Version: v0.26 Stable

vcluster.yaml configuration

The vcluster.yaml configuration file defines how your virtual cluster operates and integrates with the host cluster. Use the vcluster.yaml file to configure vCluster. It allows you to override default settings by specifying resource sync rules, networking behavior, storage options, and authentication methods.

If you're familiar with Helm, you can use vcluster.yaml in the same way as a values.yaml file. All vCluster deployment methods are based on Helm, which ensures consistent behavior across environments.

The configuration file controls resource synchronization between the host cluster and the virtual cluster, network access methods, storage persistence, authentication settings, and external service integrations. You can apply most configurations during deployment or upgrades, though some settings like the data store must be configured during initial deployment.

To explore configuration options, review the vCluster chart values file for default settings and available parameters. The vCluster Helm chart also includes a JSON schema for validating vcluster.yaml. For more information on configuration structure, see What is vcluster.yaml?.

Create a virtual cluster with a config file

Use vcluster.yaml to create and deploy a fully configured virtual cluster.

warning

Current vCluster versions use vcluster.yaml as the configuration format. vCluster 0.20.0 introduced the vcluster.yaml format, which replaces the older values.yaml file used in versions before 0.20.0. If you're upgrading from vCluster 0.19.x or earlier, use the conversion guide to automatically convert your existing values.yaml file to the new format.

Configure your vCluster installation in an optional vcluster.yaml configuration file:
note
The vcluster.yaml file is optional. You can deploy vCluster with default settings, use command-line flags like --expose and --isolate, or set values using the --set flag, similar to Helm.
Modify the following with your specific values to generate a copyable command:
CPU REQUEST
MEMORY REQUEST
CPU LIMIT
MEMORY LIMIT
INGRESS ENABLED
HOSTNAME
SYNC SERVICES
controlPlane: # Configure control plane resources resources: requests: cpu: 100m memory: 256Mi limits: cpu: 1000m memory: 1Gi # Expose API server (optional) ingress: enabled: true host: my-vcluster.example.com # Configure resource syncing (optional) sync: toHost: services: enabled: true
Then deploy your changes:
- vCluster CLI
- Helm
- Terraform
- Argo CD
- Cluster API
The vCluster CLI provides the most straightforward way to deploy and manage virtual clusters.
Install the vCluster CLI:
Homebrew
Mac (Intel/AMD)
Mac (Silicon/ARM)
Linux (AMD)
Linux (ARM)
Download Binary
Windows Powershell
brew install loft-sh/tap/vcluster-experimental
If you installed the CLI using brew install vcluster, you should brew uninstall vcluster and then install the experimental version. The binaries in the tap are signed using the Sigstore framework for enhanced security.

Confirm that you've installed the correct version of the vCluster CLI.

vcluster --version
Deploy vCluster:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
NAMESPACE
CONFIG FILE
vcluster create my-vcluster --namespace team-x --values vcluster.yaml
note
After installation, vCluster automatically switches your Kubernetes context to the new virtual cluster. You can now run kubectl commands against the virtual cluster.
Helm provides fine-grained control over the deployment process and integrates well with existing Helm-based workflows.
Deploy vCluster using the helm upgrade command:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
CONFIG FILE
NAMESPACE
helm upgrade --install my-vcluster vcluster \ --values vcluster.yaml \ --repo https://charts.loft.sh \ --namespace team-x \ --repository-config='' \ --create-namespace
You can use Terraform to deploy vCluster as code with version control and state management.
Create a main.tf file to define your vCluster deployment using the Terraform Helm provider:
provider "helm" { kubernetes { config_path = "~/.kube/config" } } resource "helm_release" "my_vcluster" { name = "my-vcluster" namespace = "team-x" create_namespace = true repository = "https://charts.loft.sh" chart = "vcluster" # If you didn't create a vcluster.yaml, remove the values section. values = [ file("${path.module}/vcluster.yaml") ] }
Install the required Helm provider and initialize Terraform:
terraform init
Generate a plan to preview the changes:
terraform plan

Review the plan output to verify connectivity and proposed changes.
Deploy vCluster:
terraform apply
ArgoCD deployment enables GitOps workflows for vCluster management, and provides automated deployment, drift detection, and declarative configuration management through Git repositories.
To deploy vCluster using ArgoCD, you need the following files:
- vcluster.yaml for your vCluster configuration options.
- <CLUSTER_NAME>-app.yaml for your ArgoCD Application definition. Replace <CLUSTER_NAME> with your actual cluster name.
Create the ArgoCD Application file <CLUSTER_NAME>-app.yaml, which references the vCluster Helm chart:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
NAMESPACE
apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: my-vcluster namespace: argocd spec: project: default source: chart: vcluster repoURL: https://charts.loft.sh helm: releaseName: my-vcluster valueFiles: - vcluster.yaml destination: server: https://kubernetes.default.svc namespace: team-x
Commit and push these files to your configured ArgoCD repository.
Sync your ArgoCD repository with your configured cluster:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
argocd app sync my-vcluster
Cluster API (CAPI) provides lifecycle management for Kubernetes clusters. The vCluster CAPI provider enables you to manage virtual clusters using the same declarative APIs and tooling used for physical clusters. For more details, see the Cluster API Provider for vCluster documentation.
Install the clusterctl CLI.
Install the vCluster provider:
clusterctl init --infrastructure vcluster:v0.2.0
Export environment variables for the Cluster API provider to create the manifest. The manifest is applied to your Kubernetes cluster, which deploys a vCluster.
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
NAMESPACE
CONFIG FILE
export CLUSTER_NAME=my-vcluster export CLUSTER_NAMESPACE=team-x export VCLUSTER_YAML=$(awk '{printf "%s\n", $0}' vcluster.yaml)
Create the namespace for the vCluster using the exported variable:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAMESPACE
kubectl create namespace team-x
Generate the required manifests and apply them using the exported variables:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
CLUSTER NAMESPACE
clusterctl generate cluster my-vcluster \ --infrastructure vcluster \ --target-namespace team-x \ | kubectl apply -f -
Kubernetes version
The Kubernetes version for the vCluster is not set at the CAPI provider command. Configure it in the vcluster.yaml file based on your Kubernetes distribution.
Wait for vCluster to become ready by monitoring the vCluster custom resource status:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAMESPACE
CLUSTER NAME
kubectl wait --for=condition=ready vcluster -n team-x my-vcluster --timeout=300s

Config reference

`exportKubeConfig` required object

ExportKubeConfig describes how vCluster should export the vCluster kubeConfig file.

`context` required string

Context is the name of the context within the generated kubeconfig to use.

`server` required string

Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.

`insecure` required boolean false

If tls should get skipped for the server

`serviceAccount` required object

ServiceAccount can be used to generate a service account token instead of the default certificates.

`name` required string

Name of the service account to be used to generate a service account token instead of the default certificates.

`namespace` required string

Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, will use the kube-system namespace.

`clusterRole` required string

ClusterRole to assign to the service account.

`secret` required object

Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig. If this is not defined, vCluster will create it with vc-NAME. If you specify another name, vCluster creates the config in this other secret.

