Version: v0.35 Stable

vcluster.yaml configuration

The vcluster.yaml configuration file defines how your tenant cluster operates and integrates with the control plane cluster. Use the vcluster.yaml file to configure vCluster. It allows you to override default settings by specifying resource sync rules, networking behavior, storage options, and authentication methods.

If you're familiar with Helm, you can use vcluster.yaml in the same way as a values.yaml file. All vCluster deployment methods are based on Helm, which ensures consistent behavior across environments.

The configuration file controls resource synchronization between the control plane cluster and the tenant cluster, network access methods, storage persistence, authentication settings, and external service integrations. You can apply most configurations during deployment or upgrades, though some settings like the data store must be configured during initial deployment.

To explore configuration options, review the vCluster chart values file for default settings and available parameters. The vCluster Helm chart also includes a JSON schema for validating vcluster.yaml. For more information on configuration structure, see What is vcluster.yaml?.

Deploy a tenant cluster​

Before you deploy, review the worker node deployment options to determine how the infrastructure of the tenant cluster will be configured.

Once you've chosen your deployment path, read the different ways to deploy:

Config reference​

controlPlane object ​

Configure vCluster's control plane components and deployment.

endpoint string ​

Endpoint is the endpoint of the virtual cluster. This is used to connect to the virtual cluster.

distro object ​

Distro holds virtual cluster related distro options. A distro cannot be changed after vCluster is deployed.

k8s object ​

K8S holds K8s relevant configuration.

enabled boolean false ​

Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.

version string ​

Version is the Kubernetes version to use.

apiServer object ​

APIServer holds configuration specific to starting the api server.

enabled boolean true ​

Enabled signals this container should be enabled.

command string[] [] ​

Command is the command to start the distro binary. This will override the existing command.

extraArgs string[] [] ​

ExtraArgs are additional arguments to pass to the distro binary.

controllerManager object ​

ControllerManager holds configuration specific to starting the controller manager.

enabled boolean true ​

Enabled signals this container should be enabled.

command string[] [] ​

Command is the command to start the distro binary. This will override the existing command.

extraArgs string[] [] ​

ExtraArgs are additional arguments to pass to the distro binary.

scheduler object ​

Scheduler holds configuration specific to starting the scheduler.

enabled boolean false ​

Enabled signals this container should be enabled.

command string[] [] ​

Command is the command to start the distro binary. This will override the existing command.

extraArgs string[] [] ​

ExtraArgs are additional arguments to pass to the distro binary.

image object ​

Image is the distro image

registry string ghcr.io ​

Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.

repository string loft-sh/kubernetes ​

Repository is the repository of the container image, e.g. my-repo/my-image

tag string v1.36.0 ​

Tag is the tag of the container image, and is the default version.

imagePullPolicy string ​

ImagePullPolicy is the pull policy for the distro image

env object[] [] ​

Env are extra environment variables to use for the main container and NOT the init container.

resources object map[limits:map[cpu:100m memory:256Mi] requests:map[cpu:40m memory:64Mi]] ​

Resources for the distro init container

securityContext object {} ​

Security options can be used for the distro init container

standalone object ​

Standalone holds configuration for standalone mode. Standalone mode is set automatically when no container is detected and also implies privateNodes.enabled.

enabled boolean ​

Enabled defines if standalone mode should be enabled.

dataDir string /var/lib/vcluster ​

DataDir defines the data directory for the standalone mode.

autoNodes object ​

AutoNodes automatically deploys nodes for standalone mode.

provider string ​

Provider is the node provider of the nodes in this pool.

quantity integer ​

Quantity is the number of nodes to deploy for standalone mode.

nodeTypeSelector object[] ​

NodeTypeSelector filters the types of nodes that can be provisioned by this pool. All requirements must be met for a node type to be eligible.

property required string ​

Property is the property on the node type to select.

operator string ​

Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".

values string[] ​

Values is the list of values to use for comparison. This is mutually exclusive with value.

value string ​

Value is the value to use for comparison. This is mutually exclusive with values.

joinNode object ​

JoinNode holds configuration for the standalone control plane node.

enabled boolean true ​

Enabled defines if the standalone node should be joined into the cluster. If false, only the control plane binaries will be executed and no node will show up in the actual cluster.

preInstallCommands string[] ​

PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.

preJoinCommands string[] ​

PreJoinCommands are commands that will be executed before kubeadm join is executed.

postJoinCommands string[] ​

PostJoinCommands are commands that will be executed after kubeadm join is executed.

containerd object ​

Containerd holds configuration for the containerd join process.

enabled boolean true ​

Enabled defines if containerd should be installed and configured by vCluster.

registry object ​

Registry holds configuration for how containerd should be configured to use registries: which mirrors to pull through, how to verify them, and which credentials to present.

configPath string ​

ConfigPath is the path to the containerd registry config.

mirrors {key: object} ​

Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.

server string ​

Server is the fallback server to use for the containerd registry mirror. E.g. https://registry-1.docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.

caCert string[] ​

CACert are paths to CA certificates to use for the containerd registry mirror.

skipVerify boolean ​

SkipVerify disables TLS certificate verification for the containerd registry mirror and also allows plain HTTP connections. With it set, anyone on the network path between the node and the mirror can serve tampered images, so prefer caCert with the mirror's CA and leave this unset outside isolated test setups.

capabilities string[] ​

Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.

overridePath boolean ​

OverridePath is a boolean to override the path for the containerd registry mirror.

hosts object[] ​

Hosts holds configuration for the containerd registry mirror hosts. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.

server string ​

Server is the server to use for the containerd registry mirror host. E.g. http://192.168.31.250:5000.

caCert string[] ​

CACert are paths to CA certificates to use for the containerd registry mirror host.

skipVerify boolean ​

SkipVerify disables TLS certificate verification for this mirror host and allows plain HTTP connections. Prefer caCert with the host's CA; the risk is the same as for skipVerify on the mirror above.

capabilities string[] ​

Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.

overridePath boolean ​

OverridePath is a boolean to override the path for the containerd registry mirror.

auth {key: object} ​

Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.

username string ​

Username is the username for the containerd registry.

password string ​

Password is the password for the containerd registry. It is stored in plain text in vcluster.yaml, so use a pull-only account and keep the file out of version control.

identityToken string ​

IdentityToken is the token for the containerd registry.

auth string ​

Auth is the auth config for the containerd registry: the base64-encoded username:password pair, in the same form a Docker config.json uses. It is an alternative to setting username and password separately.

pauseImage string ​

PauseImage is the image for the pause container.

caCertPath string ​

CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".

skipPhases string[] ​

SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.

nodeRegistration object ​

NodeRegistration holds configuration for the node registration similar to the kubeadm node registration.

criSocket string ​

CRI socket is the socket for the CRI.

kubeletExtraArgs object[] ​

KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap, because flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. An argument name in this list is the flag name as it appears on the command line, without the leading dash(es). Extra arguments override existing default arguments. Duplicate extra arguments are allowed.

name string ​

Name is the name of the argument.

value string ​

Value is the value of the argument.

taints object[] ​

Taints are additional taints to set for the kubelet.

key string ​

Required. The taint key to be applied to a node.

value string ​

The taint value corresponding to the taint key.

effect string ​

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

ignorePreflightErrors string[] ​

IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.

imagePullPolicy string ​

ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
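The standalone and containerd join settings above, combined into one vcluster.yaml fragment. This is an added example, not configuration taken from the vCluster documentation or project; the mirror host, pause image, CA path and registry credentials are placeholders. It shows a TLS-verified registry mirror with the skipVerify shortcut left commented out beside it, a pull-only credential, and a control-plane taint on the joined node.

```yaml
controlPlane:
  standalone:
    enabled: true
    dataDir: /var/lib/vcluster
    joinNode:
      enabled: true
      containerd:
        enabled: true
        # Hypothetical pause image served from a mirror under your control.
        pauseImage: mirror.example.internal:5000/pause:3.10
        registry:
          mirrors:
            # Pull docker.io images through a private mirror and fall back to
            # the upstream registry if the mirror is unreachable.
            docker.io:
              server: https://registry-1.docker.io
              hosts:
                - server: https://mirror.example.internal:5000
                  capabilities: ["pull", "resolve"]
                  # Trust the mirror's private CA instead of disabling verification.
                  caCert:
                    - /etc/containerd/certs.d/mirror-ca.crt
                  # Weak alternative: this also permits plain http and lets anyone
                  # on the path to the mirror substitute images. Leave it out.
                  # skipVerify: true
          auth:
            # Stored in plain text in this file: use a pull-only account and keep
            # vcluster.yaml out of version control.
            "mirror.example.internal:5000":
              username: vcluster-pull
              password: REPLACE_ME
      nodeRegistration:
        # Keep tenant workloads off the standalone control plane node.
        taints:
          - key: node-role.kubernetes.io/control-plane
            effect: NoSchedule
```

The mirror key (docker.io) is the registry being mirrored; the auth key is the host the credentials are sent to, so the two differ when a private mirror fronts a public registry.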

backingStore object ​

BackingStore defines which backing store to use for virtual cluster. If not defined will use embedded database as a default backing store.

etcd object ​

Etcd defines that etcd should be used as the backend for the virtual cluster

embedded object ​

Embedded defines to use embedded etcd as a storage backend for the virtual cluster

enabled boolean false ​

Enabled defines if the embedded etcd should be used.

migrateFromDeployedEtcd boolean false ​

MigrateFromDeployedEtcd signals that vCluster should migrate from the deployed external etcd to embedded etcd.

snapshotCount integer ​

SnapshotCount defines the number of snapshots to keep for the embedded etcd. Defaults to 10000 if less than 1.

extraArgs string[] [] ​

ExtraArgs are additional arguments to pass to the embedded etcd.

deploy object ​

Deploy defines to use an external etcd that is deployed by the helm chart

enabled boolean false ​

Enabled defines that an external etcd should be deployed.

statefulSet object ​

StatefulSet holds options for the external etcd statefulSet.

enabled boolean true ​

Enabled defines if the statefulSet should be deployed

enableServiceLinks boolean

EnableServiceLinks for the StatefulSet pod.

image object ​

Image is the image to use for the external etcd statefulSet

registry string registry.k8s.io ​

Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.

repository string etcd ​

Repository is the repository of the container image, e.g. my-repo/my-image

tag string 3.6.8-0 ​

Tag is the tag of the container image, and is the default version.

imagePullPolicy string ​

ImagePullPolicy is the pull policy for the external etcd image

env object[] [] ​

Env are extra environment variables

extraArgs string[] [] ​

ExtraArgs are appended to the etcd command.

resources object ​

Resources the etcd can consume

limits object ​

Limits are resource limits for the container

requests object map[cpu:20m memory:150Mi] ​

Requests are minimal resources that will be consumed by the container

pods object ​

Pods defines extra metadata for the etcd pods.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

highAvailability object ​

HighAvailability are high availability options

replicas integer 1 ​

Replicas are the amount of pods to use.

scheduling object ​

Scheduling options for the etcd pods.

nodeSelector object {} ​

NodeSelector is the node selector to apply to the pod.

affinity object {} ​

Affinity is the affinity to apply to the pod.

tolerations object[] [] ​

Tolerations are the tolerations to apply to the pod.

priorityClassName string ​

PriorityClassName is the priority class name for the pod.

podManagementPolicy string Parallel ​

PodManagementPolicy is the statefulSet pod management policy.

topologySpreadConstraints object[] [] ​

TopologySpreadConstraints are the topology spread constraints for the pod.

security object ​

Security options for the etcd pods.

podSecurityContext object {} ​

PodSecurityContext specifies security context options on the pod level.

containerSecurityContext object {} ​

ContainerSecurityContext specifies security context options on the container level.

persistence object ​

Persistence options for the etcd pods.

volumeClaim object ​

VolumeClaim can be used to configure the persistent volume claim.

enabled boolean true ​

Enabled enables deploying a persistent volume claim.

accessModes string[] [ReadWriteOnce] ​

AccessModes are the persistent volume claim access modes.

retentionPolicy string Retain ​

RetentionPolicy is the persistent volume claim retention policy.

size string 5Gi ​

Size is the persistent volume claim storage size.

storageClass string ​

StorageClass is the persistent volume claim storage class.

volumeClaimTemplates object[] [] ​

VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet

addVolumes object[] [] ​

AddVolumes defines extra volumes for the pod

addVolumeMounts object[] ​

AddVolumeMounts defines extra volume mounts for the container

name string ​

This must match the Name of a Volume.

readOnly boolean ​

Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

mountPath string ​

Path within the container at which the volume should be mounted. Must not contain ':'.

subPath string ​

Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

mountPropagation string ​

mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.

subPathExpr string ​

Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

service object ​

Service holds options for the external etcd service.

enabled boolean true ​

Enabled defines if the etcd service should be deployed

annotations object {} ​

Annotations are extra annotations for the external etcd service

headlessService object ​

HeadlessService holds options for the external etcd headless service.

annotations object {} ​

Annotations are extra annotations for the external etcd headless service

external object ​

External defines to use a self-hosted external etcd that is not deployed by the helm chart

enabled boolean false ​

Enabled defines if the external etcd should be used.

endpoint string ​

Endpoint holds the endpoint of the external etcd server, e.g. my-example-service:2379

tls object ​

TLS defines the tls configuration for the external etcd server

caFile string ​

CaFile is the path to the ca file

certFile string ​

CertFile is the path to the cert file

keyFile string ​

KeyFile is the path to the key file

database object ​

Database defines that a database backend should be used as the backend for the virtual cluster. This uses a project called kine under the hood which is a shim for bridging Kubernetes and relational databases.

embedded object ​

Embedded defines that an embedded database (sqlite) should be used as the backend for the virtual cluster

enabled boolean false ​

Enabled defines if the database should be used.

dataSource string ​

DataSource is the kine dataSource to use for the database. This depends on the database format. This is optional for the external database. Examples:

  • mysql: mysql://username:password@tcp(hostname:3306)/vcluster
  • postgres: postgres://username:password@hostname:5432/vcluster
identityProvider string ​

IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security. This is optional for the external database. Examples:

  • aws: RDS IAM Authentication
keyFile string ​

KeyFile is the key file to use for the database. This is optional.

certFile string ​

CertFile is the cert file to use for the database. This is optional.

caFile string ​

CaFile is the ca file to use for the database. This is optional.

extraArgs string[] [] ​

ExtraArgs are additional arguments to pass to Kine.

external object ​

External defines that an external database should be used as the backend for the virtual cluster

enabled boolean false ​

Enabled defines if the database should be used.

dataSource string ​

DataSource is the kine dataSource to use for the database. Its format depends on the database type. This is optional for the external database. A username and password embedded in this URL are stored in plain text in vcluster.yaml; where the database supports it, prefer identityProvider so that short-lived tokens are used instead of a static password. Examples:

  • mysql: mysql://username:password@tcp(hostname:3306)/vcluster
  • postgres: postgres://username:password@hostname:5432/vcluster
identityProvider string ​

IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security. This is optional for the external database. Examples:

  • aws: RDS IAM Authentication
keyFile string ​

KeyFile is the key file to use for the database. This is optional.

certFile string ​

CertFile is the cert file to use for the database. This is optional.

caFile string ​

CaFile is the ca file to use for the database. This is optional.

extraArgs string[] [] ​

ExtraArgs are additional arguments to pass to Kine.

connector string ​

Connector specifies a secret located in a connected vCluster Platform that contains database server connection information. The Platform uses it to create a database and a non-privileged database user for the vCluster, and a kine endpoint is created from that database and user on Platform registration. This is optional.
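Two ways to keep the virtual cluster's state off the control plane pod, as an added example that is not part of the vCluster documentation or chart. Endpoints and file paths are placeholders, and the certificate files are assumed to already be mounted into the control plane container (for instance with statefulSet.persistence.addVolumes and addVolumeMounts from the reference below). Only one backing store may be enabled, so the external database variant is shown commented out beside the external etcd variant.

```yaml
controlPlane:
  backingStore:
    etcd:
      external:
        enabled: true
        endpoint: etcd.example.internal:2379
        # Mutual TLS: the virtual cluster presents a client certificate to etcd
        # and verifies the etcd server against a pinned CA. Without these files
        # every Secret stored in the virtual cluster would cross the network
        # to an etcd that cannot tell this API server from anyone else.
        tls:
          caFile: /etc/vcluster/etcd/ca.crt
          certFile: /etc/vcluster/etcd/client.crt
          keyFile: /etc/vcluster/etcd/client.key
    # Alternative, mutually exclusive with the etcd block above: a relational
    # database through kine. The password in the dataSource URL is stored in
    # plain text in this file; caFile keeps the connection itself encrypted,
    # and identityProvider (where supported) replaces the static password.
    # database:
    #   external:
    #     enabled: true
    #     dataSource: postgres://vcluster:REPLACE_ME@db.example.internal:5432/vcluster
    #     caFile: /etc/vcluster/db/ca.crt
```

The backing store cannot be switched after the initial deployment without a migration, so pick the variant before the first helm install rather than on upgrade.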

coredns object ​

CoreDNS defines everything related to the coredns that is deployed and used within the vCluster.

enabled boolean true ​

Enabled defines if coredns is enabled

embedded boolean false ​

Embedded defines if vCluster will start the embedded coredns service within the control-plane and not as a separate deployment. This is a PRO feature.

security object ​

Security defines pod or container security context.

podSecurityContext object {} ​

PodSecurityContext specifies security context options on the pod level.

containerSecurityContext object {} ​

ContainerSecurityContext specifies security context options on the container level.

service object ​

Service holds extra options for the coredns service deployed within the virtual cluster

spec object map[type:ClusterIP] ​

Spec holds extra options for the coredns service

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

deployment object ​

Deployment holds extra options for the coredns deployment deployed within the virtual cluster

image string ​

Image is the coredns image to use

replicas integer 1 ​

Replicas is the amount of coredns pods to run.

nodeSelector object {} ​

NodeSelector is the node selector to use for coredns.

affinity object {} ​

Affinity is the affinity to apply to the pod.

tolerations object[] [] ​

Tolerations are the tolerations to apply to the pod.

resources object ​

Resources are the desired resources for coredns.

limits object map[cpu:1000m memory:170Mi] ​

Limits are resource limits for the container

requests object map[cpu:20m memory:64Mi] ​

Requests are minimal resources that will be consumed by the container

pods object ​

Pods is additional metadata for the coredns pods.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

topologySpreadConstraints object[] [map[labelSelector:map[matchLabels:map[k8s-app:vcluster-kube-dns]] maxSkew:1 topologyKey:kubernetes.io/hostname whenUnsatisfiable:DoNotSchedule]] ​

TopologySpreadConstraints are the topology spread constraints for the CoreDNS pod.

overwriteConfig string ​

OverwriteConfig can be used to overwrite the coredns config

overwriteManifests string ​

OverwriteManifests can be used to overwrite the coredns manifests used to deploy coredns

priorityClassName string ​

PriorityClassName specifies the priority class name for the CoreDNS pods.

proxy object ​

Proxy defines options for the virtual cluster control plane proxy that is used to do authentication and intercept requests.

bindAddress string 0.0.0.0 ​

BindAddress under which vCluster will expose the proxy.

port integer 8443 ​

Port under which vCluster will expose the proxy. Changing port is currently not supported.

extraSANs string[] [] ​

ExtraSANs are extra hostnames to sign the vCluster proxy certificate for.

hostPathMapper object ​

HostPathMapper defines if vCluster should rewrite host paths.

enabled boolean ​

Enabled specifies if the host path mapper will be used

central boolean ​

Central specifies if the central host path mapper will be used

ingress object ​

Ingress defines options for vCluster ingress deployed by Helm.

enabled boolean false ​

Enabled defines if the control plane ingress should be enabled

host string my-host.com ​

Host is the host where vCluster will be reachable

pathType string ImplementationSpecific ​

PathType is the path type of the ingress

spec object map[tls:[]] ​

Spec allows you to configure extra ingress options.

annotations object map[nginx.ingress.kubernetes.io/backend-protocol:HTTPS nginx.ingress.kubernetes.io/ssl-passthrough:true nginx.ingress.kubernetes.io/ssl-redirect:true] ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

tlsRoute object ​

TLSRoute defines options for vCluster TLS route deployed by Helm.

enabled boolean false ​

Enabled defines if the control plane should be exposed via a Gateway API TLSRoute. The referenced gateway listener must pass TLS through (tls.mode set to "Passthrough"), because the vCluster proxy terminates TLS itself.

apiVersion string gateway.networking.k8s.io/v1 ​

APIVersion is the version of the gateway api tls route.

host string my-host.com ​

Host is the host where vCluster will be reachable

parentRefs object[] [] ​

ParentRefs are the parent references for the TLS route

spec object {} ​

Spec allows you to configure extra tls route options.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

service object ​

Service defines options for vCluster service deployed by Helm.

enabled boolean true ​

Enabled defines if the control plane service should be enabled

spec object map[type:ClusterIP] ​

Spec allows you to configure extra service options.

kubeletNodePort integer 0 ​

KubeletNodePort is the node port where the fake kubelet is exposed. Defaults to 0.

httpsNodePort integer 0 ​

HTTPSNodePort is the node port where https is exposed. Defaults to 0.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.
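Exposing the control plane on a hostname, as an added example that is not taken from the vCluster documentation; vcluster.example.com, the gateway name, namespace and listener name are placeholders. The ingress variant spells out the chart's default NGINX passthrough annotations so the intent is visible; the TLSRoute variant is the Gateway API equivalent. In both cases the ingress or gateway does not terminate TLS, so clients see the certificate of the vCluster proxy itself, which is why the public hostname must also be listed in proxy.extraSANs.

```yaml
controlPlane:
  proxy:
    # The proxy certificate must cover the public hostname, otherwise kubectl
    # fails certificate verification once TLS is passed through to the proxy.
    extraSANs:
      - vcluster.example.com
  ingress:
    enabled: true
    host: vcluster.example.com
    pathType: ImplementationSpecific
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
  # Gateway API alternative (pick one entry point): the listener named in
  # sectionName must have tls.mode set to Passthrough.
  # tlsRoute:
  #   enabled: true
  #   host: vcluster.example.com
  #   parentRefs:
  #     - name: example-gateway
  #       namespace: gateway-system
  #       sectionName: tls-passthrough
  service:
    # Keep the service internal; the ingress or gateway is the only public
    # entry point, and httpsNodePort stays at its default of 0.
    spec:
      type: ClusterIP
```

Terminating TLS at the ingress instead (ssl-passthrough off) would let the ingress controller read every API request and token, so keep passthrough unless you deliberately want that inspection point.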

statefulSet object ​

StatefulSet defines options for vCluster statefulSet deployed by Helm.

highAvailability object ​

HighAvailability holds options related to high availability.

replicas integer 1 ​

Replicas is the amount of replicas to use for the statefulSet.

leaseDuration integer 60 ​

LeaseDuration is the time to lease for the leader.

renewDeadline integer 40 ​

RenewDeadline is the deadline to renew a lease for the leader.

retryPeriod integer 15 ​

RetryPeriod is the time until a replica will retry to get a lease.

resources object ​

Resources are the resource requests and limits for the statefulSet container.

limits object map[ephemeral-storage:10Gi memory:4Gi] ​

Limits are resource limits for the container

requests object map[cpu:200m ephemeral-storage:1Gi memory:256Mi] ​

Requests are minimal resources that will be consumed by the container

scheduling object ​

Scheduling holds options related to scheduling.

nodeSelector object {} ​

NodeSelector is the node selector to apply to the pod.

affinity object {} ​

Affinity is the affinity to apply to the pod.

tolerations object[] [] ​

Tolerations are the tolerations to apply to the pod.

priorityClassName string ​

PriorityClassName is the priority class name for the pod.

podManagementPolicy string Parallel ​

PodManagementPolicy is the statefulSet pod management policy.

topologySpreadConstraints object[] [] ​

TopologySpreadConstraints are the topology spread constraints for the pod.

security object ​

Security defines pod or container security context.

podSecurityContext object {} ​

PodSecurityContext specifies security context options on the pod level.

containerSecurityContext object map[allowPrivilegeEscalation:false runAsGroup:0 runAsUser:0] ​

ContainerSecurityContext specifies security context options on the container level. Note that the default runs the control plane container as root (runAsUser: 0, runAsGroup: 0) with allowPrivilegeEscalation: false; review it against the pod security standard enforced in the namespace before deploying.

probes object ​

Probes enables or disables the main container probes.

livenessProbe object ​

LivenessProbe specifies if the liveness probe for the container should be enabled

enabled boolean true ​

Enabled defines if this option should be enabled.

failureThreshold integer 60 ​

Number of consecutive failures for the probe to be considered failed

initialDelaySeconds integer 60 ​

Time (in seconds) to wait before starting the liveness probe

timeoutSeconds integer 3 ​

Maximum duration (in seconds) that the probe will wait for a response.

periodSeconds integer 2 ​

Frequency (in seconds) to perform the probe

readinessProbe object ​

ReadinessProbe specifies if the readiness probe for the container should be enabled

enabled boolean true ​

Enabled defines if this option should be enabled.

failureThreshold integer 60 ​

Number of consecutive failures for the probe to be considered failed

timeoutSeconds integer 3 ​

Maximum duration (in seconds) that the probe will wait for a response.

periodSeconds integer 2 ​

Frequency (in seconds) to perform the probe

startupProbe object ​

StartupProbe specifies if the startup probe for the container should be enabled

enabled boolean true ​

Enabled defines if this option should be enabled.

failureThreshold integer 300 ​

Number of consecutive failures allowed before failing the pod

timeoutSeconds integer 3 ​

Maximum duration (in seconds) that the probe will wait for a response.

periodSeconds integer 6 ​

Frequency (in seconds) to perform the probe

persistence object ​

Persistence defines options around persistence for the statefulSet.

volumeClaim object ​

VolumeClaim can be used to configure the persistent volume claim.

enabled string|boolean auto ​

Enabled enables deploying a persistent volume claim. If auto, vCluster will automatically determine based on the chosen distro and other options if this is required.

accessModes string[] [ReadWriteOnce] ​

AccessModes are the persistent volume claim access modes.

retentionPolicy string Retain ​

RetentionPolicy is the persistent volume claim retention policy.

size string 5Gi ​

Size is the persistent volume claim storage size.

storageClass string ​

StorageClass is the persistent volume claim storage class.

volumeClaimTemplates object[] [] ​

VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet

dataVolume object[] [] ​

Allows you to override the dataVolume. Only works correctly if volumeClaim.enabled=false.

binariesVolume object[] [map[emptyDir:map[] name:binaries]] ​

BinariesVolume defines a binaries volume that is used to retrieve distro specific executables to be run by the syncer controller. This volume doesn't need to be persistent.

addVolumes object[] [] ​

AddVolumes defines extra volumes for the pod

addVolumeMounts object[] ​

AddVolumeMounts defines extra volume mounts for the container

name string ​

This must match the Name of a Volume.

readOnly boolean ​

Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

mountPath string ​

Path within the container at which the volume should be mounted. Must not contain ':'.

subPath string ​

Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

mountPropagation string ​

mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.

subPathExpr string ​

Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.

enableServiceLinks boolean

EnableServiceLinks for the StatefulSet pod.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

pods object ​

Additional labels or annotations for the statefulSet pods.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

image object ​

Image is the image for the controlPlane statefulSet container. It defaults to the vCluster pro repository, which includes the optional pro modules that are turned off by default. If you want the pure OSS build instead, set the repository to 'loft-sh/vcluster-oss'.

registry string ghcr.io ​

Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.

repository string loft-sh/vcluster-pro ​

Repository is the repository of the container image, e.g. my-repo/my-image

tag string ​

Tag is the tag of the container image, and is the default version.

imagePullPolicy string ​

ImagePullPolicy is the policy for pulling the image.

workingDir string ​

WorkingDir specifies the folder in which the main process is started.

command string[] [] ​

Command allows you to override the main command.

args string[] [] ​

Args allows you to override the main arguments.

env object[] [] ​

Env are additional environment variables for the statefulSet container.

dnsPolicy string ​

Set DNS policy for the pod.

dnsConfig object ​

Specifies the DNS parameters of a pod.

nameservers string[] ​

A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.

searches string[] ​

A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.

options object[] ​

A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.

name string ​

Required.

value string ​

initContainers object[] [] ​

InitContainers are additional init containers for the statefulSet.

sidecarContainers object[] [] ​

SidecarContainers are additional sidecar containers for the statefulSet.

hostAliases object[] ​

HostAliases allows you to add custom entries to the /etc/hosts file of each Pod created.

ip string ​

hostnames string[] ​

runtimeClassName string ​

RuntimeClassName is the runtime class to set for the statefulSet pods.

serviceMonitor object ​

ServiceMonitor can be used to automatically create a service monitor for vCluster deployment itself.

enabled boolean false ​

Enabled configures if Helm should create the service monitor.

labels object {} ​

Labels are the extra labels to add to the service monitor.

annotations object {} ​

Annotations are the extra annotations to add to the service monitor.

advanced object ​

Advanced holds additional configuration for the vCluster control plane.

defaultImageRegistry string ​

DefaultImageRegistry will be used as a prefix for all internal images deployed by vCluster or Helm. This makes it easy to upload all required vCluster images to a single private repository and set this value. Workload images are not affected by this.

virtualScheduler object ​

VirtualScheduler defines if a scheduler should be used within the virtual cluster or the scheduling decision for workloads will be made by the host cluster. Deprecated: Use ControlPlane.Distro.K8S.Scheduler instead.

enabled boolean false ​

Enabled defines if this option should be enabled.

serviceAccount object ​

ServiceAccount specifies options for the vCluster control plane service account.

enabled boolean true ​

Enabled specifies if the service account should get deployed.

name string ​

Name specifies what name to use for the service account.

imagePullSecrets object[] ​

ImagePullSecrets defines extra image pull secrets for the service account.

name string ​

Name of the image pull secret to use.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

workloadServiceAccount object ​

WorkloadServiceAccount specifies options for the service account that will be used for the workloads that run within the virtual cluster.

enabled boolean true ​

Enabled specifies if the service account for the workloads should get deployed.

name string ​

Name specifies what name to use for the service account for the virtual cluster workloads.

imagePullSecrets object[] ​

ImagePullSecrets defines extra image pull secrets for the workload service account.

name string ​

Name of the image pull secret to use.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

headlessService object ​

HeadlessService specifies options for the headless service used for the vCluster StatefulSet.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

konnectivity object ​

Konnectivity holds dedicated konnectivity configuration. This is only available when privateNodes.enabled is true.

server object ​

Server holds configuration for the konnectivity server.

enabled boolean true ​

Enabled defines if the konnectivity server should be enabled.

extraArgs string[] [] ​

ExtraArgs are additional arguments to pass to the konnectivity server.

agent object ​

Agent holds configuration for the konnectivity agent.

enabled boolean true ​

Enabled defines if the konnectivity agent should be enabled.

replicas integer 1 ​

Replicas is the number of replicas for the konnectivity agent.

image string ​

Image is the image for the konnectivity agent.

imagePullPolicy string ​

ImagePullPolicy is the policy for pulling the image.

nodeSelector object {} ​

NodeSelector is the node selector for the konnectivity agent.

priorityClassName string ​

PriorityClassName is the priority class name for the konnectivity agent.

tolerations object[] [] ​

Tolerations is the tolerations for the konnectivity agent.

extraEnv object[] [] ​

ExtraEnv is the extra environment variables for the konnectivity agent.

extraArgs string[] [] ​

ExtraArgs are additional arguments to pass to the konnectivity agent.

registry object ​

Registry allows enabling an embedded docker image registry in vCluster. This is useful for air-gapped environments or when you don't have a public registry available to distribute images.

enabled boolean false ​

Enabled defines if the embedded registry should be enabled.

anonymousPull boolean true ​

AnonymousPull allows enabling anonymous pull for the embedded registry. This allows anybody to pull images from the registry without authentication.

config object {} ​

Config is the regular docker registry config. See https://distribution.github.io/distribution/about/configuration/ for more details.

cloudControllerManager object ​

CloudControllerManager holds configuration for the embedded cloud controller manager. This is only available when private nodes are enabled. The cloud controller manager is responsible for setting the node's IP addresses as well as the provider ID for the node and other node metadata.

enabled boolean true ​

Enabled defines if the embedded cloud controller manager should be enabled. This defaults to true, but can be disabled if you want to use an external cloud controller manager such as AWS or GCP. The cloud controller manager is responsible for setting the node's IP addresses as well as the provider ID for the node and other node metadata.

globalMetadata object ​

GlobalMetadata is metadata that will be added to all resources deployed by Helm.

annotations object {} ​

Annotations are extra annotations for this resource.

kubeVip object ​

KubeVip holds configuration for embedded kube-vip that announces the virtual cluster endpoint IP on layer 2.

enabled boolean false ​

Enabled defines if embedded kube-vip should be enabled.

interface string ​

Interface is the network interface on which the VIP is announced.

gateway string ​

Gateway is the gateway address in CIDR notation (e.g., 10.100.0.1/24). This is used to configure policy-based routing for the VIP and must include the subnet prefix.

podDisruptionBudget object ​

PodDisruptionBudget limits how many pods of an application can be voluntarily disrupted at once to ensure availability during maintenance or scaling operations.

enabled boolean false ​

Enabled defines if the pod disruption budget should be enabled.

minAvailable object ​

MinAvailable describes the minimal number or percentage of available pods.

maxUnavailable object ​

MaxUnavailable describes the minimal number or percentage of unavailable pods.

unhealthyPodEvictionPolicy string ​

UnhealthyPodEvictionPolicy defines the criteria when unhealthy pods should be considered for eviction. Currently supported values are:

  • IfHealthyBudget - pods that are in the Running phase but not yet healthy are considered disrupted and may be evicted even if the PodDisruptionBudget criteria are not met.
  • AlwaysAllow - pods that are in the Running phase but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met.

logging object ​

Logging provides structured logging options.

encoding string console ​

Encoding specifies the format of vCluster logs; it can be either json or console.

privateNodes object ​

PrivateNodes holds configuration for vCluster private nodes mode.

enabled boolean false ​

Enabled defines if dedicated nodes should be enabled.

kubelet object ​

Kubelet holds kubelet configuration that is used for all nodes.

config object {} ​

Config is the config for the kubelet that will be merged into the default kubelet config. More information can be found here: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration

autoUpgrade object ​

AutoUpgrade holds configuration for auto upgrade.

enabled boolean true ​

Enabled defines if auto upgrade should be enabled.

image string ​

Image is the image for the auto upgrade pod started by vCluster. If empty defaults to the controlPlane.statefulSet.image.

imagePullPolicy string ​

ImagePullPolicy is the policy for pulling the image.

nodeSelector object ​

NodeSelector is the node selector for the auto upgrade. If empty will select all worker nodes.

binariesPath string ​

BinariesPath is the base path for the kubeadm binaries. Defaults to /usr/local/bin.

cniBinariesPath string ​

CNIBinariesPath is the base path for the CNI binaries. Defaults to /opt/cni/bin.

concurrency integer 1 ​

Concurrency is the number of nodes that can be upgraded at the same time.

podSecurityContext object {} ​

PodSecurityContext specifies security context options on the pod level for the upgrade pod.

containerSecurityContext object {} ​

ContainerSecurityContext specifies security context options on the container level for the upgrade container.

joinNode object ​

JoinNode holds configuration specifically used during joining the node (see "kubeadm join").

preInstallCommands string[] ​

PreInstallCommands are commands that will be executed before containerd, kubelet etc. are installed.

preJoinCommands string[] ​

PreJoinCommands are commands that will be executed before kubeadm join is executed.

postJoinCommands string[] ​

PostJoinCommands are commands that will be executed after kubeadm join is executed.

containerd object ​

Containerd holds configuration for the containerd join process.

enabled boolean true ​

Enabled defines if containerd should be installed and configured by vCluster.

registry object ​

Registry holds configuration for how containerd should be configured to use registries.

configPath string ​

ConfigPath is the path to the containerd registry config.

mirrors {key: object} ​

Mirrors holds configuration for the containerd registry mirrors, keyed by registry host, e.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.

server string ​

Server is the fallback server to use for the containerd registry mirror. E.g. https://registry-1.docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.

caCert string[] ​

CACert are paths to CA certificates to use for the containerd registry mirror.

skipVerify boolean ​

SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror; it also allows plain HTTP connections.

capabilities string[] ​

Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.

overridePath boolean ​

OverridePath is a boolean to override the path for the containerd registry mirror.

hosts object[] ​

Hosts holds configuration for the containerd registry mirror hosts. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.

server string ​

Server is the server to use for the containerd registry mirror host. E.g. http://192.168.31.250:5000.

caCert string[] ​

CACert are paths to CA certificates to use for the containerd registry mirror host.

skipVerify boolean ​

SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror host; it also allows plain HTTP connections.

capabilities string[] ​

Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.

overridePath boolean ​

OverridePath is a boolean to override the path for the containerd registry mirror.

auth {key: object} ​

Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.

username string ​

Username is the username for the containerd registry.

password string ​

Password is the password for the containerd registry.

identityToken string ​

IdentityToken is the token for the containerd registry.

auth string ​

Auth is the auth config for the containerd registry.

pauseImage string ​

PauseImage is the image for the pause container.
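The embedded registry (controlPlane.advanced.registry) and the private-node containerd registry settings (privateNodes.joinNode.containerd.registry) described above, combined in one vcluster.yaml fragment. This is an added example, not from the vCluster documentation or chart; the hostnames, certificate paths and token are constructed placeholders, and the nesting follows the field order of the reference above.

```yaml
# Added example (not part of the vCluster docs): an air-gapped setup that
# enables the embedded registry without anonymous pulls and points the
# private nodes' containerd at an internal mirror over verified TLS.
# registry.internal.example, the CA path and the token are placeholders.
controlPlane:
  advanced:
    # Pull all vCluster-internal images from one private registry.
    defaultImageRegistry: registry.internal.example:5000
    registry:
      enabled: true
      # Default is true; false requires clients to authenticate before pulling.
      anonymousPull: false

privateNodes:
  enabled: true
  joinNode:
    containerd:
      enabled: true
      registry:
        mirrors:
          # Key is the registry host that workload images reference.
          docker.io:
            # Fallback server when no host below can serve the request.
            server: https://registry-1.docker.io
            hosts:
              - server: https://registry.internal.example:5000
                # Trust only the internal CA; skipVerify stays at its
                # default (false), so TLS is verified and plain HTTP is refused.
                caCert:
                  - /etc/containerd/certs.d/internal-ca.crt
                capabilities: ["pull", "resolve"]
          "registry.internal.example:5000":
            server: https://registry.internal.example:5000
            caCert:
              - /etc/containerd/certs.d/internal-ca.crt
        auth:
          # Written into the node's containerd config; prefer a registry
          # identity token over a shared username/password.
          "registry.internal.example:5000":
            identityToken: "<REPLACE_WITH_REGISTRY_TOKEN>"  # placeholder
```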

caCertPath string ​

CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".

skipPhases string[] ​

SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.

nodeRegistration object ​

NodeRegistration holds configuration for the node registration similar to the kubeadm node registration.

criSocket string ​

CRISocket is the socket of the container runtime (CRI).

kubeletExtraArgs object[] ​

KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap. Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. An argument name in this list is the flag name as it appears on the command line except without leading dash(es). Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.

name string ​

Name is the name of the argument.

value string ​

Value is the value of the argument.

taints object[] ​

Taints are additional taints to set for the kubelet.

key string ​

Required. The taint key to be applied to a node.

value string ​

The taint value corresponding to the taint key.

effect string ​

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

ignorePreflightErrors string[] ​

IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.

imagePullPolicy string ​

ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.

autoNodes object[] ​

AutoNodes stores auto nodes configuration.

provider required string ​

Provider is the node provider of the nodes in this pool.

properties object ​

Properties are the node provider properties. This is a simple key value map and can contain things like region, subscription, etc. that is then used by the node provider to create the nodes and node environment.

static object[] ​

Static defines static node pools. Static node pools have a fixed size and are not scaled automatically.

name required string ​

Name is the name of this static nodePool.

nodeTypeSelector object[] ​

NodeTypeSelector filters the types of nodes that can be provisioned by this pool. All requirements must be met for a node type to be eligible.

property required string ​

Property is the property on the node type to select.

operator string ​

Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".

values string[] ​

Values is the list of values to use for comparison. This is mutually exclusive with value.

value string ​

Value is the value to use for comparison. This is mutually exclusive with values.

taints object[] ​

Taints are the taints to apply to the nodes in this pool.

key string ​

Required. The taint key to be applied to a node.

value string ​

The taint value corresponding to the taint key.

effect string ​

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

nodeLabels object ​

NodeLabels are the labels to apply to the nodes in this pool.

terminationGracePeriod string ​

TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.

Warning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.

This field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period. When set, drifted nodes will begin draining even if there are pods blocking eviction. Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.

Karpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod. If a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout, that pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.

The feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks. Defaults to 30s. Set to Never to wait indefinitely for pods to be drained.

quantity required integer ​

Quantity is the number of desired nodes in this pool.

dynamic object[] ​

Dynamic defines dynamic node pools. Dynamic node pools are scaled automatically based on the requirements within the cluster. Karpenter is used under the hood to handle the scheduling of the nodes.

name required string ​

Name is the name of this NodePool.

nodeTypeSelector object[] ​

NodeTypeSelector filters the types of nodes that can be provisioned by this pool. All requirements must be met for a node type to be eligible.

property required string ​

Property is the property on the node type to select.

operator string ​

Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".

values string[] ​

Values is the list of values to use for comparison. This is mutually exclusive with value.

value string ​

Value is the value to use for comparison. This is mutually exclusive with values.

taints object[] ​

Taints are the taints to apply to the nodes in this pool.

key string ​

Required. The taint key to be applied to a node.

value string ​

The taint value corresponding to the taint key.

effect string ​

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

nodeLabels object ​

NodeLabels are the labels to apply to the nodes in this pool.

limits object ​

Limits specify the maximum resources that can be provisioned by this node pool, mapping to the 'limits' field in Karpenter's NodePool API.

disruption object ​

Disruption contains the parameters that relate to Karpenter's disruption logic.

consolidateAfter string ​

ConsolidateAfter is the duration the controller will wait before attempting to terminate nodes that are underutilized. Refer to ConsolidationPolicy for how underutilization is considered.

consolidationPolicy string ​

ConsolidationPolicy describes which nodes Karpenter can disrupt through its consolidation algorithm. This policy defaults to "WhenEmptyOrUnderutilized" if not specified.

budgets object[] ​

Budgets is a list of Budgets. If there are multiple active budgets, Karpenter uses the most restrictive value. If left undefined, this will default to one budget with a value of 10%.

nodes string ​

Nodes dictates the maximum number of NodeClaims owned by this NodePool that can be terminating at once. This is calculated by counting nodes that have a deletion timestamp set, or are actively being deleted by Karpenter. This field is required when specifying a budget.

schedule string ​

Schedule specifies when a budget begins being active, following the upstream cronjob syntax. If omitted, the budget is always active. Timezones are not supported.

duration string ​

Duration determines how long a Budget is active since each Schedule hit. Only minutes and hours are accepted, as cron does not work in seconds. If omitted, the budget is always active. This is required if Schedule is set.

terminationGracePeriod string ​

TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.

Warning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.

This field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period. When set, drifted nodes will begin draining even if there are pods blocking eviction. Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.

Karpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod. If a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout, that pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.

The feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks. Defaults to 30s. Set to Never to wait indefinitely for pods to be drained.

expireAfter string ​

The amount of time a Node can live on the cluster before being removed.

weight integer ​

Weight is the weight of this node pool.

vpn object ​

VPN holds configuration for the private nodes vpn. This can be used to connect the private nodes to the control plane or connect the private nodes to each other if they are not running in the same network. Platform connection is required for the vpn to work.

enabled boolean false ​

Enabled defines if the private nodes vpn should be enabled.

nodeToNode object ​

NodeToNode holds configuration for the node to node vpn. This can be used to connect the private nodes to each other if they are not running in the same network.

enabled boolean false ​

Enabled defines if the node to node vpn should be enabled.

daemon object ​

Daemon holds configuration for the private nodes daemon that is deployed on the nodes.

enabled boolean false ​

Enabled defines if the private nodes daemon should be enabled.

controlPlaneLoadBalancer object ​

ControlPlaneLoadBalancer holds configuration for the control plane load balancer. This is used to load balance the control plane traffic on the node to the control plane nodes. This is useful to achieve true high availability for the control plane without having to deploy a separate load balancer.

enabled boolean false ​

Enabled defines if the control plane load balancer should be enabled. The control plane load balancer is used to load balance the control plane traffic on the node to the control plane nodes.

kubeProxy boolean true ​

KubeProxy defines if the kube proxy should be proxied through the control plane load balancer as well.

port integer 11343 ​

Port defines the port for the control plane load balancer.

exportKubeConfig object ​

ExportKubeConfig describes how vCluster should export the vCluster kubeConfig file.

context string ​

Context is the name of the context within the generated kubeconfig to use.

server string ​

Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.

insecure boolean false ​

Insecure defines if TLS verification should be skipped for the server.

serviceAccount object ​

ServiceAccount can be used to generate a service account token instead of the default certificates.

name string ​

Name of the service account to be used to generate a service account token instead of the default certificates.

namespace string ​

Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, will use the kube-system namespace.

clusterRole string ​

ClusterRole to assign to the service account.

secret object ​

Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig. If this is not defined, vCluster will create it with vc-NAME. If you specify another name, vCluster creates the config in this other secret.

Deprecated: Use AdditionalSecrets instead.

name string ​

Name is the name of the secret where the kubeconfig should get stored.

namespace string ​

Namespace where vCluster should store the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.

additionalSecrets object[] ​

AdditionalSecrets specifies the additional host cluster secrets in which vCluster will store the generated virtual cluster kubeconfigs.

context string ​

Context is the name of the context within the generated kubeconfig to use.

server string ​

Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.

insecure boolean ​

Insecure defines if TLS verification should be skipped for the server.

serviceAccount object ​

ServiceAccount can be used to generate a service account token instead of the default certificates.

name string ​

Name of the service account to be used to generate a service account token instead of the default certificates.

namespace string ​

Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, will use the kube-system namespace.

clusterRole string ​

ClusterRole to assign to the service account.

name string ​

Name is the name of the secret where the kubeconfig is stored.

namespace string ​

Namespace where vCluster stores the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
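The exportKubeConfig options above, as an added example that is not from the vCluster documentation: a second kubeconfig for a CI system is written to a Secret in its own namespace and authenticates with a service account token bound to a restricted ClusterRole instead of the default client certificates. The names, hostname and namespace are constructed placeholders.

```yaml
# Added example (not part of the vCluster docs). The default secret
# (vc-NAME in the vCluster namespace) still holds the certificate-based
# admin kubeconfig; the additional secret carries a reduced-privilege one.
# my-vcluster, ci-system, ci-reader and the hostname are placeholders.
exportKubeConfig:
  context: my-vcluster
  # Replace the default https://localhost:8443 with the reachable endpoint.
  server: https://vcluster.internal.example:443
  # Keep TLS verification on for every exported kubeconfig.
  insecure: false
  additionalSecrets:
    - name: vc-my-vcluster-ci
      # vCluster must be granted access to this namespace, since it differs
      # from the namespace the vCluster itself is deployed in.
      namespace: ci-system
      context: my-vcluster-ci
      server: https://vcluster.internal.example:443
      insecure: false
      serviceAccount:
        # Service account token instead of the default certificates.
        name: ci-reader
        # Omitting namespace would also select kube-system.
        namespace: kube-system
        # Kubernetes' built-in read-only aggregate ClusterRole.
        clusterRole: view
```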

sync object ​

Sync describes how to sync resources from the virtual cluster to host cluster and back.

toHost object ​

Configure resources to sync from the virtual cluster to the host cluster.

pods object ​

Pods defines if pods created within the virtual cluster should get synced to the host cluster.

enabled boolean true ​

Enabled defines if pod syncing should be enabled.

translateImage object {} ​

TranslateImage maps an image to another image that should be used instead. For example, this can be used to rewrite a certain image that is used within the virtual cluster to another image on the host cluster.

enforceTolerations string[] [] ​

EnforceTolerations will add the specified tolerations to all pods synced by the virtual cluster.

useSecretsForSATokens boolean false ​

UseSecretsForSATokens will use secrets to store the service account tokens generated by the virtual cluster instead of a pod annotation.

runtimeClassName string ​

RuntimeClassName is the runtime class to set for synced pods.

priorityClassName string ​

PriorityClassName is the priority class to set for synced pods.

rewriteHosts object ​

RewriteHosts is a special option needed to rewrite StatefulSet containers to allow the correct FQDN. The virtual cluster adds a small init container to each StatefulSet pod that rewrites the /etc/hosts file to match the FQDN expected by the virtual cluster.

enabled boolean true ​

Enabled specifies if rewriting stateful set pods should be enabled.

initContainer object ​

InitContainer holds extra options for the init container used by vCluster to rewrite the FQDN for stateful set pods.

image object ​

Image is the image virtual cluster should use to rewrite this FQDN.

registry string mirror.gcr.io ​

Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.

repository string library/alpine ​

Repository is the repository of the container image, e.g. my-repo/my-image.

tag string 3.20 ​

Tag is the tag of the container image, and is the default version.

resources object ​

Resources are the resources that should be assigned to the init container for each stateful set init container.

limits object {cpu: 30m, memory: 64Mi} ​

Limits are resource limits for the container.

requests object {cpu: 30m, memory: 64Mi} ​

Requests are minimal resources that will be consumed by the container.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with other names, in multi-namespace mode this will not translate the name.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a labels selector.

hybridScheduling object ​

HybridScheduling is used to enable and configure hybrid scheduling for pods in the virtual cluster.

enabled boolean false ​

Enabled specifies if hybrid scheduling is enabled.

hostSchedulers string[] [] ​

HostSchedulers is a list of schedulers that are deployed on the host cluster.
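The sync.toHost.pods options above, as an added example that is not from the vCluster documentation: synced pods are rewritten to an internal registry, forced onto a dedicated tainted node pool and given a host-side RuntimeClass. The image names, toleration, runtime class and priority class are constructed placeholders that must exist on the host cluster.

```yaml
# Added example (not part of the vCluster docs). All names below are
# placeholders: the RuntimeClass, PriorityClass and the taint key/value
# must already exist on the host cluster.
sync:
  toHost:
    pods:
      enabled: true
      # Rewrite the image as the pod is synced, so the host pulls the
      # mapped image from the internal registry instead of Docker Hub.
      translateImage:
        "docker.io/library/nginx:1.27": "registry.internal.example:5000/library/nginx:1.27"
      # Added to every synced pod, so pods can land on host nodes tainted
      # with tenant=team-a:NoSchedule and nowhere else tolerated by default.
      enforceTolerations:
        - "tenant=team-a:NoSchedule"
      # Keep generated SA tokens in host Secrets (RBAC-scoped) rather than
      # in a pod annotation readable by anyone who can get the pod.
      useSecretsForSATokens: true
      # Host RuntimeClass (e.g. a gVisor or Kata handler) for all synced pods.
      runtimeClassName: sandboxed
      priorityClassName: tenant-workloads
      rewriteHosts:
        enabled: true
        initContainer:
          # Pin the /etc/hosts rewrite image to the internal registry too.
          image:
            registry: registry.internal.example:5000
            repository: library/alpine
            tag: "3.20"
          resources:
            limits: {cpu: 30m, memory: 64Mi}
            requests: {cpu: 30m, memory: 64Mi}
```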

secrets object ​

Secrets defines if secrets created within the virtual cluster should get synced to the host cluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

all boolean false ​

All defines if all resources of that type should get synced or only the ones that are needed.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.
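The patch fields described above (path, expression, reverseExpression, reference with its kindPath and namePath, and labels), shown together in a vcluster.yaml fragment. This is an added example, not a snippet from the vCluster documentation or chart. It assumes vCluster's JSONPath-style path syntax with `[*]` wildcards, that `value` is the variable bound to the current path value inside expression and reverseExpression, and that the `example.com/...` annotation keys are placeholders chosen for this example. The backendTLSPolicies entry is there only to illustrate kindPath and namePath on a structured reference; it makes no claim about whether vCluster already handles that field on its own.

```yaml
# Added example (not vCluster's own configuration). Assumed: JSONPath-style
# paths with [*] wildcards, `value` as the expression variable, and the
# example.com/* annotation keys as placeholders.
sync:
  toHost:
    secrets:
      enabled: true
      # Sync only the Secrets that synced workloads actually reference,
      # not every Secret a tenant creates.
      all: false
      patches:
        # 1. expression / reverseExpression: rewrite a plain string on the
        #    way to the host and undo it when the host object is read back.
        #    The reverse guards the case where the prefix is absent so a
        #    host-side edit does not get mangled.
        - path: metadata.annotations["example.com/owner"]
          expression: '"tenant-a/" + value'
          reverseExpression: 'value.startsWith("tenant-a/") ? value.slice("tenant-a/".length) : value'
        # 2. reference: the annotation names another Secret in the tenant
        #    cluster. In single-namespace mode vCluster rewrites it to the
        #    translated "vxxxxxxxxx" host name, so the reference keeps
        #    pointing at this tenant's own synced object. namespacePath is
        #    omitted, so the Secret's metadata.namespace is used.
        - path: metadata.annotations["example.com/ca-secret"]
          reference:
            apiVersion: v1
            kind: Secret
        # 3. labels: the annotation holds a label selector; vCluster
        #    translates the keys the same way it translates synced labels.
        - path: metadata.annotations["example.com/selector"]
          labels: {}
    backendTLSPolicies:
      enabled: true
      patches:
        # spec.targetRefs[*] entries are {group, kind, name} objects rather
        # than bare strings. kindPath and namePath tell the reference patch
        # where, relative to the matched element, the kind and name live;
        # kind/apiVersion are the fallback when kindPath is not found.
        - path: spec.targetRefs[*]
          reference:
            apiVersion: v1
            kind: Service
            kindPath: kind
            namePath: name
```

The reference patch is the one to reach for whenever a tenant object carries the name of another object: in single-namespace mode all tenants' Secrets share one host namespace under translated names, so an untranslated tenant-supplied name would simply not resolve to the object that tenant created. Pairing every expression with a reverseExpression keeps the tenant-side view stable when vCluster syncs the host object back; a one-way expression on a field that is synced in both directions is the usual source of values that keep re-prefixing themselves.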

configMaps object ​

ConfigMaps defines if config maps created within the virtual cluster should get synced to the host cluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

all boolean false ​

All defines if all resources of that type should get synced, or only those that are actually needed.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

ingresses object ​

Ingresses defines if ingresses created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

gatewayApi object ​

GatewayAPI defines Gateway API resources created within the tenant cluster that should get synced to the control plane cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

httpRoutes object ​

HTTPRoutes configures HTTPRoute sync to the control plane cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

gateways object ​

Gateways configures tenant-created Gateway sync to the control plane cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

tlsRoutes object ​

TLSRoutes configures TLSRoute sync to the control plane cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

backendTLSPolicies object ​

BackendTLSPolicies configures BackendTLSPolicy sync to the control plane cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

referenceGrants object ​

ReferenceGrants configures ReferenceGrant sync to the control plane cluster. Enabled may be "auto", "true", or "false".

enabled string|boolean auto ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

services object ​

Services defines if services created within the virtual cluster should get synced to the host cluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

endpoints object ​

Endpoints defines if endpoints created within the virtual cluster should get synced to the host cluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

endpointSlices object ​

EndpointSlices defines if endpointslices created within the virtual cluster should get synced to the host cluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

networkPolicies object ​

NetworkPolicies defines if network policies created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

persistentVolumeClaims object ​

PersistentVolumeClaims defines if persistent volume claims created within the virtual cluster should get synced to the host cluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

persistentVolumes object ​

PersistentVolumes defines if persistent volumes created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

volumeSnapshots object ​

VolumeSnapshots defines if volume snapshots created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

volumeSnapshotContents object ​

VolumeSnapshotContents defines if volume snapshot contents created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

storageClasses object ​

StorageClasses defines if storage classes created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to the "vxxxxxxxxx" form to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion of the referenced object. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If it is omitted or not found, the metadata.namespace of the object is used.

labels object ​

Labels treats the path value as a label selector.

serviceAccounts object ​

ServiceAccounts defines if service accounts created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

podDisruptionBudgets object ​

PodDisruptionBudgets defines if pod disruption budgets created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

priorityClasses object ​

PriorityClasses defines if priority classes created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

customResources {key: object} ​

CustomResources defines what custom resources should get synced from the virtual cluster to the host cluster. vCluster will copy the definition automatically from host cluster to virtual cluster on startup. vCluster will also automatically add any required RBAC permissions to the vCluster role for this to work.

enabled required boolean ​

Enabled defines if this option should be enabled.

scope string ​

Scope defines the scope of the resource. If undefined, will use Namespaced. Currently only Namespaced is supported.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.
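The customResources and reference patch options above, as an added example that is not part of the vCluster documentation or chart: it syncs cert-manager Certificate objects from the tenant cluster to the host and rewrites their issuer reference so the synced copy points at the translated host-side name. It assumes the map key takes the <plural>.<group> form and that namePath and kindPath are resolved relative to the value found at path; cert-manager is used only as a constructed illustration.

```yaml
# Added example, not the project's own configuration.
sync:
  toHost:
    customResources:
      # Assumed key form: <plural>.<group> of the custom resource to sync.
      certificates.cert-manager.io:
        enabled: true
        # Only Namespaced is supported at the moment (page text above).
        scope: Namespaced
        patches:
          # spec.issuerRef looks like {kind: Issuer|ClusterIssuer, name: ...}.
          # Treat it as a reference so vCluster rewrites the name to the
          # host-side translated name instead of leaving a dangling or
          # colliding reference in the host cluster.
          - path: spec.issuerRef
            reference:
              apiVersion: cert-manager.io/v1
              # Default kind when the object does not state one.
              kind: Issuer
              # Assumed: relative to the value at path, so this reads
              # spec.issuerRef.kind and falls back to "Issuer" if absent.
              kindPath: kind
              # Assumed: relative to the value at path (spec.issuerRef.name).
              namePath: name
```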

namespaces object ​

Namespaces defines if namespaces created within the virtual cluster should get synced to the host cluster.

enabled required boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

mappings object ​

Mappings between control plane and tenant namespaces and objects.

byName object ​

ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name. There are several wildcards supported:

  1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster: byName: "foo/": "foo-in-virtual/"
  2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
  3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name: byName: "foo/my-object": "foo/my-virtual-object"
  4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "": "my-virtual-namespace/*"
  5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "/my-object": "my-virtual-namespace/my-object"

mappingsOnly boolean false ​

MappingsOnly defines if creation of namespaces not matched by mappings should be allowed.

extraLabels object ​

ExtraLabels are additional labels to add to the namespace in the host cluster.

resourceClaims object ​

ResourceClaims defines if resource claims created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

resourceClaimTemplates object ​

ResourceClaimTemplates defines if resourceClaimTemplates created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

fromHost object ​

Configure what resources vCluster should sync from the host cluster to the virtual cluster.

nodes object ​

Nodes defines if nodes should get synced from the host cluster to the virtual cluster, but not back.

enabled boolean false ​

Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.

syncBackChanges boolean false ​

SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled, anyone within the virtual cluster is able to change the labels and taints of the host cluster node.

clearImageStatus boolean false ​

ClearImageStatus erases the image status when syncing a node. This hides from the virtual cluster which images the node has pulled.

selector object ​

Selector can be used to define more granularly which nodes should get synced from the host cluster to the virtual cluster.

all boolean false ​

All specifies if vCluster should sync all nodes from the host to the virtual cluster, or only the nodes that have pods assigned to them.

labels object {} ​

Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.
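The node sync options above, as an added example that is not part of the vCluster documentation or chart: a fromHost.nodes block that syncs real host nodes into the tenant cluster while keeping the tenant from writing labels and taints back to the host and hiding the images each node has pulled. The `pool: tenant-a` label is a constructed value.

```yaml
# Added example, not the project's own configuration.
sync:
  fromHost:
    nodes:
      # Sync real nodes instead of the fake nodes vCluster creates by default.
      enabled: true
      # Weak setting would be `syncBackChanges: true`: a tenant user could then
      # relabel or taint the real host node and influence scheduling for every
      # other tenant on it. Keep the default so node metadata flows host -> tenant only.
      syncBackChanges: false
      # Default is false; true strips status.images so the tenant cannot see
      # which images other workloads on the node have pulled.
      clearImageStatus: true
      selector:
        # Sync only nodes carrying this (constructed) label. The same labels
        # become the node selector on pods synced to the host, so tenant pods
        # stay on the node pool reserved for them.
        labels:
          pool: tenant-a
```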

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

events object ​

Events defines if events should get synced from the host cluster to the virtual cluster, but not back.

enabled boolean true ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

ingressClasses object ​

IngressClasses defines if ingress classes should get synced from the host cluster to the virtual cluster, but not back.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

selector object ​

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

gatewayClasses object ​

GatewayClasses defines if gateway classes should get synced from the control plane cluster to the tenant cluster, but not back.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

selector object ​

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

gateways object ​

Gateways defines if selected control plane Gateways should get synced from the control plane cluster to the tenant cluster, but not back.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

selector object ​

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

mappings object ​

Mappings define control plane Gateway namespace/name to tenant-facing namespace/name placement.

byName object {} ​

ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name. There are several wildcards supported:

  1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster: byName: "foo/": "foo-in-virtual/"
  2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
  3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name: byName: "foo/my-object": "foo/my-virtual-object"
  4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "": "my-virtual-namespace/*"
  5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "/my-object": "my-virtual-namespace/my-object"

allowedRoutes object ​

AllowedRoutes configures the tenant-facing allowedRoutes policy shown on imported Gateways and enforced for Routes.

defaultVirtualNamespacePolicy object ​
from string ​
selector object ​
matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
overrides object[] ​
hostNamespace string ​
name string ​
virtualNamespacePolicy object ​
from string ​
selector object ​
matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
allowedHostnames string[] ​
status object ​

Status configures how Gateway status is mirrored.

exposeAddresses boolean false ​
metadata object ​

Metadata configures imported Gateway metadata visibility.

exposeSourceGateway boolean false ​
sanitize object ​

Sanitize configures sensitive control plane field sanitization.

certificateRefs boolean true ​
infrastructure boolean true ​

runtimeClasses object ​

RuntimeClasses defines if runtime classes should get synced from the host cluster to the virtual cluster, but not back.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

selector object ​

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

priorityClasses object ​

PriorityClasses defines if priority classes should get synced from the host cluster to the virtual cluster, but not back.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

selector object ​

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

storageClasses object ​

StorageClasses defines if storage classes should get synced from the host cluster to the virtual cluster, but not back. If set to auto, this is enabled automatically when the virtual scheduler is enabled.

enabled string|boolean auto ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is the optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is the optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

selector object ​

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

csiNodes object ​

CSINodes defines if CSI nodes should get synced from the host cluster to the virtual cluster, but not back. If set to auto, this is automatically enabled when the virtual scheduler is enabled.

enabled string|boolean auto ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is an optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is an optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

csiDrivers object ​

CSIDrivers defines if CSI drivers should get synced from the host cluster to the virtual cluster, but not back. If set to auto, this is automatically enabled when the virtual scheduler is enabled.

enabled string|boolean auto ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is an optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is an optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

csiStorageCapacities object ​

CSIStorageCapacities defines if CSI storage capacities should get synced from the host cluster to the virtual cluster, but not back. If set to auto, this is automatically enabled when the virtual scheduler is enabled.

enabled string|boolean auto ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is an optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is an optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

customResources {key: object} ​

CustomResources defines what custom resources should get synced read-only to the virtual cluster from the host cluster. vCluster will automatically add any required RBAC to the vCluster cluster role.

enabled required boolean ​

Enabled defines if this option should be enabled.

scope required string ​

Scope defines the scope of the resource.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is an optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is an optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

mappings object ​

Mappings for namespaces and objects.

byName object ​

ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name. There are several wildcards supported:

  1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster: byName: "foo/": "foo-in-virtual/"
  2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
  3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name: byName: "foo/my-object": "foo/my-virtual-object"
  4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "": "my-virtual-namespace/*"
  5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "/my-object": "my-virtual-namespace/my-object"

volumeSnapshotClasses object ​

VolumeSnapshotClasses defines if volume snapshot classes created within the virtual cluster should get synced to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is an optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is an optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

configMaps object ​

ConfigMaps defines if config maps in the host should get synced to the virtual cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is an optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is an optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

mappings object ​

Mappings for namespaces and objects.

byName object {} ​

ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name. There are several wildcards supported:

  1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster: byName: "foo/": "foo-in-virtual/"
  2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
  3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name: byName: "foo/my-object": "foo/my-virtual-object"
  4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "": "my-virtual-namespace/*"
  5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "/my-object": "my-virtual-namespace/my-object"

secrets object ​

Secrets defines if secrets in the host should get synced to the virtual cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is an optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is an optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

mappings object ​

Mappings for namespaces and objects.

byName object {} ​

ByName is a map of control-plane-object-namespace/control-plane-object-name: tenant-object-namespace/tenant-object-name. There are several wildcards supported:

  1. To match all objects in a control plane namespace and sync them to a different namespace in the tenant cluster: byName: "foo/": "foo-in-virtual/"
  2. To match a specific object in the control plane namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
  3. To match a specific object in the control plane namespace and sync it to the same namespace with a different name: byName: "foo/my-object": "foo/my-virtual-object"
  4. To match all objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "": "my-virtual-namespace/*"
  5. To match specific objects in the vCluster namespace and sync them to a different namespace in the tenant cluster: byName: "/my-object": "my-virtual-namespace/my-object"
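The byName mapping format above is shared by the customResources, configMaps and secrets sections. As an added example that is not vCluster's own code, the Go resolver below applies the five documented wildcard forms to a host object and lists the namespace-wide entries a reviewer should look at before syncing Secrets. It assumes that an exact "ns/name" entry wins over a namespace-wide wildcard, that a trailing "/" and "/*" in the target both keep the host name, and that an empty target namespace keeps the host namespace.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Resolver models the sync.fromHost.<resource>.mappings.byName map described
// above for customResources, configMaps and secrets. Added example code, not
// vCluster's implementation; the precedence and shorthand rules are assumptions.
type Resolver struct {
	VClusterNamespace string            // host namespace the vCluster runs in
	ByName            map[string]string // "host-ns/host-name" -> "tenant-ns/tenant-name"
}

// splitRef splits "ns/name" into its parts. A key without "/" is treated as a
// bare namespace (assumption), so "" behaves like "/" and "foo" like "foo/".
func splitRef(ref string) (ns, name string) {
	i := strings.Index(ref, "/")
	if i < 0 {
		return ref, ""
	}
	return ref[:i], ref[i+1:]
}

// normalizeKey expands the empty namespace shorthand ("" or "/name") to the
// vCluster's own namespace, as in wildcard forms 4 and 5 above.
func (r Resolver) normalizeKey(key string) (ns, name string) {
	ns, name = splitRef(key)
	if ns == "" {
		ns = r.VClusterNamespace
	}
	return ns, name
}

// target applies a mapping value: a trailing "/" or "/*" keeps the host name,
// and an empty target namespace keeps the host namespace (assumption).
func target(ref, hostNS, hostName string) (ns, name string) {
	ns, name = splitRef(ref)
	if ns == "" {
		ns = hostNS
	}
	if name == "" || name == "*" {
		name = hostName
	}
	return ns, name
}

// Resolve returns the tenant namespace and name for a host object, and false
// when no entry matches (the object is not synced). An exact "ns/name" entry
// wins over a namespace-wide wildcard (assumption).
func (r Resolver) Resolve(hostNS, hostName string) (tenantNS, tenantName string, ok bool) {
	wildcard, haveWildcard := "", false
	for key, value := range r.ByName {
		ns, name := r.normalizeKey(key)
		if ns != hostNS {
			continue
		}
		switch name {
		case hostName:
			tenantNS, tenantName = target(value, hostNS, hostName)
			return tenantNS, tenantName, true
		case "", "*":
			wildcard, haveWildcard = value, true
		}
	}
	if !haveWildcard {
		return "", "", false
	}
	tenantNS, tenantName = target(wildcard, hostNS, hostName)
	return tenantNS, tenantName, true
}

// BroadEntries lists the namespace-wide wildcard keys. Worth reviewing for
// secrets: a wildcard on the vCluster namespace also syncs every Secret that
// lives next to the vCluster itself into the tenant cluster.
func (r Resolver) BroadEntries() []string {
	var keys []string
	for key := range r.ByName {
		if _, name := r.normalizeKey(key); name == "" || name == "*" {
			keys = append(keys, key)
		}
	}
	sort.Strings(keys)
	return keys
}

func main() {
	r := Resolver{VClusterNamespace: "vcluster-team-a", ByName: map[string]string{ // constructed sample
		"foo/": "foo-in-virtual/", "foo/my-object": "foo/my-virtual-object",
		"": "my-virtual-namespace/*", "/my-object": "my-virtual-namespace/my-object",
	}}
	ns, name, ok := r.Resolve("foo", "other")
	fmt.Println(ns, name, ok, r.BroadEntries())
}
```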

deviceClasses object ​

DeviceClasses defines if device classes in the host should get synced to the virtual cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

patches object[] ​

Patches patch the resource according to the provided specification.

path required string ​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression string ​

Expression transforms the value according to the given JavaScript expression.

reverseExpression string ​

ReverseExpression transforms the value according to the given JavaScript expression.

reference object ​

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode this translates the name to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

apiVersion required string ​

APIVersion is the apiVersion of the referenced object.

apiVersionPath string ​

APIVersionPath is an optional relative path used to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

kind required string ​

Kind is the kind of the referenced object.

kindPath string ​

KindPath is an optional relative path used to determine the kind. If KindPath is not found, it falls back to kind.

namePath string ​

NamePath is the optional relative path to the reference name within the object.

namespacePath string ​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals the metadata.namespace path of the object.

labels object ​

Labels treats the path value as a label selector.

selector object ​

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

integrations object ​

Integrations holds config for vCluster integrations with other operators or tools running on the host cluster.

metricsServer object ​

MetricsServer reuses the metrics server from the host cluster within the vCluster.

enabled boolean false ​

Enabled signals the metrics server integration should be enabled.

apiService object ​

APIService holds information about where to find the metrics-server service. Defaults to metrics-server/kube-system.

service object ​

Service is a reference to the service for the API server.

name string ​

Name is the name of the host service of the apiservice.

namespace string ​

Namespace is the namespace of the host service of the apiservice.

port integer ​

Port is the target port on the host service to connect to.

nodes boolean true ​

Nodes defines if the metrics-server nodes API should get proxied from the host to the virtual cluster.

pods boolean true ​

Pods defines if the metrics-server pods API should get proxied from the host to the virtual cluster.

kubeVirt object ​

KubeVirt reuses a host KubeVirt and makes certain CRDs from it available inside the vCluster.

enabled boolean false ​

Enabled signals if the integration should be enabled.

apiService object ​

APIService holds information about where to find the virt-api service. Defaults to virt-api/kubevirt.

service object ​

Service is a reference to the service for the API server.

name string ​

Name is the name of the host service of the apiservice.

namespace string ​

Namespace is the namespace of the host service of the apiservice.

port integer ​

Port is the target port on the host service to connect to.

webhook object ​

Webhook holds configuration for enabling the webhook within the vCluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

sync object ​

Sync holds configuration on what resources to sync.

dataVolumes object ​

Defines if DataVolumes should get synced.

enabled boolean false ​

Enabled defines if this option should be enabled.

virtualMachineInstanceMigrations object ​

Defines if VirtualMachineInstanceMigrations should get synced.

enabled boolean true ​

Enabled defines if this option should be enabled.

virtualMachineInstances object ​

Defines if VirtualMachineInstances should get synced.

enabled boolean true ​

Enabled defines if this option should be enabled.

virtualMachines object ​

Defines if VirtualMachines should get synced.

enabled boolean true ​

Enabled defines if this option should be enabled.

virtualMachineClones object ​

Defines if VirtualMachineClones should get synced.

enabled boolean true ​

Enabled defines if this option should be enabled.

virtualMachinePools object ​

Defines if VirtualMachinePools should get synced.

enabled boolean true ​

Enabled defines if this option should be enabled.

externalSecrets object ​

ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster.

  • ExternalSecrets will be synced from the virtual cluster to the host cluster.
  • SecretStores will be synced from the virtual cluster to the host cluster and then bi-directionally.
  • ClusterSecretStores will be synced from the host cluster to the virtual cluster.

enabled boolean false ​

Enabled defines whether the external secret integration is enabled or not.

version string ​

Version defines the version of the external secrets operator to use. If empty, the storage version will be used.

webhook object ​

Webhook defines whether the host webhooks are reused or not.

enabled boolean false ​

Enabled defines if this option should be enabled.

sync object ​

Sync defines the syncing behavior for the integration

toHost object ​

ToHost defines what resources are synced from the virtual cluster to the host

externalSecrets object ​

ExternalSecrets allows configuring whether only a subset of ExternalSecrets matching a label selector should get synced from the virtual cluster to the host cluster.

selector object ​
matchLabels object {} ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

stores object ​

Stores defines if secret stores should get synced from the virtual cluster to the host cluster and then bi-directionally.

selector object ​
matchLabels object {} ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

enabled boolean false ​

Enabled defines if this option should be enabled.

fromHost object ​

FromHost defines what resources are synced from the host cluster to the virtual cluster

clusterStores object ​

ClusterStores defines if cluster secrets stores should get synced from the host cluster to the virtual cluster.

selector object ​
matchLabels object {} ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​

enabled boolean false ​

Enabled defines if this option should be enabled.

certManager object ​

CertManager reuses a host cert-manager and makes its CRDs available inside the vCluster.

  • Certificates and Issuers will be synced from the virtual cluster to the host cluster.
  • ClusterIssuers will be synced from the host cluster to the virtual cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

sync object ​

Sync contains advanced configuration for syncing cert-manager resources.

toHost object ​
certificates object ​

Certificates defines if certificates should get synced from the virtual cluster to the host cluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

issuers object ​

Issuers defines if issuers should get synced from the virtual cluster to the host cluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

fromHost object ​
clusterIssuers object ​

ClusterIssuers defines if (and which) cluster issuers should get synced from the host cluster to the virtual cluster.

enabled boolean true ​

Enabled defines if this option should be enabled.

selector object ​

Selector defines what cluster issuers should be imported.

labels object {} ​

Labels defines what labels should be looked for.

istio object ​

Istio syncs DestinationRules, Gateways and VirtualServices from the virtual cluster to the host cluster.

enabled boolean false ​

Enabled defines if this option should be enabled.

sync object ​

toHost object ​
destinationRules object ​
enabled boolean true ​

Enabled defines if this option should be enabled.

gateways object ​
enabled boolean true ​

Enabled defines if this option should be enabled.

virtualServices object ​
enabled boolean true ​

Enabled defines if this option should be enabled.

netris object ​

Netris integration helps configure netris networking for vCluster.

enabled boolean ​

Enabled defines if the netris integration is enabled.

connector string ​

Connector specifies the netris connector name.

kubeVip object ​

KubeVip holds kube-vip configuration for netris.

serverCluster string ​

ServerCluster specifies the server cluster name.

bridge string ​

Bridge specifies the bridge interface name.

ipRange string ​

IPRange specifies the IP range for kube-vip.

argoCD object ​

ArgoCD integration helps configure ArgoCD for vCluster.

enabled boolean ​

Enabled defines if the Argo CD integration is enabled.

connector string ​

Connector specifies the Argo CD connector name.

networking object ​

Networking options related to the virtual cluster.

serviceCIDR string ​

ServiceCIDR holds the service CIDR for the virtual cluster. This should only be set if privateNodes.enabled is true or vCluster cannot detect the host service CIDR.

podCIDR string 10.244.0.0/16 ​

PodCIDR holds the pod CIDR for the virtual cluster. This should only be set if privateNodes.enabled is true.

replicateServices object ​

ReplicateServices allows replicating services from the host within the virtual cluster or the other way around.

toHost object[] ​

ToHost defines the services that should get synced from virtual cluster to the host cluster. If services are synced to a different namespace than the virtual cluster is in, additional permissions for the other namespace are required.

from string ​

From is the service that should get synced. Can be either in the form name or namespace/name.

to string ​

To is the target service that it should get synced to. Can be either in the form name or namespace/name.

fromHost object[] ​

FromHost defines the services that should get synced from the host to the virtual cluster.

from string ​

From is the service that should get synced. Can be either in the form name or namespace/name.

to string ​

To is the target service that it should get synced to. Can be either in the form name or namespace/name.

resolveDNS object[] ​

ResolveDNS allows defining extra DNS rules. This only works if the embedded CoreDNS is configured.

hostname string ​

Hostname is the hostname within the vCluster that should be resolved from.

service string ​

Service is the virtual cluster service that should be resolved from.

namespace string ​

Namespace is the virtual cluster namespace that should be resolved from.

target object ​

Target is the DNS target that should get mapped to.

hostname string ​

Hostname to use as a DNS target.

ip string ​

IP to use as a DNS target.

hostService string ​

HostService to target; the format is hostNamespace/hostService.

hostNamespace string ​

HostNamespace to target.

vClusterService string ​

VClusterService to target; the format is hostNamespace/vClusterName/vClusterNamespace/vClusterService.

advanced object ​

Advanced holds advanced network options.

clusterDomain string cluster.local ​

ClusterDomain is the Kubernetes cluster domain to use within the virtual cluster.

fallbackHostCluster boolean false ​

FallbackHostCluster allows DNS lookups to fall back to the host cluster. This is useful if you want to reach host services without any other modification. You will need to provide a namespace for the service, e.g. my-other-service.my-other-namespace.

proxyKubelets object ​

ProxyKubelets allows rewriting certain metrics and stats from the Kubelet to "fake" this for applications such as Prometheus or other node exporters.

byHostname boolean true ​

ByHostname adds a special vCluster hostname at which each node can be reached. This does not work for all applications; Prometheus, for example, requires a node IP.

byIP boolean true ​

ByIP creates a separate service in the host cluster for every node that points to the virtual cluster and is used to route traffic.

policies object ​

Policies to enforce for the virtual cluster deployment as well as within the virtual cluster.

networkPolicy object ​

NetworkPolicy specifies network policy options.

enabled boolean false ​

Enabled defines if the network policy should be deployed by vCluster.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

fallbackDns string 8.8.8.8 ​

FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.

controlPlane object ​

ControlPlane network policy rules.

ingress object[] ​

Ingress rules for the vCluster control plane.

ports object[] ​

ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

protocol string ​

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

port object ​

port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

endPort integer ​

endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.

from object[] ​

from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.

podSelector object ​

podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
namespaceSelector object ​

namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
ipBlock object ​

ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

cidr string ​

CIDR is the IP range, in CIDR notation, that this peer matches. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64".

except string[] ​

Except is a list of CIDRs to exclude from cidr. Entries that fall outside the cidr range are rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64".

egress object[] ​

Egress rules for the vCluster control plane.

ports object[] ​

ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

protocol string ​

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

port object ​

port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

endPort integer ​

endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.

to object[] ​

to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.

podSelector object ​

podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
namespaceSelector object ​

namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
ipBlock object ​

ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

cidr string ​

CIDR is the IP range, in CIDR notation, that this peer matches. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64".

except string[] ​

Except is a list of CIDRs to exclude from cidr. Entries that fall outside the cidr range are rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64".

workload object ​

Workload network policy rules.

publicEgress object ​

PublicEgress holds the public outgoing connections options for the vCluster workloads.

enabled boolean true ​

Enabled defines if the workload public egress should be enabled or disabled.

cidr string 0.0.0.0/0 ​

CIDR defines the allowed workload public egress destination. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64".

except string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16] ​

Except is a list of CIDRs to exclude from cidr. Entries that fall outside the cidr range are rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64".

ingress object[] ​

Ingress rules for the vCluster workloads.

ports object[] ​

ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

protocol string ​

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

port object ​

port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

endPort integer ​

endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.

from object[] ​

from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.

podSelector object ​

podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
namespaceSelector object ​

namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
ipBlock object ​

ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

cidr string ​

CIDR is the IP range, in CIDR notation, that this peer matches. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64".

except string[] ​

Except is a list of CIDRs to exclude from cidr. Entries that fall outside the cidr range are rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64".

egress object[] ​

Egress rules for the vCluster workloads.

ports object[] ​

ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

protocol string ​

protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

port object ​

port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

endPort integer ​

endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.

to object[] ​

to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.

podSelector object ​

podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
namespaceSelector object ​

namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector.

matchLabels object ​
matchExpressions object[] ​
key string ​
operator string ​
values string[] ​
ipBlock object ​

ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

cidr string ​

CIDR is the IP range, in CIDR notation, that this peer matches. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64".

except string[] ​

Except is a list of CIDRs to exclude from cidr. Entries that fall outside the cidr range are rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64".

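The fragment below is an added example, not taken from the vCluster documentation or chart, showing how the networkPolicy fields described above fit together in a vcluster.yaml: a control plane that only accepts traffic from a designated host namespace and only sends DNS and HTTPS, and workloads whose public egress excludes private and link-local ranges. The top-level `policies:` key is assumed from the standard vcluster.yaml layout, the control plane port 8443, the namespace and label names, and all IP ranges are constructed sample values, not values from this page.

```yaml
# Added example (not vCluster's own code). Assumes the networkPolicy block
# lives under the top-level `policies:` key of vcluster.yaml.
policies:
  networkPolicy:
    enabled: true
    controlPlane:
      ingress:
        # Only pods labelled app=ci-runner in the host namespace "ci"
        # (constructed names) may reach the control plane, and only on
        # the API port (8443 is an assumed value).
        - ports:
            - protocol: TCP
              port: 8443
          from:
            - namespaceSelector:
                matchLabels:
                  kubernetes.io/metadata.name: ci
              podSelector:
                matchLabels:
                  app: ci-runner
      egress:
        # DNS to any destination: an empty `to` matches all destinations.
        - ports:
            - protocol: UDP
              port: 53
            - protocol: TCP
              port: 53
        # HTTPS only to the (constructed) host service range.
        - ports:
            - protocol: TCP
              port: 443
          to:
            - ipBlock:
                cidr: 10.96.0.0/12
    workload:
      publicEgress:
        enabled: true
        cidr: 0.0.0.0/0
        # The defaults listed in the reference above, plus the link-local
        # range so tenant workloads cannot reach a cloud metadata endpoint.
        except:
          - 100.64.0.0/10
          - 127.0.0.0/8
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
          - 169.254.0.0/16
      ingress:
        # A port range (port..endPort) reachable from any pod in the
        # policy's own namespace: an empty podSelector selects all pods.
        - ports:
            - protocol: TCP
              port: 8080
              endPort: 8090
          from:
            - podSelector: {}
```

Because `from` and `to` items are ORed, the single namespaceSelector-plus-podSelector entry above is one peer (both selectors must match); listing them as two separate items would allow either. The `except` list only narrows `cidr`, so every entry must fall inside it.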
podSecurityStandard string ​

PodSecurityStandard is the Pod Security Standard to enforce. It can be one of: empty (""), baseline, restricted or privileged.

resourceQuota object ​

ResourceQuota specifies resource quota options.

enabled string|boolean auto ​

Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled, the resourceQuota will be enabled as well.

quota object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0] ​

Quota is the map of resource names to hard limits for the ResourceQuota.

scopeSelector object map[matchExpressions:[]] ​

ScopeSelector is the resource quota scope selector.

scopes string[] [] ​

Scopes are the resource quota scopes.

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

limitRange object ​

LimitRange specifies limit range options.

enabled string|boolean auto ​

Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled, the limitRange will be enabled as well.

default object map[cpu:1 ephemeral-storage:8Gi memory:512Mi] ​

Default are the default limits for the limit range

defaultRequest object map[cpu:100m ephemeral-storage:3Gi memory:128Mi] ​

DefaultRequest are the default request options for the limit range

max object {} ​

Max are the max limits for the limit range

min object {} ​

Min are the min limits for the limit range

annotations object {} ​

Annotations are extra annotations for this resource.

labels object {} ​

Labels are extra labels for this resource.

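An added example, not from the vCluster documentation, that combines the three policy settings above into one vcluster.yaml fragment: a restricted Pod Security Standard, an explicitly enabled ResourceQuota that tightens the defaults and removes NodePort and LoadBalancer services, and a LimitRange left on `auto` so it follows the quota. The `policies:` parent key is assumed from the standard layout; the quota values and the `team` label are constructed.

```yaml
# Added example (not vCluster's own code). `policies:` is the assumed parent key.
policies:
  podSecurityStandard: restricted
  resourceQuota:
    enabled: true
    # Hard limits, keyed by resource name (constructed values).
    quota:
      count/pods: 50
      count/secrets: 100
      requests.cpu: "8"
      requests.memory: 16Gi
      limits.cpu: "16"
      limits.memory: 32Gi
      # Deny both external exposure mechanisms for this tenant.
      services.loadbalancers: 0
      services.nodeports: 0
    scopeSelector:
      matchExpressions: []
    scopes: []
    labels:
      team: platform
  limitRange:
    # "auto": enabled because resourceQuota is enabled (see the reference above).
    enabled: auto
    default:
      cpu: 500m
      memory: 256Mi
    defaultRequest:
      cpu: 50m
      memory: 64Mi
    max:
      cpu: "4"
      memory: 8Gi
```

Without the LimitRange, a pod that declares no requests would be rejected once the quota is enabled, since a ResourceQuota on `requests.*` requires every pod to specify them; the `default` and `defaultRequest` values are what make unannotated pods admissible.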
centralAdmission object ​

CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.

validatingWebhooks object[] ​

ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster

kind string ​

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to.

apiVersion string ​

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.

metadata object ​

Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

name string ​

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition.

labels object ​

Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.

annotations object ​

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.

webhooks object[] ​

Webhooks is a list of webhooks and the affected resources and operations.

name string ​

The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.

clientConfig object ​

ClientConfig defines how to communicate with the hook.

url string ​

URL gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.

service object ​

Service is a reference to the service for this webhook. Either service or url must be specified.

If the webhook is running within the cluster, then you should use service.

namespace string ​

Namespace is the namespace of the service.

name string ​

Name is the name of the service.

path string ​

Path is an optional URL path which will be sent in any request to this service.

port integer ​

If specified, the port on the service that hosts the webhook. Defaults to 443 for backward compatibility. port should be a valid port number (1-65535, inclusive).

caBundle string ​

CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.

rules object[] ​

Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.

failurePolicy string ​

FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.

matchPolicy string ​

matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

namespaceSelector object ​

NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.

objectSelector object ​

ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector.

sideEffects string ​

SideEffects states whether this webhook has side effects.

timeoutSeconds integer ​

TimeoutSeconds specifies the timeout for this webhook.

admissionReviewVersions string[] ​

AdmissionReviewVersions is an ordered list of preferred AdmissionReview versions the Webhook expects.

matchConditions object[] ​

MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

mutatingWebhooks object[] ​

MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster

kind string ​

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to.

apiVersion string ​

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.

metadata object ​

Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

name string ​

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition.

labels object ​

Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.

annotations object ​

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.

webhooks object[] ​

Webhooks is a list of webhooks and the affected resources and operations.

reinvocationPolicy string ​

reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".

name string ​

The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.

clientConfig object ​

ClientConfig defines how to communicate with the hook.

url string ​

URL gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.

service object ​

Service is a reference to the service for this webhook. Either service or url must be specified.

If the webhook is running within the cluster, then you should use service.

namespace string ​

Namespace is the namespace of the service.

name string ​

Name is the name of the service.

path string ​

Path is an optional URL path which will be sent in any request to this service.

port integer ​

If specified, the port on the service that hosts the webhook. Defaults to 443 for backward compatibility. port should be a valid port number (1-65535, inclusive).

caBundle string ​

CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.

rules object[] ​

Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.

failurePolicy string ​

FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.

matchPolicy string ​

matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

namespaceSelector object ​

NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.

objectSelector object ​

ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector.

sideEffects string ​

SideEffects states whether this webhook has side effects.

timeoutSeconds integer ​

TimeoutSeconds specifies the timeout for this webhook.

admissionReviewVersions string[] ​

AdmissionReviewVersions is an ordered list of preferred AdmissionReview versions the Webhook expects.

matchConditions object[] ​

MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

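The following is an added example, not taken from the vCluster documentation, of a validatingWebhooks entry under centralAdmission. It shows the fields above in a fail-closed configuration (`failurePolicy: Fail`) that applies to pod and deployment writes outside kube-system and skips requests from the kubelet. The `policies:` parent key is assumed; the webhook name, service reference, namespace and the CA bundle placeholder are constructed, and the page does not say whether the referenced service is resolved in the host or the virtual cluster, so treat that as deployment-specific.

```yaml
# Added example (not vCluster's own code). `policies:` is the assumed parent key.
policies:
  centralAdmission:
    validatingWebhooks:
      - kind: ValidatingWebhookConfiguration
        apiVersion: admissionregistration.k8s.io/v1
        metadata:
          name: image-policy            # constructed
        webhooks:
          # Fully qualified name, as the reference above requires.
          - name: imagepolicy.example.com   # constructed
            clientConfig:
              service:
                namespace: admission      # constructed
                name: image-policy        # constructed
                path: /validate
                port: 443
              # PEM CA bundle, base64-encoded; placeholder only.
              caBundle: "PLACEHOLDER_BASE64_PEM_CA_BUNDLE"
            rules:
              - apiGroups: ["", "apps"]
                apiVersions: ["v1"]
                resources: ["pods", "deployments"]
                operations: ["CREATE", "UPDATE"]
                scope: Namespaced
            # Fail closed: an unreachable or erroring webhook rejects the request.
            failurePolicy: Fail
            matchPolicy: Equivalent
            sideEffects: None
            timeoutSeconds: 5
            admissionReviewVersions: ["v1"]
            namespaceSelector:
              matchExpressions:
                - key: kubernetes.io/metadata.name
                  operator: NotIn
                  values: ["kube-system"]
            matchConditions:
              - name: exclude-kubelet
                expression: '!("system:nodes" in request.userInfo.groups)'
```

Choosing `Fail` over `Ignore` is the setting that matters for enforcement: with `Ignore`, any outage of the webhook server silently admits everything it was meant to check. The `timeoutSeconds` value bounds how long a slow webhook can hold up every matching request in the tenant cluster.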
rbac object ​

RBAC options for the virtual cluster.

role object ​

Role holds virtual cluster role configuration

enabled boolean true ​

Enabled defines if the role should be enabled or disabled.

extraRules object[] [] ​

ExtraRules will add rules to the role.

overwriteRules object[] [] ​

OverwriteRules will overwrite the role rules completely.

clusterRole object ​

ClusterRole holds virtual cluster cluster role configuration

enabled string|boolean auto ​

Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.

extraRules object[] [] ​

ExtraRules will add rules to the cluster role.

overwriteRules object[] [] ​

OverwriteRules will overwrite the cluster role rules completely.

enableVolumeSnapshotRules object ​

EnableVolumeSnapshotRules enables all required volume snapshot rules in the Role and ClusterRole.

enabled string|boolean auto ​

Enabled defines if this option should be enabled.

sleep object ​

Sleep holds configuration for automatically putting the virtual cluster to sleep.

auto object ​

Auto holds automatic sleep configuration

afterInactivity string ​

AfterInactivity represents how long a vCluster can be idle before workloads are automatically put to sleep.

schedule string ​

Schedule represents a cron schedule for when to sleep workloads.

exclude object ​

Exclude holds configuration for labels that, if present, will prevent a workload from going to sleep.

selector object ​
labels object ​

Labels defines what labels should be looked for.

wakeup object ​

Wakeup holds configuration for waking the vCluster on a schedule.

schedule string ​

timezone string ​

Timezone specifies time zone used for scheduled sleep operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York".

plugins {key: object} ​

Define which vCluster plugins to load.

name string ​

Name is the name of the init-container and NOT the plugin name.

image string ​

Image is the container image that should be used for the plugin.

imagePullPolicy string ​

ImagePullPolicy is the pull policy to use for the container image.

config object ​

Config is the plugin config to use. This can be arbitrary config used for the plugin.

rbac object ​

RBAC holds additional RBAC configuration for the plugin.

role object ​

Role holds extra virtual cluster role permissions for the plugin.

extraRules object[] ​

ExtraRules are extra RBAC rules that will be added to the role.

verbs string[] ​

Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.

apiGroups string[] ​

APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.

resources string[] ​

Resources is a list of resources this rule applies to. '*' represents all resources.

resourceNames string[] ​

ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

nonResourceURLs string[] ​

NonResourceURLs is a set of partial URLs that a user should have access to. *s are allowed, but only as the full, final step in the path. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.

clusterRole object ​

ClusterRole holds extra virtual cluster cluster role permissions required for the plugin.

extraRules object[] ​

ExtraRules are extra RBAC rules that will be added to the cluster role.

verbs string[] ​

Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.

apiGroups string[] ​

APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.

resources string[] ​

Resources is a list of resources this rule applies to. '*' represents all resources.

resourceNames string[] ​

ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

nonResourceURLs string[] ​

NonResourceURLs is a set of partial URLs that a user should have access to. *s are allowed, but only as the full, final step in the path. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.

command string[] ​

Command is the command that should be used for the init container.

args string[] ​

Args are the arguments that should be used for the init container.

securityContext object ​

SecurityContext is the container security context used for the init container.

resources object ​

Resources are the container resources used for the init container.

volumeMounts object[] ​

VolumeMounts are extra volume mounts for the init container.

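An added example, not from the vCluster documentation or any plugin project, covering both the rbac section and the plugins section above. It grants the vCluster role one narrowly scoped extra rule, leaves the cluster role on `auto`, and declares a plugin whose own RBAC is limited to a single named secret and read-only CRD access, with a hardened init-container security context. The plugin key, image, secret name and config values are constructed; the PolicyRule field names (apiGroups, resources, resourceNames, verbs) are the ones listed in the reference above.

```yaml
# Added example (not vCluster's own code). Names and image are constructed.
rbac:
  role:
    enabled: true
    # Least privilege: read-only on one resource type, nothing more.
    extraRules:
      - apiGroups: [""]
        resources: ["configmaps"]
        verbs: ["get", "list", "watch"]
  clusterRole:
    # Let vCluster decide whether a cluster role is needed at all.
    enabled: auto
  enableVolumeSnapshotRules:
    enabled: auto

plugins:
  # The map key is the plugin name; `name` below is the init-container name.
  audit-plugin:
    name: audit-plugin-init
    image: registry.example.com/vcluster/audit-plugin:v0.1.0   # constructed
    imagePullPolicy: IfNotPresent
    # Arbitrary plugin configuration; the keys are constructed.
    config:
      logLevel: info
      sink: stdout
    rbac:
      role:
        extraRules:
          # Only this one secret, and only `get`: no list/watch of all secrets.
          - apiGroups: [""]
            resources: ["secrets"]
            resourceNames: ["audit-plugin-credentials"]
            verbs: ["get"]
      clusterRole:
        extraRules:
          - apiGroups: ["apiextensions.k8s.io"]
            resources: ["customresourcedefinitions"]
            verbs: ["get", "list", "watch"]
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 10m
        memory: 32Mi
```

The point of `resourceNames` is that a `get` on one named secret does not let the plugin enumerate secrets: `list` and `watch` cannot be restricted by resourceNames, so leaving them out is what keeps the grant narrow.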
experimental object ​

Experimental features for vCluster. Configuration here might change, so be careful with this.

deploy object ​

Deploy allows you to configure manifests and Helm charts to deploy within the host or virtual cluster.

host object ​

Host defines what manifests to deploy into the host cluster

manifests string ​

Manifests are raw Kubernetes manifests that should get applied within the host cluster.

manifestsTemplate string ​

ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the host cluster.

vcluster object ​

VCluster defines what manifests and charts to deploy into the vCluster

manifests string ​

Manifests are raw Kubernetes manifests that should get applied within the virtual cluster.

manifestsTemplate string ​

ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the virtual cluster.

helm object[] ​

Helm are Helm charts that should get deployed into the virtual cluster

chart object ​

Chart defines what chart should get deployed.

name string ​
repo string ​
insecure boolean ​
version string ​
username string ​
password string ​
release object ​

Release defines what release should get deployed.

name string ​

Name of the release.

namespace string ​

Namespace of the release.

values string ​

Values defines what values should get used.

timeout string ​

Timeout defines the timeout for Helm.

bundle string ​

Bundle allows you to supply a compressed Helm chart directly instead of referencing an online chart.

syncSettings object ​

SyncSettings are advanced settings for the syncer controller.

setOwner boolean true ​

SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.

hostMetricsBindAddress string ​

HostMetricsBindAddress is the bind address for the local manager.

virtualMetricsBindAddress string ​

VirtualMetricsBindAddress is the bind address for the virtual manager.

virtualClusterKubeConfig object ​

VirtualClusterKubeConfig allows you to override distro specifics and specify where vCluster will find the required certificates and vCluster config. Deprecated: Removed in 0.29.0.

kubeConfig string ​

KubeConfig is the virtual cluster kubeconfig path.

serverCAKey string ​

ServerCAKey is the server ca key path.

serverCACert string ​

ServerCACert is the server ca cert path.

clientCACert string ​

ClientCACert is the client ca cert path.

clientCAKey string ​

ClientCAKey is the client ca key path.

requestHeaderCACert string ​

RequestHeaderCACert is the request header ca cert path.

denyProxyRequests object[] ​

DenyProxyRequests denies certain requests in the vCluster proxy.

name string ​

The name of the check.

namespaces string[] ​

Namespaces describes a list of namespaces that will be affected by the check. An empty list means that all namespaces will be affected. In the case of cluster-scoped rules, only the Namespace resource is affected.

rules object[] ​

Rules describes on which verbs and on what resources/subresources the webhook is enforced. The webhook is enforced if it matches any Rule. The version of the request must match the rule version exactly. Equivalent matching is not supported.

apiGroups string[] ​

APIGroups is the API groups the resources belong to. '*' is all groups.

apiVersions string[] ​

APIVersions is the API versions the resources belong to. '*' is all versions.

resources string[] ​

Resources is a list of resources this rule applies to.

scope string ​

Scope specifies the scope of this rule.

operations string[] ​

Operations is the list of kube verbs associated with the request for API requests, not the HTTP verb. This includes things like list and watch. For non-resource requests, this is the lowercase HTTP verb. If '*' is present, the length of the slice must be one.

excludedUsers string[] ​

ExcludedUsers describe a list of users for which the checks will be skipped. Impersonation attempts on these users will still be subjected to the checks.

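An added example, not from the vCluster documentation, of a denyProxyRequests check built from the fields above. It blocks interactive access to pods (exec, attach, port-forward) in a production namespace at the vCluster proxy while exempting one break-glass service account. The `experimental:` parent key is the one this section sits under; the check name, namespace and user name are constructed.

```yaml
# Added example (not vCluster's own code). Names are constructed.
experimental:
  denyProxyRequests:
    - name: no-interactive-pod-access-in-prod
      # Empty list would apply the check to every namespace.
      namespaces: ["prod"]
      rules:
        - apiGroups: [""]
          apiVersions: ["v1"]
          # Subresources are matched as resource/subresource.
          resources: ["pods/exec", "pods/attach", "pods/portforward"]
          scope: Namespaced
          # The kube verb, not the HTTP verb: exec/attach/port-forward are `create`.
          operations: ["create"]
      # Skipped by the check; impersonation of this user is still checked.
      excludedUsers:
        - "system:serviceaccount:ops:break-glass"
```

Note that `apiVersions` must match the request exactly, per the reference above: a rule for `v1` does not cover other versions of the same group, so list each version that should be denied.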
proxy object ​

Proxy enables vCluster-to-vCluster proxying of resources.

customResources {key: object} ​

CustomResources is a map of resource keys (format: "kind.apiGroup/version") to proxy configuration.

enabled boolean ​

Enabled defines if this resource proxy should be enabled

targetVirtualCluster object ​

TargetVirtualCluster is the target virtual cluster for the custom resource proxy

name required string ​

Name is the name of the target virtual cluster.

project string ​

Project is the project of the target virtual cluster. If empty, defaults to the same project as the source vCluster.

accessResources string ​

AccessResources defines which resources should be accessible in the proxy.

docker object ​

Docker allows you to configure Docker related settings when deploying a vCluster using Docker.

image string ​

Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.

ports string[] ​

Ports defines extra port mappings to be added to the container.

volumes string[] ​

Volumes defines extra volumes to be added to the container.

env string[] ​

Env defines extra environment variables to be added to the container. Use key=value.

args string[] ​

Args defines extra arguments to be added to the docker run command of the container.

enabled boolean ​

Enabled defines if the vCluster was deployed using Docker. This is automatically set by vCluster and should not be set by the user.

network string ​

Network defines the network to use for the vCluster. If not specified, a network will be created for the vCluster.

nodes object[] ​

Nodes defines the nodes of the vCluster.

image string ​

Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.

ports string[] ​

Ports defines extra port mappings to be added to the container.

volumes string[] ​

Volumes defines extra volumes to be added to the container.

env string[] ​

Env defines extra environment variables to be added to the container. Use key=value.

args string[] ​

Args defines extra arguments to be added to the docker run command of the container.

name string ​

Name defines the name of the node. If not specified, a random name will be generated.

registryProxy object ​

Defines if Docker images should be pulled from the host Docker daemon. This prevents pulling images again and allows using purely local images. Only works if containerd image storage is used. For more information, see https://docs.docker.com/engine/storage/containerd

enabled boolean true ​

Enabled defines if this option should be enabled.

loadBalancer object ​

Defines if vCluster should configure load balancer services inside the vCluster. This might require sudo access on the host cluster for Docker Desktop or Rancher Desktop on macOS.

enabled boolean true ​

Enabled defines if this option should be enabled.

forwardPorts boolean true ​

ForwardPorts defines if the load balancer IPs should be made available locally via port forwarding. This is only done if necessary, for example on macOS when using Docker Desktop.

nodeMonitors object[] ​

NodeMonitors allows you to create a service monitor for each node.

name string ​

Name is the name of the monitor. It will be suffixed with the node name.

nodeSelector object ​

NodeSelector defines the node selector for the service monitor.

endpoints object[] ​

Endpoints is a list of endpoints to add to the service monitor. By default, vCluster will relabel the node and instance label to the node name.

path string ​

Path is the kubelet path of the endpoint. vCluster will prepend /api/v1/nodes/NODE_NAME to the path.

params object ​

Params allows you to configure extra parameters to add to the endpoint.

extraRelabelings object[] ​

ExtraRelabelings allows you to configure extra relabelings to add to the endpoint. By default, vCluster will relabel the node and instance label to the node name.

metricsRelabelings object[] ​

MetricsRelabelings allows you to configure extra metrics relabelings to add to the endpoint.

interval string ​

Interval is the interval at which to scrape the endpoint.

scrapeTimeout string ​

ScrapeTimeout is the timeout for the scrape of the endpoint.

spec object ​

Spec allows you to configure extra service monitor options that will be merged into the spec.

annotations object ​

Annotations are extra annotations for this resource.

labels object ​

Labels are extra labels for this resource.

platform object ​

Platform holds vCluster Platform specific configuration.

apiKey object ​

APIKey defines where to find the platform access key and host. By default, vCluster will search in the following locations in this precedence:

  • environment variable called LICENSE
  • secret specified under platform.apiKey.secretName
  • secret called "vcluster-platform-api-key" in the vCluster namespace

secretName string ​

SecretName is the name of the secret where the platform access key is stored. This defaults to vcluster-platform-api-key if undefined.

namespace string ​

Namespace defines the namespace where the access key secret should be retrieved from. If this is not equal to the namespace where the vCluster instance is deployed, you need to make sure vCluster has access to this other namespace.

createRBAC boolean ​

CreateRBAC will automatically create the necessary RBAC roles and role bindings to allow vCluster to read the secret specified in the above namespace, if specified. This defaults to true.

project string ​

Project specifies which platform project the vCluster should be imported to.

telemetry object ​

Configuration related to telemetry gathered about vCluster usage.

enabled boolean true ​

Enabled specifies that the telemetry for the vCluster control plane should be enabled.

instanceCreator string ​

machineID string ​

platformUserID string ​

platformInstanceID string ​

snapshots object ​

Snapshots holds configuration for automatic vCluster snapshots.

auto object ​

Auto holds automatic snapshot configuration.

schedule string ​

Schedule specifies, in Cron format (see https://en.wikipedia.org/wiki/Cron), the scheduled time at which a virtual cluster snapshot is taken.

timezone string ​

Timezone specifies time zone used for scheduled snapshot operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York".

retention object ​

Retention specifies how long snapshots are kept.

period integer ​

Period defines the number of days a snapshot is kept.

maxSnapshots integer ​

MaxSnapshots defines the maximum number of snapshots that can be taken.

storage object ​

Storage specifies where the snapshot is stored.

type string ​

Type specifies the storage service type used for the snapshot: S3, OCI or Container. See https://www.vcluster.com/docs/vcluster/manage/backup-restore#store-snapshots-in-s3-buckets

s3 object ​

S3 holds configuration for storing snapshots in an S3-compatible bucket.

url string ​

Url specifies the URL of the storage service.

credential object ​

Credential is the secret holding the S3 credentials. It should contain AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

secretName string ​

SecretName is the name of the secret holding the credential.

secretNamespace string ​

SecretNamespace is the namespace of the secret holding the credential.

oci object ​

OCI holds configuration for storing snapshots in OCI image registries.

repository string ​

Repository is the OCI repository in which the snapshot is stored.

credential object ​

Credential is the secret holding the OCI credentials.

secretName string ​

SecretName is the name of the secret holding the credential.

secretNamespace string ​

SecretNamespace is the namespace of the secret holding the credential.

username string ​

Username is the username used to authenticate with the OCI registry.

password string ​

Password is the password used to authenticate with the OCI registry.

container object ​

Container holds configuration for storing snapshots as local files inside a vCluster container.

path string ​

Path specifies the directory in which the snapshot is stored.

volume object ​

Volume specifies which volume needs to be mounted into the container to store the snapshot.

name string ​

Name is the name used to mount the volume.

path string ​

Path is the path of the volume mount.

azure object ​

Azure holds configuration for storing snapshots in Azure Blob Storage.

blobUrl string ​

BlobURL specifies the Azure Blob Storage URL in the format https://{account}.blob.core.windows.net/{container}/{path}.

credential object ​

Credential is the secret holding the Azure credentials. The secret should contain either AZURE_STORAGE_KEY (storage account access key), or AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_SUBSCRIPTION_ID and AZURE_RESOURCE_GROUP (service principal).

secretName string ​

SecretName is the name of the secret holding the credential.

secretNamespace string ​

SecretNamespace is the namespace of the secret holding the credential.

volumes object ​

Volumes specifies configuration for volume snapshots.

enabled boolean ​

Enabled specifies whether a snapshot should also include volumes.
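An automatic snapshot configuration that ties the schedule, retention and S3 storage options above together, added here as an example and not taken from the vCluster chart or docs. The parent key of `snapshots` is not shown, the lowercase spelling of the S3 type value, the bucket URL and the secret names are assumptions, and the credentials themselves live only in the referenced Secret:

```yaml
# Added example (not from the vCluster chart): nightly snapshots to an
# S3-compatible bucket, credentials read from a Secret, 14-day retention.
# Nest this fragment under the object in which this reference lists `snapshots`.
snapshots:
  auto:
    schedule: "0 2 * * *"          # Cron format: every day at 02:00
    timezone: "Europe/Berlin"      # IANA zone name; default is UTC
    retention:
      period: 14                   # keep each snapshot for 14 days
      maxSnapshots: 20             # and never more than 20 snapshots
    storage:
      type: s3                     # assumed spelling of the S3 storage type
      s3:
        url: "s3://example-bucket/vcluster/tenant-a"   # constructed URL
        credential:
          # Secret holding AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and
          # AWS_SESSION_TOKEN; no key material is inlined in vcluster.yaml.
          secretName: vcluster-snapshot-s3        # constructed name
          secretNamespace: vcluster-tenant-a      # constructed namespace
    volumes:
      enabled: true                # include volume data in each snapshot
```

If the secret lives in a namespace other than the vCluster's own, the control plane needs read access to it there, in the same way the platform.apiKey section above describes for the access key secret.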

deletion object ​

Deletion holds configuration for automatic vCluster deletion.

prevent boolean ​

Prevent prevents the vCluster from being deleted.

auto object ​

Auto holds automatic deletion configuration.

afterInactivity string ​

AfterInactivity specifies after how long of inactivity the virtual cluster will be deleted. Uses Go duration format (e.g., "720h" for 30 days).