​
SideEffects states whether this webhook has side effects.
sideEffects string ​timeoutSeconds integer ​
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds integer ​admissionReviewVersions string[] ​
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions string[] ​matchConditions object[] ​
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
matchConditions object[] ​mutatingWebhooks object[] ​
MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster
mutatingWebhooks object[] ​kind string ​
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind string ​apiVersion string ​
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion string ​metadata object ​
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata object ​name string ​
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name string ​labels object ​
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels object ​annotations object ​
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations object ​webhooks object[] ​
Webhooks is a list of webhooks and the affected resources and operations.
webhooks object[] ​reinvocationPolicy string ​
reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
Allowed values are "Never" and "IfNeeded".
reinvocationPolicy string ​name string ​
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name string ​clientConfig object ​
ClientConfig defines how to communicate with the hook.
clientConfig object ​url string ​
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
url string ​service object ​
Service is a reference to the service for this webhook. Either
service or url must be specified.
If the webhook is running within the cluster, then you should use service.
service object ​namespace string ​
Namespace is the namespace of the service.
namespace string ​name string ​
Name is the name of the service.
name string ​path string ​
Path is an optional URL path which will be sent in any request to
this service.
path string ​port integer ​
If specified, the port on the service that is hosting the webhook.
Defaults to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
port integer ​caBundle string ​
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle string ​rules object[] ​
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules object[] ​failurePolicy string ​
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy string ​matchPolicy string ​
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy string ​namespaceSelector object ​
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector object ​objectSelector object ​
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector object ​sideEffects string ​
SideEffects states whether this webhook has side effects.
sideEffects string ​timeoutSeconds integer ​
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds integer ​admissionReviewVersions string[] ​
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions string[] ​matchConditions object[] ​
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
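The constraints stated above for centralAdmission webhooks (exactly one of url or service, port 1-65535, the allowed failurePolicy, matchPolicy and reinvocationPolicy values, at most 64 matchConditions) can be checked before a vcluster.yaml is deployed. The following Python linter is an added example, not vCluster code; the function names, the example.internal hostnames and the assumption that the centralAdmission object has already been loaded from YAML into a dict are hypothetical.

```python
from urllib.parse import urlsplit

FAILURE_POLICIES = {"Ignore", "Fail"}          # failurePolicy, defaults to Fail
MATCH_POLICIES = {"Exact", "Equivalent"}       # matchPolicy
REINVOCATION_POLICIES = {"Never", "IfNeeded"}  # reinvocationPolicy, mutating only
MAX_MATCH_CONDITIONS = 64


def check_webhook(hook, mutating):
    """Return (severity, message) findings for one webhooks[] entry."""
    name = hook.get("name", "<unnamed>")
    out = []
    def add(severity, msg):
        out.append((severity, f"{name}: {msg}"))
    # clientConfig: exactly one of url or service, and a sane target.
    cc = hook.get("clientConfig") or {}
    url, svc = cc.get("url"), cc.get("service")
    if bool(url) == bool(svc):
        add("error", "exactly one of clientConfig.url or clientConfig.service must be set")
    if url:
        parts = urlsplit(url)
        if not parts.scheme or not parts.hostname:
            add("error", f"url {url!r} is not in scheme://host:port/path form")
    if svc:
        port = svc.get("port", 443)  # documented default
        if type(port) is not int or not 1 <= port <= 65535:
            add("error", f"service.port {port!r} is outside 1-65535")
    if not cc.get("caBundle"):
        add("info", "no caBundle, so apiserver system trust roots validate the certificate")

    # Enumerated fields. Ignore is valid but means webhook errors do not block requests.
    policy = hook.get("failurePolicy", "Fail")
    if policy not in FAILURE_POLICIES:
        add("error", f"failurePolicy {policy!r} is not Ignore or Fail")
    elif policy == "Ignore":
        add("warn", "failurePolicy Ignore fails open when the webhook errors")
    match_policy = hook.get("matchPolicy")
    if match_policy is not None and match_policy not in MATCH_POLICIES:
        add("error", f"matchPolicy {match_policy!r} is not Exact or Equivalent")
    reinvoke = hook.get("reinvocationPolicy")
    if reinvoke is not None and not mutating:
        add("error", "reinvocationPolicy is only listed for mutating webhooks")
    elif reinvoke is not None and reinvoke not in REINVOCATION_POLICIES:
        add("error", f"reinvocationPolicy {reinvoke!r} is not Never or IfNeeded")

    if not hook.get("rules"):
        add("warn", "no rules, so the webhook matches no operation")
    if len(hook.get("matchConditions") or []) > MAX_MATCH_CONDITIONS:
        add("error", "more than 64 matchConditions")
    return out


def audit_central_admission(central):
    """Collect findings for every webhook under validatingWebhooks and mutatingWebhooks."""
    findings = []
    for key, mutating in (("validatingWebhooks", False), ("mutatingWebhooks", True)):
        for config in central.get(key) or []:
            for hook in config.get("webhooks") or []:
                findings.extend(check_webhook(hook, mutating))
    return findings


# Constructed sample: a centralAdmission object as a YAML loader would return it.
POD_RULE = {"apiGroups": [""], "apiVersions": ["v1"], "operations": ["CREATE"], "resources": ["pods"]}
SAMPLE = {
    "validatingWebhooks": [{"webhooks": [
        {   # well formed: service reference, explicit CA, default failurePolicy
            "name": "imagepolicy.example.internal",
            "clientConfig": {"service": {"namespace": "policy", "name": "image-policy"},
                             "caBundle": "<PEM placeholder>"},
            "rules": [POD_RULE],
        },
        {   # url and service both set, port out of range, fail-open, no rules
            "name": "quota.example.internal",
            "clientConfig": {"url": "https://hooks.example.internal:8443/quota",
                             "service": {"namespace": "policy", "name": "quota", "port": 70000}},
            "failurePolicy": "Ignore",
            "rules": [],
        },
    ]}],
    "mutatingWebhooks": [{"webhooks": [
        {   # url without a scheme, reinvocationPolicy outside the allowed values
            "name": "defaults.example.internal",
            "clientConfig": {"url": "hooks.example.internal/mutate", "caBundle": "<PEM placeholder>"},
            "reinvocationPolicy": "Always",
            "rules": [POD_RULE],
        },
    ]}],
}

if __name__ == "__main__":
    for severity, message in audit_central_admission(SAMPLE):
        print(f"[{severity}] {message}")
```

Treat the `warn` findings as review items rather than schema errors: a webhook with failurePolicy Ignore or an empty rules list is accepted, but the policy it represents is not reliably enforced.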
matchConditions object[] ​rbac object ​
RBAC options for the virtual cluster.
rbac object ​role object ​
Role holds virtual cluster role configuration
role object ​enabled boolean true ​
Enabled defines if the role should be enabled or disabled.
enabled boolean true ​extraRules object[] [] ​
ExtraRules will add rules to the role.
extraRules object[] [] ​overwriteRules object[] [] ​
OverwriteRules will overwrite the role rules completely.
overwriteRules object[] [] ​clusterRole object ​
ClusterRole holds virtual cluster cluster role configuration
clusterRole object ​enabled string|boolean auto ​
Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.
enabled string|boolean auto ​extraRules object[] [] ​
ExtraRules will add rules to the cluster role.
extraRules object[] [] ​overwriteRules object[] [] ​
OverwriteRules will overwrite the cluster role rules completely.
overwriteRules object[] [] ​sleep object ​
Sleep holds configuration for automatically putting the virtual cluster to sleep.
sleep object ​auto object ​
Auto holds automatic sleep configuration
auto object ​afterInactivity string ​
AfterInactivity represents how long a vCluster can be idle before workloads are automatically put to sleep
afterInactivity string ​schedule string ​
Schedule represents a cron schedule for when to sleep workloads
schedule string ​exclude object ​
Exclude holds configuration for labels that, if present, will prevent a workload from going to sleep
exclude object ​wakeup object ​
Wakeup holds configuration for waking the vCluster on a schedule
wakeup object ​schedule string ​
schedule string ​timezone string ​
Timezone specifies time zone used for scheduled sleep operations. Defaults to UTC.
Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation).
The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York".
timezone string ​plugins {key: object} ​
Define which vCluster plugins to load.
plugins {key: object} ​name string ​
Name is the name of the init-container and NOT the plugin name
name string ​image string ​
Image is the container image that should be used for the plugin
image string ​imagePullPolicy string ​
ImagePullPolicy is the pull policy to use for the container image
imagePullPolicy string ​config object ​
Config is the plugin config to use. This can be arbitrary config used for the plugin.
config object ​rbac object ​
RBAC holds additional rbac configuration for the plugin
rbac object ​role object ​
Role holds extra virtual cluster role permissions for the plugin
role object ​extraRules object[] ​
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
extraRules object[] ​verbs string[] ​
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
verbs string[] ​apiGroups string[] ​
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
apiGroups string[] ​resources string[] ​
Resources is a list of resources this rule applies to. '*' represents all resources.
resources string[] ​resourceNames string[] ​
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
resourceNames string[] ​nonResourceURLs string[] ​
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path.
Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
nonResourceURLs string[] ​clusterRole object ​
ClusterRole holds extra virtual cluster cluster role permissions required for the plugin
clusterRole object ​extraRules object[] ​
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
extraRules object[] ​verbs string[] ​
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
verbs string[] ​apiGroups string[] ​
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
apiGroups string[] ​resources string[] ​
Resources is a list of resources this rule applies to. '*' represents all resources.
resources string[] ​resourceNames string[] ​
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
resourceNames string[] ​nonResourceURLs string[] ​
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path.
Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
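The rule fields described above for rbac and for plugin rbac (wildcards in verbs, apiGroups and resources, empty resourceNames, the nonResourceURLs restrictions, and overwriteRules replacing the rules completely) lend themselves to an automated review. This Python audit is an added example, not part of vCluster; the function names, the plugin key `example-plugin` and the assumption that `rbac` and `plugins` are top-level keys of an already parsed vcluster.yaml are hypothetical.

```python
def audit_rule(rule, cluster_scoped):
    """Return (severity, message) findings for a single RBAC rule."""
    findings = []
    resources = rule.get("resources") or []
    urls = rule.get("nonResourceURLs") or []
    # '*' means all verbs, all API groups or all resources.
    for field in ("verbs", "apiGroups", "resources"):
        if "*" in (rule.get(field) or []):
            findings.append(("warn", f"{field} contains '*'"))
    # A rule targets API resources or non-resource URL paths, not both.
    if resources and urls:
        findings.append(("error", "rule mixes resources and nonResourceURLs"))
    # Non-resource URLs are not namespaced, so they only make sense on cluster roles.
    if urls and not cluster_scoped:
        findings.append(("error", "nonResourceURLs only apply to cluster roles"))
    # '*' is allowed only as the full, final step of the path.
    for url in urls:
        if "*" in url and not (url == "*" or (url.endswith("/*") and url.count("*") == 1)):
            findings.append(("error", f"'*' in {url!r} is not the full, final path step"))
    # Empty resourceNames means every object name is allowed.
    if "secrets" in resources and not rule.get("resourceNames"):
        findings.append(("warn", "secrets granted with empty resourceNames (all names allowed)"))
    return findings


def rule_sets(config):
    """Yield (location, cluster_scoped, rules) for every rule list in the config."""
    rbac = config.get("rbac") or {}
    for kind, cluster_scoped in (("role", False), ("clusterRole", True)):
        block = rbac.get(kind) or {}
        for key in ("extraRules", "overwriteRules"):
            yield f"rbac.{kind}.{key}", cluster_scoped, block.get(key) or []
    for plugin, spec in (config.get("plugins") or {}).items():
        plugin_rbac = (spec or {}).get("rbac") or {}
        for kind, cluster_scoped in (("role", False), ("clusterRole", True)):
            rules = (plugin_rbac.get(kind) or {}).get("extraRules") or []
            yield f"plugins.{plugin}.rbac.{kind}.extraRules", cluster_scoped, rules


def audit_config(config):
    """Return (severity, location, message) for every finding in the config."""
    report = []
    for location, cluster_scoped, rules in rule_sets(config):
        if location.endswith("overwriteRules") and rules:
            report.append(("info", location, "replaces the default rules completely"))
        for index, rule in enumerate(rules):
            for severity, message in audit_rule(rule, cluster_scoped):
                report.append((severity, f"{location}[{index}]", message))
    return report


# Constructed sample: the relevant parts of a parsed vcluster.yaml.
SAMPLE = {
    "rbac": {
        "role": {
            "enabled": True,
            "extraRules": [
                {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"],
                 "resourceNames": ["app-settings"]},                    # narrowly scoped
                {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
                {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},    # wrong scope
            ],
        },
        "clusterRole": {
            "enabled": "auto",
            "overwriteRules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
        },
    },
    "plugins": {
        "example-plugin": {"rbac": {"clusterRole": {"extraRules": [
            {"nonResourceURLs": ["/health*"], "verbs": ["get"]},
            {"apiGroups": [""], "resources": ["nodes"],
             "nonResourceURLs": ["/api/*"], "verbs": ["get"]},
        ]}}},
    },
}

if __name__ == "__main__":
    for severity, location, message in audit_config(SAMPLE):
        print(f"[{severity}] {location}: {message}")
```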
nonResourceURLs string[] ​command string[] ​
Command is the command that should be used for the init container
command string[] ​args string[] ​
Args are the arguments that should be used for the init container
args string[] ​securityContext object ​
SecurityContext is the container security context used for the init container
securityContext object ​resources object ​
Resources are the container resources used for the init container
resources object ​volumeMounts object[] ​
VolumeMounts are extra volume mounts for the init container
volumeMounts object[] ​experimental object ​
Experimental features for vCluster. Configuration here might change, so be careful with this.
experimental object ​deploy object ​
Deploy allows you to configure manifests and Helm charts to deploy within the host or virtual cluster.
deploy object ​host object ​
Host defines what manifests to deploy into the host cluster
host object ​manifests string ​
Manifests are raw Kubernetes manifests that should get applied within the host cluster.
manifests string ​manifestsTemplate string ​
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the host cluster.
manifestsTemplate string ​vcluster object ​
VCluster defines what manifests and charts to deploy into the vCluster
vcluster object ​manifests string ​
Manifests are raw Kubernetes manifests that should get applied within the virtual cluster.
manifests string ​manifestsTemplate string ​
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the virtual cluster.
manifestsTemplate string ​helm object[] ​
Helm are Helm charts that should get deployed into the virtual cluster
helm object[] ​chart object ​
Chart defines what chart should get deployed.
chart object ​name string ​
name string ​repo string ​
repo string ​insecure boolean ​
insecure boolean ​version string ​
version string ​username string ​
username string ​password string ​
password string ​release object ​
Release defines what release should get deployed.
release object ​name string ​
Name of the release
name string ​namespace string ​
Namespace of the release
namespace string ​values string ​
Values defines what values should get used.
values string ​timeout string ​
Timeout defines the timeout for Helm
timeout string ​bundle string ​
Bundle lets you supply a compressed Helm chart instead of an online chart.
bundle string ​syncSettings object ​
SyncSettings are advanced settings for the syncer controller.
syncSettings object ​setOwner boolean true ​
SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.
setOwner boolean true ​hostMetricsBindAddress string ​
HostMetricsBindAddress is the bind address for the local manager
hostMetricsBindAddress string ​virtualMetricsBindAddress string ​
VirtualMetricsBindAddress is the bind address for the virtual manager
virtualMetricsBindAddress string ​virtualClusterKubeConfig object ​
VirtualClusterKubeConfig allows you to override distro specifics and specify where vCluster will find the required certificates and vCluster config.
Deprecated: Removed in 0.29.0.
virtualClusterKubeConfig object ​kubeConfig string ​
KubeConfig is the virtual cluster kubeconfig path.
kubeConfig string ​serverCAKey string ​
ServerCAKey is the server ca key path.
serverCAKey string ​serverCACert string ​
ServerCACert is the server ca cert path.
serverCACert string ​clientCACert string ​
ClientCACert is the client ca cert path.
clientCACert string ​clientCAKey string ​
ClientCAKey is the client ca key path.
clientCAKey string ​requestHeaderCACert string ​
RequestHeaderCACert is the request header ca cert path.
requestHeaderCACert string ​denyProxyRequests object[] ​
DenyProxyRequests denies certain requests in the vCluster proxy.
denyProxyRequests object[] ​name string ​
The name of the check.
name string ​namespaces string[] ​
Namespaces describes a list of namespaces that will be affected by the check.
An empty list means that all namespaces will be affected.
In case of ClusterScoped rules, only the Namespace resource is affected.
namespaces string[] ​rules object[] ​
Rules describes on which verbs and on what resources/subresources the webhook is enforced.
The webhook is enforced if it matches any Rule.
The version of the request must match the rule version exactly. Equivalent matching is not supported.
rules object[] ​apiGroups string[] ​
APIGroups is the API groups the resources belong to. '*' is all groups.
apiGroups string[] ​apiVersions string[] ​
APIVersions is the API versions the resources belong to. '*' is all versions.
apiVersions string[] ​resources string[] ​
Resources is a list of resources this rule applies to.
resources string[] ​scope string ​
Scope specifies the scope of this rule.
scope string ​operations string[] ​
Verb is the kube verb associated with the request for API requests, not the http verb. This includes things like list and watch.
For non-resource requests, this is the lowercase http verb.
If '*' is present, the length of the slice must be one.
operations string[] ​excludedUsers string[] ​
ExcludedUsers describes a list of users for which the checks will be skipped.
Impersonation attempts on these users will still be subjected to the checks.
excludedUsers string[] ​proxy object ​
Proxy enables vCluster-to-vCluster proxying of resources
proxy object ​customResources {key: object} ​
CustomResources is a map of resource keys (format: "kind.apiGroup/version") to proxy configuration
customResources {key: object} ​enabled boolean ​
Enabled defines if this resource proxy should be enabled
enabled boolean ​targetVirtualCluster object ​
TargetVirtualCluster is the target virtual cluster for the custom resource proxy
targetVirtualCluster object ​name required string ​
Name is the name of the target virtual cluster.
name required string ​project string ​
Project is the project of the target virtual cluster. If empty, defaults to the same project as the source vCluster.
project string ​accessResources string ​
AccessResources defines which resources should be accessible in the proxy.
accessResources string ​docker object ​
Docker allows you to configure Docker related settings when deploying a vCluster using Docker.
docker object ​image string ​
Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.
image string ​ports string[] ​
Ports defines extra port mappings to be added to the container.
ports string[] ​volumes string[] ​
Volumes defines extra volumes to be added to the container.
volumes string[] ​env string[] ​
Env defines extra environment variables to be added to the container. Use key=value.
env string[] ​args string[] ​
Args defines extra arguments to be added to the docker run command of the container.
args string[] ​enabled boolean ​
Enabled defines if the vCluster was deployed using Docker. This is automatically set by vCluster and should not be set by the user.
enabled boolean ​network string ​
Network defines the network to use for the vCluster. If not specified, a network will be created for the vCluster.
network string ​nodes object[] ​
Nodes defines the nodes of the vCluster.
nodes object[] ​image string ​
Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.
image string ​ports string[] ​
Ports defines extra port mappings to be added to the container.
ports string[] ​volumes string[] ​
Volumes defines extra volumes to be added to the container.
volumes string[] ​env string[] ​
Env defines extra environment variables to be added to the container. Use key=value.
env string[] ​args string[] ​
Args defines extra arguments to be added to the docker run command of the container.
args string[] ​name string ​
Name defines the name of the node. If not specified, a random name will be generated.
name string ​registryProxy object ​
Defines if Docker images should be pulled from the host Docker daemon. This prevents pulling images again and allows you to
use purely local images. Only works if containerd image storage is used. For more information, see https://docs.docker.com/engine/storage/containerd
registryProxy object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​loadBalancer object ​
Defines if vCluster should configure load balancer services inside the vCluster. This might require
sudo access on the host cluster for Docker Desktop or Rancher Desktop on macOS.
loadBalancer object ​enabled boolean true ​
Enabled defines if this option should be enabled.
enabled boolean true ​forwardPorts boolean true ​
ForwardPorts defines if the load balancer IPs should be made available locally
via port forwarding. This is only done if necessary, for example on macOS when using Docker Desktop.
forwardPorts boolean true ​nodeMonitors object[] ​
NodeMonitors allows you to create a service monitor for each node.
nodeMonitors object[] ​name string ​
Name is the name of the monitor. It will be suffixed with the node name.
name string ​nodeSelector object ​
NodeSelector defines the node selector for the service monitor.
nodeSelector object ​endpoints object[] ​
Endpoints is a list of endpoints to add to the service monitor. By default, vCluster will relabel the node and instance label to the node name.
endpoints object[] ​path string ​
Path is the kubelet path of the endpoint. vCluster will prepend /api/v1/nodes/NODE_NAME to the path.
path string ​params object ​
Params allows you to configure extra parameters to add to the endpoint.
params object ​extraRelabelings object[] ​
ExtraRelabelings allows you to configure extra relabelings to add to the endpoint. By default, vCluster will relabel the node and instance label to the node name.
extraRelabelings object[] ​metricsRelabelings object[] ​
MetricsRelabelings allows you to configure extra metrics relabelings to add to the endpoint.
metricsRelabelings object[] ​interval string ​
Interval is the interval at which to scrape the endpoint.
interval string ​scrapeTimeout string ​
ScrapeTimeout is the timeout for the scrape of the endpoint.
scrapeTimeout string ​spec object ​
Spec allows you to configure extra service monitor options that will be merged into the spec.
spec object ​annotations object ​
Annotations are extra annotations for this resource.
annotations object ​labels object ​
Labels are extra labels for this resource.
labels object ​platform object ​
Platform holds vCluster Platform specific configuration.
platform object ​apiKey object ​
APIKey defines where to find the platform access key and host. By default, vCluster will search in the following locations in this precedence:
- environment variable called LICENSE
- secret specified under platform.apiKey.secretName
- secret called "vcluster-platform-api-key" in the vCluster namespace
apiKey object ​secretName string ​
SecretName is the name of the secret where the platform access key is stored. This defaults to vcluster-platform-api-key if undefined.
secretName string ​namespace string ​
Namespace defines the namespace where the access key secret should be retrieved from. If this is not equal to the namespace
where the vCluster instance is deployed, you need to make sure vCluster has access to this other namespace.
namespace string ​createRBAC boolean ​
CreateRBAC will automatically create the necessary RBAC roles and role bindings to allow vCluster to read the secret specified
in the above namespace, if specified.
This defaults to true.
createRBAC boolean ​project string ​
Project specifies which platform project the vcluster should be imported to
project string ​telemetry object ​
Configuration related to telemetry gathered about vCluster usage.
telemetry object ​enabled boolean true ​
Enabled specifies that the telemetry for the vCluster control plane should be enabled.
enabled boolean true ​instanceCreator string ​
instanceCreator string ​machineID string ​
machineID string ​platformUserID string ​
platformUserID string ​platformInstanceID string ​
platformInstanceID string ​snapshots object ​
Snapshots holds configuration for automatic vCluster snapshots.
snapshots object ​auto object ​
Auto holds automatic snapshot configuration
auto object ​schedule string ​
Schedule specifies a scheduled time in Cron format, see https://en.wikipedia.org/wiki/Cron for a virtual cluster snapshot to be taken
schedule string ​timezone string ​
Timezone specifies time zone used for scheduled snapshot operations. Defaults to UTC.
Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation).
The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York".
timezone string ​retention object ​
Retention specifies how long snapshots will be kept
retention object ​period integer ​
Period defines the number of days a snapshot will be kept
period integer ​maxSnapshots integer ​
MaxSnapshots defines the number of snapshots that can be taken
maxSnapshots integer ​storage object ​
Storage specifies where the snapshot will be stored
storage object ​type string ​
Type specifies the type of storage service used for a snapshot (S3/OCI/Container), see https://www.vcluster.com/docs/vcluster/manage/backup-restore#store-snapshots-in-s3-buckets
type string ​s3 object ​
S3 holds configuration for storing snapshots in S3-compatible bucket
s3 object ​url string ​
Url specifies url to the storage service
url string ​oci object ​
OCI holds configuration for storing snapshots in OCI image registries
oci object ​repository string ​
Repository is the OCI repository in which to store the snapshot
repository string ​credential object ​
Credential is the secret with the OCI credentials
credential object ​secretName string ​
SecretName is the secret name with credential
secretName string ​secretNamespace string ​
SecretNamespace is the secret namespace with credential
secretNamespace string ​username string ​
Username to authenticate with the OCI registry
username string ​password string ​
Password to authenticate with the OCI registry
password string ​container object ​
Container holds configuration for storing snapshots as local files inside a vCluster container
container object ​path string ​
Path specifies directory to store the snapshot
path string ​azure object ​
Azure holds configuration for storing snapshots in Azure Blob Storage
azure object ​blobUrl string ​
BlobURL specifies the Azure Blob Storage URL in the format https://{account}.blob.core.windows.net/{container}/{path}
blobUrl string ​credential object ​
Credential secret with the Azure credentials. The secret should contain either:
AZURE_STORAGE_KEY (storage account access key), or
AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP (service principal)
credential object ​secretName string ​
SecretName is the secret name with credential
secretName string ​secretNamespace string ​
SecretNamespace is the secret namespace with credential
secretNamespace string ​