Deprecated: Use AdditionalSecrets instead.

`name` required string

Name is the name of the secret where the kubeconfig should get stored.

`namespace` required string

Namespace where vCluster should store the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.

`additionalSecrets` required object[]

AdditionalSecrets specifies the additional host cluster secrets in which vCluster will store the generated virtual cluster kubeconfigs.

`context` required string

Context is the name of the context within the generated kubeconfig to use.

`server` required string

Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.

`insecure` required boolean

If tls should get skipped for the server

`serviceAccount` required object

ServiceAccount can be used to generate a service account token instead of the default certificates.

`name` required string

Name of the service account to be used to generate a service account token instead of the default certificates.

`namespace` required string

Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, will use the kube-system namespace.

`clusterRole` required string

ClusterRole to assign to the service account.

`name` required string

Name is the name of the secret where the kubeconfig is stored.

`namespace` required string

Namespace where vCluster stores the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.

`integrations` required object

Integrations holds config for vCluster integrations with other operators or tools running on the host cluster

`metricsServer` required object

MetricsServer reuses the metrics server from the host cluster within the vCluster.

`enabled` required boolean false

Enabled signals the metrics server integration should be enabled.

`apiService` required object

APIService holds information about where to find the metrics-server service. Defaults to metrics-server/kube-system.

`service` required object

Service is a reference to the service for the API server.

`name` required string

Name is the name of the host service of the apiservice.

`namespace` required string

Namespace is the name of the host service of the apiservice.

`port` required integer

Port is the target port on the host service to connect to.

`nodes` required boolean true

Nodes defines if metrics-server nodes api should get proxied from host to virtual cluster.

`pods` required boolean true

Pods defines if metrics-server pods api should get proxied from host to virtual cluster.

`kubeVirt` required object

KubeVirt reuses a host kubevirt and makes certain CRDs from it available inside the vCluster

`enabled` required boolean false

Enabled signals if the integration should be enabled

`apiService` required object

APIService holds information about where to find the virt-api service. Defaults to virt-api/kubevirt.

`service` required object

Service is a reference to the service for the API server.

`name` required string

Name is the name of the host service of the apiservice.

`namespace` required string

Namespace is the name of the host service of the apiservice.

`port` required integer

Port is the target port on the host service to connect to.

`webhook` required object

Webhook holds configuration for enabling the webhook within the vCluster

`enabled` required boolean true

Enabled defines if this option should be enabled.

`sync` required object

Sync holds configuration on what resources to sync

`dataVolumes` required object

If DataVolumes should get synced

`enabled` required boolean false

Enabled defines if this option should be enabled.

`virtualMachineInstanceMigrations` required object

If VirtualMachineInstanceMigrations should get synced

`enabled` required boolean true

Enabled defines if this option should be enabled.

`virtualMachineInstances` required object

If VirtualMachineInstances should get synced

`enabled` required boolean true

Enabled defines if this option should be enabled.

`virtualMachines` required object

If VirtualMachines should get synced

`enabled` required boolean true

Enabled defines if this option should be enabled.

`virtualMachineClones` required object

If VirtualMachineClones should get synced

`enabled` required boolean true

Enabled defines if this option should be enabled.

`virtualMachinePools` required object

If VirtualMachinePools should get synced

`enabled` required boolean true

Enabled defines if this option should be enabled.

`externalSecrets` required object

ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster.

ExternalSecrets will be synced from the virtual cluster to the host cluster.
SecretStores will be synced from the virtual cluster to the host cluster and then bi-directionally.
ClusterSecretStores will be synced from the host cluster to the virtual cluster.

`enabled` required boolean false

Enabled defines whether the external secret integration is enabled or not

`webhook` required object

Webhook defines whether the host webhooks are reused or not

`enabled` required boolean false

Enabled defines if this option should be enabled.

`sync` required object

Sync defines the syncing behavior for the integration

`externalSecrets` required object

ExternalSecrets defines if external secrets should get synced from the virtual cluster to the host cluster.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`stores` required object

Stores defines if secret stores should get synced from the virtual cluster to the host cluster and then bi-directionally.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`clusterStores` required object

ClusterStores defines if cluster secrets stores should get synced from the host cluster to the virtual cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`selector` required object

Selector defines what cluster stores should be synced

`labels` required object {}

Labels defines what labels should be looked for

`certManager` required object

CertManager reuses a host cert-manager and makes its CRDs from it available inside the vCluster.

Certificates and Issuers will be synced from the virtual cluster to the host cluster.
ClusterIssuers will be synced from the host cluster to the virtual cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`sync` required object

Sync contains advanced configuration for syncing cert-manager resources.

`toHost` required object

`certificates` required object

Certificates defines if certificates should get synced from the virtual cluster to the host cluster.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`issuers` required object

Issuers defines if issuers should get synced from the virtual cluster to the host cluster.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`fromHost` required object

`clusterIssuers` required object

ClusterIssuers defines if (and which) cluster issuers should get synced from the host cluster to the virtual cluster.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`selector` required object

Selector defines what cluster issuers should be imported.

`labels` required object {}

Labels defines what labels should be looked for

`istio` required object

Istio syncs DestinationRules, Gateways and VirtualServices from virtual cluster to the host.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`sync` required object

`toHost` required object

`destinationRules` required object

`enabled` required boolean true

Enabled defines if this option should be enabled.

`gateways` required object

`enabled` required boolean true

Enabled defines if this option should be enabled.

`virtualServices` required object

`enabled` required boolean true

Enabled defines if this option should be enabled.

`sync` required object

Sync describes how to sync resources from the virtual cluster to host cluster and back.

`toHost` required object

Configure resources to sync from the virtual cluster to the host cluster.

`pods` required object

Pods defines if pods created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean true

Enabled defines if pod syncing should be enabled.

`translateImage` required object {}

TranslateImage maps an image to another image that should be used instead. For example this can be used to rewrite a certain image that is used within the virtual cluster to be another image on the host cluster

`enforceTolerations` required string[] []

EnforceTolerations will add the specified tolerations to all pods synced by the virtual cluster.

`useSecretsForSATokens` required boolean false

UseSecretsForSATokens will use secrets to save the generated service account tokens by virtual cluster instead of using a pod annotation.

`runtimeClassName` required string

RuntimeClassName is the runtime class to set for synced pods.

`priorityClassName` required string

PriorityClassName is the priority class to set for synced pods.

`rewriteHosts` required object

RewriteHosts is a special option needed to rewrite statefulset containers to allow the correct FQDN. virtual cluster will add a small container to each stateful set pod that will initially rewrite the /etc/hosts file to match the FQDN expected by the virtual cluster.

`enabled` required boolean true

Enabled specifies if rewriting stateful set pods should be enabled.

`initContainer` required object

InitContainer holds extra options for the init container used by vCluster to rewrite the FQDN for stateful set pods.

`image` required string library/alpine:3.20

Image is the image virtual cluster should use to rewrite this FQDN.

`resources` required object

Resources are the resources that should be assigned to the init container for each stateful set init container.

`limits` required object map[cpu:30m memory:64Mi]

Limits are resource limits for the container

`requests` required object map[cpu:30m memory:64Mi]

Requests are minimal resources that will be consumed by the container

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with other names, in multi-namespace mode this will not translate the name.

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`hybridScheduling` required object

HybridScheduling is used to enable and configure hybrid scheduling for pods in the virtual cluster.

`enabled` required boolean false

Enabled specifies if hybrid scheduling is enabled.

`hostSchedulers` required string[] []

HostSchedulers is a list of schedulers that are deployed on the host cluster.

`secrets` required object

Secrets defines if secrets created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`all` required boolean false

All defines if all resources of that type should get synced or only the necessary ones that are needed.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`configMaps` required object

ConfigMaps defines if config maps created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`all` required boolean false

All defines if all resources of that type should get synced or only the necessary ones that are needed.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`ingresses` required object

Ingresses defines if ingresses created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`services` required object

Services defines if services created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`endpoints` required object

Endpoints defines if endpoints created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`networkPolicies` required object

NetworkPolicies defines if network policies created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`persistentVolumeClaims` required object

PersistentVolumeClaims defines if persistent volume claims created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`persistentVolumes` required object

PersistentVolumes defines if persistent volumes created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`volumeSnapshots` required object

VolumeSnapshots defines if volume snapshots created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`volumeSnapshotContents` required object

VolumeSnapshotContents defines if volume snapshot contents created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`storageClasses` required object

StorageClasses defines if storage classes created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`serviceAccounts` required object

ServiceAccounts defines if service accounts created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`podDisruptionBudgets` required object

PodDisruptionBudgets defines if pod disruption budgets created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`priorityClasses` required object

PriorityClasses defines if priority classes created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`customResources` required {key: object}

CustomResources defines what custom resources should get synced from the virtual cluster to the host cluster. vCluster will copy the definition automatically from host cluster to virtual cluster on startup. vCluster will also automatically add any required RBAC permissions to the vCluster role for this to work.

`enabled` required boolean

Enabled defines if this option should be enabled.

`scope` required string

Scope defines the scope of the resource. If undefined, will use Namespaced. Currently only Namespaced is supported.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`namespaces` required object

Namespaces defines if namespaces created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`mappings` required object

Mappings for Namespace and Object

`byName` required object

ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:

To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"

`mappingsOnly` required boolean false

MappingsOnly defines if creation of namespaces not matched by mappings should be allowed.

`extraLabels` required object

ExtraLabels are additional labels to add to the namespace in the host cluster.

`fromHost` required object

Configure what resources vCluster should sync from the host cluster to the virtual cluster.

`nodes` required object

Nodes defines if nodes should get synced from the host cluster to the virtual cluster, but not back.

`enabled` required boolean false

Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.

`syncBackChanges` required boolean false

SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled someone within the virtual cluster will be able to change the labels and taints of the host cluster node.

`clearImageStatus` required boolean false

ClearImageStatus will erase the image status when syncing a node. This allows to hide images that are pulled by the node.

`selector` required object

Selector can be used to define more granular what nodes should get synced from the host cluster to the virtual cluster.

`all` required boolean false

All specifies if all nodes should get synced by vCluster from the host to the virtual cluster or only the ones where pods are assigned to.

`labels` required object {}

Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`events` required object

Events defines if events should get synced from the host cluster to the virtual cluster, but not back.

`enabled` required boolean true

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`ingressClasses` required object

IngressClasses defines if ingress classes should get synced from the host cluster to the virtual cluster, but not back.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`selector` required object

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

`matchLabels` required object

`matchExpressions` required object[]

`key` required string

`operator` required string

`values` required string[]

`runtimeClasses` required object

RuntimeClasses defines if runtime classes should get synced from the host cluster to the virtual cluster, but not back.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`selector` required object

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

`matchLabels` required object

`matchExpressions` required object[]

`key` required string

`operator` required string

`values` required string[]

`priorityClasses` required object

PriorityClasses defines if priority classes classes should get synced from the host cluster to the virtual cluster, but not back.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`selector` required object

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

`matchLabels` required object

`matchExpressions` required object[]

`key` required string

`operator` required string

`values` required string[]

`storageClasses` required object

StorageClasses defines if storage classes should get synced from the host cluster to the virtual cluster, but not back. If auto, is automatically enabled when the virtual scheduler is enabled.

`enabled` required string|boolean auto

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`selector` required object

Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.

`matchLabels` required object

`matchExpressions` required object[]

`key` required string

`operator` required string

`values` required string[]

`csiNodes` required object

CSINodes defines if csi nodes should get synced from the host cluster to the virtual cluster, but not back. If auto, is automatically enabled when the virtual scheduler is enabled.

`enabled` required string|boolean auto

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`csiDrivers` required object

CSIDrivers defines if csi drivers should get synced from the host cluster to the virtual cluster, but not back. If auto, is automatically enabled when the virtual scheduler is enabled.

`enabled` required string|boolean auto

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`csiStorageCapacities` required object

CSIStorageCapacities defines if csi storage capacities should get synced from the host cluster to the virtual cluster, but not back. If auto, is automatically enabled when the virtual scheduler is enabled.

`enabled` required string|boolean auto

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`customResources` required {key: object}

CustomResources defines what custom resources should get synced read-only to the virtual cluster from the host cluster. vCluster will automatically add any required RBAC to the vCluster cluster role.

`enabled` required boolean

Enabled defines if this option should be enabled.

`scope` required string

Scope defines the scope of the resource

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`mappings` required object

Mappings for Namespace and Object

`byName` required object

ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:

To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"

`volumeSnapshotClasses` required object

VolumeSnapshotClasses defines if volume snapshot classes created within the virtual cluster should get synced to the host cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`configMaps` required object

ConfigMaps defines if config maps in the host should get synced to the virtual cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`mappings` required object

Mappings for Namespace and Object

`byName` required object {}

ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:

To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"

`secrets` required object

Secrets defines if secrets in the host should get synced to the virtual cluster.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`patches` required object[]

Patches patch the resource according to the provided specification.

`path` required string

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

`expression` required string

Expression transforms the value according to the given JavaScript expression.

`reverseExpression` required string

ReverseExpression transforms the value according to the given JavaScript expression.

`reference` required object

`apiVersion` required string

APIVersion is the apiVersion of the referenced object.

`apiVersionPath` required string

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

`kind` required string

Kind is the kind of the referenced object.

`kindPath` required string

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

`namePath` required string

NamePath is the optional relative path to the reference name within the object.

`namespacePath` required string

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

`labels` required object

Labels treats the path value as a labels selector.

`mappings` required object

Mappings for Namespace and Object

`byName` required object {}

ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:

To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"

`networking` required object

Networking options related to the virtual cluster.

`serviceCIDR` required string

ServiceCIDR holds the service cidr for the virtual cluster. This should only be set if privateNodes.enabled is true or vCluster cannot detect the host service cidr.

`podCIDR` required string 10.244.0.0/16

PodCIDR holds the pod cidr for the virtual cluster. This should only be set if privateNodes.enabled is true.

`replicateServices` required object

ReplicateServices allows replicating services from the host within the virtual cluster or the other way around.

`toHost` required object[]

ToHost defines the services that should get synced from virtual cluster to the host cluster. If services are synced to a different namespace than the virtual cluster is in, additional permissions for the other namespace are required.

`from` required string

From is the service that should get synced. Can be either in the form name or namespace/name.

`to` required string

To is the target service that it should get synced to. Can be either in the form name or namespace/name.

`fromHost` required object[]

FromHost defines the services that should get synced from the host to the virtual cluster.

`from` required string

From is the service that should get synced. Can be either in the form name or namespace/name.

`to` required string

To is the target service that it should get synced to. Can be either in the form name or namespace/name.

`resolveDNS` required object[]

ResolveDNS allows to define extra DNS rules. This only works if embedded coredns is configured.

`hostname` required string

Hostname is the hostname within the vCluster that should be resolved from.

`service` required string

Service is the virtual cluster service that should be resolved from.

`namespace` required string

Namespace is the virtual cluster namespace that should be resolved from.

`target` required object

Target is the DNS target that should get mapped to

`hostname` required string

Hostname to use as a DNS target

`ip` required string

IP to use as a DNS target

`hostService` required string

HostService to target, format is hostNamespace/hostService

`hostNamespace` required string

HostNamespace to target

`vClusterService` required string

VClusterService format is hostNamespace/vClusterName/vClusterNamespace/vClusterService

`advanced` required object

Advanced holds advanced network options.

`clusterDomain` required string cluster.local

ClusterDomain is the Kubernetes cluster domain to use within the virtual cluster.

`fallbackHostCluster` required boolean false

FallbackHostCluster allows to fallback dns to the host cluster. This is useful if you want to reach host services without any other modification. You will need to provide a namespace for the service, e.g. my-other-service.my-other-namespace

`proxyKubelets` required object

ProxyKubelets allows rewriting certain metrics and stats from the Kubelet to "fake" this for applications such as prometheus or other node exporters.

`byHostname` required boolean true

ByHostname will add a special vCluster hostname to the nodes where the node can be reached at. This doesn't work for all applications, e.g. Prometheus requires a node IP.

`byIP` required boolean true

ByIP will create a separate service in the host cluster for every node that will point to virtual cluster and will be used to route traffic.

`policies` required object

Policies to enforce for the virtual cluster deployment as well as within the virtual cluster.

`networkPolicy` required object

NetworkPolicy specifies network policy options.

`enabled` required boolean false

Enabled defines if the network policy should be deployed by vCluster.

`fallbackDns` required string 8.8.8.8

FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.

`outgoingConnections` required object

OutgoingConnections are the outgoing connections options for the vCluster workloads.

`ipBlock` required object

IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.

`cidr` required string 0.0.0.0/0

cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"

`except` required string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]

except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range

`platform` required boolean true

Platform enables egress access towards loft platform

`extraControlPlaneRules` required object[] []

ExtraControlPlaneRules are extra allowed rules for the vCluster control plane.

`extraWorkloadRules` required object[] []

ExtraWorkloadRules are extra allowed rules for the vCluster workloads.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`podSecurityStandard` required string

PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged

`resourceQuota` required object

ResourceQuota specifies resource quota options.

`enabled` required string|boolean auto

Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled, the resourceQuota will be enabled as well.

`quota` required object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0]

Quota are the quota options

`scopeSelector` required object map[matchExpressions:[]]

ScopeSelector is the resource quota scope selector

`scopes` required string[] []

Scopes are the resource quota scopes

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`limitRange` required object

LimitRange specifies limit range options.

`enabled` required string|boolean auto

Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled, the limitRange will be enabled as well.

`default` required object map[cpu:1 ephemeral-storage:8Gi memory:512Mi]

Default are the default limits for the limit range

`defaultRequest` required object map[cpu:100m ephemeral-storage:3Gi memory:128Mi]

DefaultRequest are the default request options for the limit range

`max` required object {}

Max are the max limits for the limit range

`min` required object {}

Min are the min limits for the limit range

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`centralAdmission` required object

CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.

`validatingWebhooks` required object[]

ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster

`kind` required string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to.

`apiVersion` required string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.

`metadata` required object

Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

`name` required string

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition.

`labels` required object

Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.

`annotations` required object

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.

`webhooks` required object[]

Webhooks is a list of webhooks and the affected resources and operations.

`name` required string

The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.

`clientConfig` required object

ClientConfig defines how to communicate with the hook.

`url` required string

URL gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.

`service` required object

Service is a reference to the service for this webhook. Either service or url must be specified.

If the webhook is running within the cluster, then you should use service.

`namespace` required string

Namespace is the namespace of the service.

`name` required string

Name is the name of the service.

`path` required string

Path is an optional URL path which will be sent in any request to this service.

`port` required integer

If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. port should be a valid port number (1-65535, inclusive).

`caBundle` required string

CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.

`rules` required object[]

Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.

`failurePolicy` required string

FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.

`matchPolicy` required string

matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

`namespaceSelector` required object

NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.

`objectSelector` required object

ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector.

`sideEffects` required string

SideEffects states whether this webhook has side effects.

`timeoutSeconds` required integer

TimeoutSeconds specifies the timeout for this webhook.

`admissionReviewVersions` required string[]

AdmissionReviewVersions is an ordered list of preferred AdmissionReview versions the Webhook expects.

`matchConditions` required object[]

MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

`mutatingWebhooks` required object[]

MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster

`kind` required string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to.

`apiVersion` required string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.

`metadata` required object

Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

`name` required string

`labels` required object

Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.

`annotations` required object

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.

`webhooks` required object[]

Webhooks is a list of webhooks and the affected resources and operations.

`reinvocationPolicy` required string

reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".

`name` required string

The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.

`clientConfig` required object

ClientConfig defines how to communicate with the hook.

`url` required string

URL gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.

`service` required object

Service is a reference to the service for this webhook. Either service or url must be specified.

If the webhook is running within the cluster, then you should use service.

`namespace` required string

Namespace is the namespace of the service.

`name` required string

Name is the name of the service.

`path` required string

Path is an optional URL path which will be sent in any request to this service.

`port` required integer

If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. port should be a valid port number (1-65535, inclusive).

`caBundle` required string

CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.

`rules` required object[]

Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.

`failurePolicy` required string

FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.

`matchPolicy` required string

matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

`namespaceSelector` required object

`objectSelector` required object

`sideEffects` required string

SideEffects states whether this webhook has side effects.

`timeoutSeconds` required integer

TimeoutSeconds specifies the timeout for this webhook.

`admissionReviewVersions` required string[]

AdmissionReviewVersions is an ordered list of preferred AdmissionReview versions the Webhook expects.

`matchConditions` required object[]

`controlPlane` required object

Configure vCluster's control plane components and deployment.

`endpoint` required string

Endpoint is the endpoint of the virtual cluster. This is used to connect to the virtual cluster.

`distro` required object

Distro holds virtual cluster related distro options. A distro cannot be changed after vCluster is deployed.

`k8s` required object

K8S holds K8s relevant configuration.

`enabled` required boolean false

Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.

`version` required string

[Deprecated] Version field is deprecated. Use controlPlane.distro.k8s.image.tag to specify the Kubernetes version instead.

`apiServer` required object

APIServer holds configuration specific to starting the api server.

`enabled` required boolean true

Enabled signals this container should be enabled.

`command` required string[] []

Command is the command to start the distro binary. This will override the existing command.

`extraArgs` required string[] []

ExtraArgs are additional arguments to pass to the distro binary.

`controllerManager` required object

ControllerManager holds configuration specific to starting the controller manager.

`enabled` required boolean true

Enabled signals this container should be enabled.

`command` required string[] []

Command is the command to start the distro binary. This will override the existing command.

`extraArgs` required string[] []

ExtraArgs are additional arguments to pass to the distro binary.

`scheduler` required object

Scheduler holds configuration specific to starting the scheduler. Enable this via controlPlane.advanced.virtualScheduler.enabled

`enabled` required boolean false

Enabled signals this container should be enabled.

`command` required string[] []

Command is the command to start the distro binary. This will override the existing command.

`extraArgs` required string[] []

ExtraArgs are additional arguments to pass to the distro binary.

`image` required object

Image is the distro image

`registry` required string ghcr.io

Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.

`repository` required string loft-sh/kubernetes

Repository is the repository of the container image, e.g. my-repo/my-image

`tag` required string v1.32.1

Tag is the tag of the container image, e.g. latest. If set to the default, it will use the host Kubernetes version.

`imagePullPolicy` required string

ImagePullPolicy is the pull policy for the distro image

`env` required object[] []

Env are extra environment variables to use for the main container and NOT the init container.

`resources` required object map[limits:map[cpu:100m memory:256Mi] requests:map[cpu:40m memory:64Mi]]

Resources for the distro init container

`securityContext` required object {}

Security options can be used for the distro init container

`k3s` required object

[Deprecated] K3S holds K3s relevant configuration.

`enabled` required boolean false

Enabled specifies if the K3s distro should be enabled. Only one distro can be enabled at the same time.

`token` required string

Token is the K3s token to use. If empty, vCluster will choose one.

`image` required object

Image is the distro image

`registry` required string

`repository` required string rancher/k3s

Repository is the repository of the container image, e.g. my-repo/my-image

`tag` required string v1.32.1-k3s1

Tag is the tag of the container image, e.g. latest. If set to the default, it will use the host Kubernetes version.

`imagePullPolicy` required string

ImagePullPolicy is the pull policy for the distro image

`env` required object[]

Env are extra environment variables to use for the main container and NOT the init container.

`resources` required object map[limits:map[cpu:100m memory:256Mi] requests:map[cpu:40m memory:64Mi]]

Resources for the distro init container

`securityContext` required object {}

Security options can be used for the distro init container

`command` required string[] []

Command is the command to start the distro binary. This will override the existing command.

`extraArgs` required string[] []

ExtraArgs are additional arguments to pass to the distro binary.

`standalone` required object

Standalone holds configuration for standalone mode. Standalone mode is set automatically when no container is detected and also implies privateNodes.enabled.

`enabled` required boolean

Enabled defines if standalone mode should be enabled.

`dataDir` required string /var/lib/vcluster

DataDir defines the data directory for the standalone mode.

`bundleRepository` required string https://github.com/loft-sh/kubernetes/releases/download

BundleRepository is the repository to use for downloading the Kubernetes bundle. Defaults to https://github.com/loft-sh/kubernetes/releases/download

`bundle` required string

Bundle is a path to a Kubernetes bundle to use for the standalone mode. If empty, will use the bundleRepository to download the bundle.

`joinNode` required object

JoinNode holds configuration for the standalone control plane node.

`enabled` required boolean true

Enabled defines if the standalone node should be joined into the cluster. If false, only the control plane binaries will be executed and no node will show up in the actual cluster.

`name` required string

Name defines the name of the standalone node. If empty the node will get the hostname as name.

`preJoinCommands` required string[]

PreJoinCommands are commands that will be executed before the join process starts.

`postJoinCommands` required string[]

PostJoinCommands are commands that will be executed after the join process starts.

`containerd` required object

Containerd holds configuration for the containerd join process.

`enabled` required boolean true

Enabled defines if containerd should be installed and configured by vCluster.

`registry` required object

Registry holds configuration for how containerd should be configured to use a registries.

`configPath` required string

ConfigPath is the path to the containerd registry config.

`mirrors` required {key: object}

Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.

`server` required string

Server is the fallback server to use for the containerd registry mirror. E.g. https://registry-1.docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.

`caCert` required string[]

CACert are paths to CA certificates to use for the containerd registry mirror.

`skipVerify` required boolean

SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.

`capabilities` required string[]

Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.

`hosts` required object[]

Hosts holds configuration for the containerd registry mirror hosts. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.

`server` required string

Server is the server to use for the containerd registry mirror host. E.g. http://192.168.31.250:5000.

`caCert` required string[]

CACert are paths to CA certificates to use for the containerd registry mirror host.

`skipVerify` required boolean

SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.

`capabilities` required string[]

Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.

`importImages` required string[]

ImportImages is a list of images to import into the containerd registry from local files. If the path is a folder, all files that end with .tar or .tar.gz in the folder will be imported.

`pauseImage` required string

PauseImage is the image for the pause container.

`caCertPath` required string

CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".

`skipPhases` required string[]

SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.

`nodeRegistration` required object

NodeRegistration holds configuration for the node registration similar to the kubeadm node registration.

`criSocket` required string

CRI socket is the socket for the CRI.

`kubeletExtraArgs` required object[]

KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. An argument name in this list is the flag name as it appears on the command line except without leading dash(es). Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.

`name` required string

Name is the name of the argument.

`value` required string

Value is the value of the argument.

`taints` required object[]

Taints are additional taints to set for the kubelet.

`key` required string

Required. The taint key to be applied to a node.

`value` required string

The taint value corresponding to the taint key.

`effect` required string

Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.

`ignorePreflightErrors` required string[]

IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.

`imagePullPolicy` required string

ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.

`backingStore` required object

BackingStore defines which backing store to use for virtual cluster. If not defined will use embedded database as a default backing store.

`etcd` required object

Etcd defines that etcd should be used as the backend for the virtual cluster

`embedded` required object

Embedded defines to use embedded etcd as a storage backend for the virtual cluster

`enabled` required boolean false

Enabled defines if the embedded etcd should be used.

`migrateFromDeployedEtcd` required boolean false

MigrateFromDeployedEtcd signals that vCluster should migrate from the deployed external etcd to embedded etcd.

`snapshotCount` required integer

SnapshotCount defines the number of snapshots to keep for the embedded etcd. Defaults to 10000 if less than 1.

`extraArgs` required string[] []

ExtraArgs are additional arguments to pass to the embedded etcd.

`deploy` required object

Deploy defines to use an external etcd that is deployed by the helm chart

`enabled` required boolean false

Enabled defines that an external etcd should be deployed.

`statefulSet` required object

StatefulSet holds options for the external etcd statefulSet.

`enabled` required boolean true

Enabled defines if the statefulSet should be deployed

`enableServiceLinks` required boolean true

EnableServiceLinks for the StatefulSet pod

`image` required object

Image is the image to use for the external etcd statefulSet

`registry` required string registry.k8s.io

`repository` required string etcd

Repository is the repository of the container image, e.g. my-repo/my-image

`tag` required string 3.5.21-0

Tag is the tag of the container image, e.g. latest. If set to the default, it will use the host Kubernetes version.

`imagePullPolicy` required string

ImagePullPolicy is the pull policy for the external etcd image

`env` required object[] []

Env are extra environment variables

`extraArgs` required string[] []

ExtraArgs are appended to the etcd command.

`resources` required object

Resources the etcd can consume

`limits` required object

Limits are resource limits for the container

`requests` required object map[cpu:20m memory:150Mi]

Requests are minimal resources that will be consumed by the container

`pods` required object

Pods defines extra metadata for the etcd pods.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`highAvailability` required object

HighAvailability are high availability options

`replicas` required integer 1

Replicas are the amount of pods to use.

`scheduling` required object

Scheduling options for the etcd pods.

`nodeSelector` required object {}

NodeSelector is the node selector to apply to the pod.

`affinity` required object {}

Affinity is the affinity to apply to the pod.

`tolerations` required object[] []

Tolerations are the tolerations to apply to the pod.

`priorityClassName` required string

PriorityClassName is the priority class name for the the pod.

`podManagementPolicy` required string Parallel

PodManagementPolicy is the statefulSet pod management policy.

`topologySpreadConstraints` required object[] []

TopologySpreadConstraints are the topology spread constraints for the pod.

`security` required object

Security options for the etcd pods.

`podSecurityContext` required object {}

PodSecurityContext specifies security context options on the pod level.

`containerSecurityContext` required object {}

ContainerSecurityContext specifies security context options on the container level.

`persistence` required object

Persistence options for the etcd pods.

`volumeClaim` required object

VolumeClaim can be used to configure the persistent volume claim.

`enabled` required boolean true

Enabled enables deploying a persistent volume claim.

`accessModes` required string[] [ReadWriteOnce]

AccessModes are the persistent volume claim access modes.

`retentionPolicy` required string Retain

RetentionPolicy is the persistent volume claim retention policy.

`size` required string 5Gi

Size is the persistent volume claim storage size.

`storageClass` required string

StorageClass is the persistent volume claim storage class.

`volumeClaimTemplates` required object[] []

VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet

`addVolumes` required object[] []

AddVolumes defines extra volumes for the pod

`addVolumeMounts` required object[]

AddVolumeMounts defines extra volume mounts for the container

`name` required string

This must match the Name of a Volume.

`readOnly` required boolean

Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

`mountPath` required string

Path within the container at which the volume should be mounted. Must not contain ':'.

`subPath` required string

Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

`mountPropagation` required string

mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.

`subPathExpr` required string

Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`service` required object

Service holds options for the external etcd service.

`enabled` required boolean true

Enabled defines if the etcd service should be deployed

`annotations` required object {}

Annotations are extra annotations for the external etcd service

`headlessService` required object

HeadlessService holds options for the external etcd headless service.

`annotations` required object {}

Annotations are extra annotations for the external etcd headless service

`external` required object

External defines to use a self-hosted external etcd that is not deployed by the helm chart

`enabled` required boolean false

Enabled defines if the external etcd should be used.

`endpoint` required string

Endpoint holds the endpoint of the external etcd server, e.g. my-example-service:2379

`tls` required object

TLS defines the tls configuration for the external etcd server

`caFile` required string

CaFile is the path to the ca file

`certFile` required string

CertFile is the path to the cert file

`keyFile` required string

KeyFile is the path to the key file

`database` required object

Database defines that a database backend should be used as the backend for the virtual cluster. This uses a project called kine under the hood which is a shim for bridging Kubernetes and relational databases.

`embedded` required object

Embedded defines that an embedded database (sqlite) should be used as the backend for the virtual cluster

`enabled` required boolean false

Enabled defines if the database should be used.

`dataSource` required string

DataSource is the kine dataSource to use for the database. This depends on the database format. This is optional for the embedded database. Examples:

mysql: mysql://username:password@tcp(hostname:3306)/k3s
postgres: postgres://username:password@hostname:5432/k3s

`keyFile` required string

KeyFile is the key file to use for the database. This is optional.

`certFile` required string

CertFile is the cert file to use for the database. This is optional.

`caFile` required string

CaFile is the ca file to use for the database. This is optional.

`extraArgs` required string[] []

ExtraArgs are additional arguments to pass to Kine.

`external` required object

External defines that an external database should be used as the backend for the virtual cluster

`enabled` required boolean false

Enabled defines if the database should be used.

`dataSource` required string

DataSource is the kine dataSource to use for the database. This depends on the database format. This is optional for the embedded database. Examples:

mysql: mysql://username:password@tcp(hostname:3306)/k3s
postgres: postgres://username:password@hostname:5432/k3s

`keyFile` required string

KeyFile is the key file to use for the database. This is optional.

`certFile` required string

CertFile is the cert file to use for the database. This is optional.

`caFile` required string

CaFile is the ca file to use for the database. This is optional.

`extraArgs` required string[] []

ExtraArgs are additional arguments to pass to Kine.

`connector` required string

Connector specifies a secret located in a connected vCluster Platform that contains database server connection information to be used by Platform to create a database and database user for the vCluster. and non-privileged user. A kine endpoint should be created using the database and user on Platform registration. This is optional.

`coredns` required object

CoreDNS defines everything related to the coredns that is deployed and used within the vCluster.

`enabled` required boolean true

Enabled defines if coredns is enabled

`embedded` required boolean false

Embedded defines if vCluster will start the embedded coredns service within the control-plane and not as a separate deployment. This is a PRO feature.

`security` required object

Security defines pod or container security context.

`podSecurityContext` required object {}

PodSecurityContext specifies security context options on the pod level.

`containerSecurityContext` required object {}

ContainerSecurityContext specifies security context options on the container level.

`service` required object

Service holds extra options for the coredns service deployed within the virtual cluster

`spec` required object map[type:ClusterIP]

Spec holds extra options for the coredns service

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`deployment` required object

Deployment holds extra options for the coredns deployment deployed within the virtual cluster

`image` required string

Image is the coredns image to use

`replicas` required integer 1

Replicas is the amount of coredns pods to run.

`nodeSelector` required object {}

NodeSelector is the node selector to use for coredns.

`affinity` required object {}

Affinity is the affinity to apply to the pod.

`tolerations` required object[] []

Tolerations are the tolerations to apply to the pod.

`resources` required object

Resources are the desired resources for coredns.

`limits` required object map[cpu:1000m memory:170Mi]

Limits are resource limits for the container

`requests` required object map[cpu:20m memory:64Mi]

Requests are minimal resources that will be consumed by the container

`pods` required object

Pods is additional metadata for the coredns pods.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`topologySpreadConstraints` required object[] [map[labelSelector:map[matchLabels:map[k8s-app:vcluster-kube-dns]] maxSkew:1 topologyKey:kubernetes.io/hostname whenUnsatisfiable:DoNotSchedule]]

TopologySpreadConstraints are the topology spread constraints for the CoreDNS pod.

`overwriteConfig` required string

OverwriteConfig can be used to overwrite the coredns config

`overwriteManifests` required string

OverwriteManifests can be used to overwrite the coredns manifests used to deploy coredns

`priorityClassName` required string

PriorityClassName specifies the priority class name for the CoreDNS pods.

`proxy` required object

Proxy defines options for the virtual cluster control plane proxy that is used to do authentication and intercept requests.

`bindAddress` required string 0.0.0.0

BindAddress under which vCluster will expose the proxy.

`port` required integer 8443

Port under which vCluster will expose the proxy. Changing port is currently not supported.

`extraSANs` required string[] []

ExtraSANs are extra hostnames to sign the vCluster proxy certificate for.

`hostPathMapper` required object

HostPathMapper defines if vCluster should rewrite host paths.

`enabled` required boolean

Enabled specifies if the host path mapper will be used

`central` required boolean

Central specifies if the central host path mapper will be used

`ingress` required object

Ingress defines options for vCluster ingress deployed by Helm.

`enabled` required boolean false

Enabled defines if the control plane ingress should be enabled

`host` required string my-host.com

Host is the host where vCluster will be reachable

`pathType` required string ImplementationSpecific

PathType is the path type of the ingress

`spec` required object map[tls:[]]

Spec allows you to configure extra ingress options.

`annotations` required object map[nginx.ingress.kubernetes.io/backend-protocol:HTTPS nginx.ingress.kubernetes.io/ssl-passthrough:true nginx.ingress.kubernetes.io/ssl-redirect:true]

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`service` required object

Service defines options for vCluster service deployed by Helm.

`enabled` required boolean true

Enabled defines if the control plane service should be enabled

`spec` required object map[type:ClusterIP]

Spec allows you to configure extra service options.

`kubeletNodePort` required integer 0

KubeletNodePort is the node port where the fake kubelet is exposed. Defaults to 0.

`httpsNodePort` required integer 0

HTTPSNodePort is the node port where https is exposed. Defaults to 0.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`statefulSet` required object

StatefulSet defines options for vCluster statefulSet deployed by Helm.

`highAvailability` required object

HighAvailability holds options related to high availability.

`replicas` required integer 1

Replicas is the amount of replicas to use for the statefulSet.

`leaseDuration` required integer 60

LeaseDuration is the time to lease for the leader.

`renewDeadline` required integer 40

RenewDeadline is the deadline to renew a lease for the leader.

`retryPeriod` required integer 15

RetryPeriod is the time until a replica will retry to get a lease.

`resources` required object

Resources are the resource requests and limits for the statefulSet container.

`limits` required object map[ephemeral-storage:8Gi memory:2Gi]

Limits are resource limits for the container

`requests` required object map[cpu:200m ephemeral-storage:400Mi memory:256Mi]

Requests are minimal resources that will be consumed by the container

`scheduling` required object

Scheduling holds options related to scheduling.

`nodeSelector` required object {}

NodeSelector is the node selector to apply to the pod.

`affinity` required object {}

Affinity is the affinity to apply to the pod.

`tolerations` required object[] []

Tolerations are the tolerations to apply to the pod.

`priorityClassName` required string

PriorityClassName is the priority class name for the the pod.

`podManagementPolicy` required string Parallel

PodManagementPolicy is the statefulSet pod management policy.

`topologySpreadConstraints` required object[] []

TopologySpreadConstraints are the topology spread constraints for the pod.

`security` required object

Security defines pod or container security context.

`podSecurityContext` required object {}

PodSecurityContext specifies security context options on the pod level.

`containerSecurityContext` required object map[allowPrivilegeEscalation:false runAsGroup:0 runAsUser:0]

ContainerSecurityContext specifies security context options on the container level.

`probes` required object

Probes enables or disables the main container probes.

`livenessProbe` required object

LivenessProbe specifies if the liveness probe for the container should be enabled

`enabled` required boolean true

Enabled defines if this option should be enabled.

`failureThreshold` required integer 60

Number of consecutive failures for the probe to be considered failed

`initialDelaySeconds` required integer 60

Time (in seconds) to wait before starting the liveness probe

`timeoutSeconds` required integer 3

Maximum duration (in seconds) that the probe will wait for a response.

`periodSeconds` required integer 2

Frequency (in seconds) to perform the probe

`readinessProbe` required object

ReadinessProbe specifies if the readiness probe for the container should be enabled

`enabled` required boolean true

Enabled defines if this option should be enabled.

`failureThreshold` required integer 60

Number of consecutive failures for the probe to be considered failed

`timeoutSeconds` required integer 3

Maximum duration (in seconds) that the probe will wait for a response.

`periodSeconds` required integer 2

Frequency (in seconds) to perform the probe

`startupProbe` required object

StartupProbe specifies if the startup probe for the container should be enabled

`enabled` required boolean true

Enabled defines if this option should be enabled.

`failureThreshold` required integer 300

Number of consecutive failures allowed before failing the pod

`timeoutSeconds` required integer 3

Maximum duration (in seconds) that the probe will wait for a response.

`periodSeconds` required integer 6

Frequency (in seconds) to perform the probe

`persistence` required object

Persistence defines options around persistence for the statefulSet.

`volumeClaim` required object

VolumeClaim can be used to configure the persistent volume claim.

`enabled` required string|boolean auto

Enabled enables deploying a persistent volume claim. If auto, vCluster will automatically determine based on the chosen distro and other options if this is required.

`accessModes` required string[] [ReadWriteOnce]

AccessModes are the persistent volume claim access modes.

`retentionPolicy` required string Retain

RetentionPolicy is the persistent volume claim retention policy.

`size` required string 5Gi

Size is the persistent volume claim storage size.

`storageClass` required string

StorageClass is the persistent volume claim storage class.

`volumeClaimTemplates` required object[] []

VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet

`dataVolume` required object[] []

Allows you to override the dataVolume. Only works correctly if volumeClaim.enabled=false.

`binariesVolume` required object[] [map[emptyDir:map[] name:binaries]]

BinariesVolume defines a binaries volume that is used to retrieve distro specific executables to be run by the syncer controller. This volume doesn't need to be persistent.

`addVolumes` required object[] []

AddVolumes defines extra volumes for the pod

`addVolumeMounts` required object[]

AddVolumeMounts defines extra volume mounts for the container

`name` required string

This must match the Name of a Volume.

`readOnly` required boolean

Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.

`mountPath` required string

Path within the container at which the volume should be mounted. Must not contain ':'.

`subPath` required string

Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).

`mountPropagation` required string

mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.

`subPathExpr` required string

`enableServiceLinks` required boolean true

EnableServiceLinks for the StatefulSet pod

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`pods` required object

Additional labels or annotations for the statefulSet pods.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`image` required object

Image is the image for the controlPlane statefulSet container

`registry` required string ghcr.io

Configure the registry of the container image, e.g. my-registry.com or ghcr.io It defaults to ghcr.io and can be overriding either by using this field or controlPlane.advanced.defaultImageRegistry

`repository` required string loft-sh/vcluster-pro

Configure the repository of the container image, e.g. my-repo/my-image. It defaults to the vCluster pro repository that includes the optional pro modules that are turned off by default. If you still want to use the pure OSS build, use 'loft-sh/vcluster-oss' instead.

`tag` required string

Tag is the tag of the container image, e.g. latest

`imagePullPolicy` required string

ImagePullPolicy is the policy how to pull the image.

`workingDir` required string

WorkingDir specifies in what folder the main process should get started.

`command` required string[] []

Command allows you to override the main command.

`args` required string[] []

Args allows you to override the main arguments.

`env` required object[] []

Env are additional environment variables for the statefulSet container.

`dnsPolicy` required string

Set DNS policy for the pod.

`dnsConfig` required object

Specifies the DNS parameters of a pod.

`nameservers` required string[]

A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed.

`searches` required string[]

A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed.

`options` required object[]

A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy.

`name` required string

Required.

`value` required string

`serviceMonitor` required object

ServiceMonitor can be used to automatically create a service monitor for vCluster deployment itself.

`enabled` required boolean false

Enabled configures if Helm should create the service monitor.

`labels` required object {}

Labels are the extra labels to add to the service monitor.

`annotations` required object {}

Annotations are the extra annotations to add to the service monitor.

`advanced` required object

Advanced holds additional configuration for the vCluster control plane.

`defaultImageRegistry` required string

DefaultImageRegistry will be used as a prefix for all internal images deployed by vCluster or Helm. This makes it easy to upload all required vCluster images to a single private repository and set this value. Workload images are not affected by this.

`virtualScheduler` required object

VirtualScheduler defines if a scheduler should be used within the virtual cluster or the scheduling decision for workloads will be made by the host cluster. Deprecated: Use ControlPlane.Distro.K8S.Scheduler instead.

`enabled` required boolean false

Enabled defines if this option should be enabled.

`serviceAccount` required object

ServiceAccount specifies options for the vCluster control plane service account.

`enabled` required boolean true

Enabled specifies if the service account should get deployed.

`name` required string

Name specifies what name to use for the service account.

`imagePullSecrets` required object[]

ImagePullSecrets defines extra image pull secrets for the service account.

`name` required string

Name of the image pull secret to use.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`workloadServiceAccount` required object

WorkloadServiceAccount specifies options for the service account that will be used for the workloads that run within the virtual cluster.

`enabled` required boolean true

Enabled specifies if the service account for the workloads should get deployed.

`name` required string

Name specifies what name to use for the service account for the virtual cluster workloads.

`imagePullSecrets` required object[]

ImagePullSecrets defines extra image pull secrets for the workload service account.

`name` required string

Name of the image pull secret to use.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`headlessService` required object

HeadlessService specifies options for the headless service used for the vCluster StatefulSet.

`annotations` required object {}

Annotations are extra annotations for this resource.

`labels` required object {}

Labels are extra labels for this resource.

`konnectivity` required object

Konnectivity holds dedicated konnectivity configuration. This is only available when privateNodes.enabled is true.

`server` required object

Server holds configuration for the konnectivity server.

`enabled` required boolean true

Enabled defines if the konnectivity server should be enabled.

`extraArgs` required string[] []

ExtraArgs are additional arguments to pass to the konnectivity server.

`agent` required object

Agent holds configuration for the konnectivity agent.

`enabled` required boolean true

Enabled defines if the konnectivity agent should be enabled.

`replicas` required integer 1

Replicas is the number of replicas for the konnectivity agent.

`image` required string

Image is the image for the konnectivity agent.

`imagePullPolicy` required string

ImagePullPolicy is the policy how to pull the image.

`nodeSelector` required object {}

NodeSelector is the node selector for the konnectivity agent.

`priorityClassName` required string

PriorityClassName is the priority class name for the konnectivity agent.

`tolerations` required object[] []

Tolerations is the tolerations for the konnectivity agent.

`extraEnv` required object[] []

ExtraEnv is the extra environment variables for the konnectivity agent.

`extraArgs` required string[] []

ExtraArgs are additional arguments to pass to the konnectivity agent.

`registry` required object

Registry allows enabling an embedded docker image registry in vCluster. This is useful for air-gapped environments or when you don't have a public registry available to distribute images.

`enabled` required boolean false

Enabled defines if the embedded registry should be enabled.

`anonymousPull` required boolean true

AnonymousPull allows enabling anonymous pull for the embedded registry. This allows anybody to pull images from the registry without authentication.

`config` required object {}

Config is the regular docker registry config. See https://distribution.github.io/distribution/about/configuration/ for more details.

`globalMetadata` required object

GlobalMetadata is metadata that will be added to all resources deployed by Helm.

`annotations` required object {}

Annotations are extra annotations for this resource.

`rbac` required object

RBAC options for the virtual cluster.

`role` required object

Role holds virtual cluster role configuration

`enabled` required boolean true

Enabled defines if the role should be enabled or disabled.

`extraRules` required object[] []

ExtraRules will add rules to the role.

`overwriteRules` required object[] []

OverwriteRules will overwrite the role rules completely.

`clusterRole` required object

ClusterRole holds virtual cluster cluster role configuration

`enabled` required string|boolean auto

Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.

`extraRules` required object[] []

ExtraRules will add rules to the cluster role.

`overwriteRules` required object[] []

OverwriteRules will overwrite the cluster role rules completely.

`sleepMode` required object

SleepMode holds the native sleep mode configuration for Pro clusters

`enabled` required boolean

Enabled toggles the sleep mode functionality, allowing for disabling sleep mode without removing other config

`timeZone` required string

Timezone represents the timezone a sleep schedule should run against, defaulting to UTC if unset

`autoSleep` required object

AutoSleep holds autoSleep details

`afterInactivity` required string

AfterInactivity represents how long a vCluster can be idle before workloads are automaticaly put to sleep

`schedule` required string

Schedule represents a cron schedule for when to sleep workloads

`exclude` required object

Exclude holds configuration for labels that, if present, will prevent a workload from going to sleep

`selector` required object

`labels` required object

Labels defines what labels should be looked for

`autoWakeup` required object

AutoWakeup holds configuration for waking the vCluster on a schedule rather than waiting for some activity.

`schedule` required string

`plugins` required {key: object}

Define which vCluster plugins to load.

`name` required string

Name is the name of the init-container and NOT the plugin name

`image` required string

Image is the container image that should be used for the plugin

`imagePullPolicy` required string

ImagePullPolicy is the pull policy to use for the container image

`config` required object

Config is the plugin config to use. This can be arbitrary config used for the plugin.

`rbac` required object

RBAC holds additional rbac configuration for the plugin

`role` required object

Role holds extra virtual cluster role permissions for the plugin

`extraRules` required object[]

ExtraRules are extra rbac permissions roles that will be added to role or cluster role

`verbs` required string[]

Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.

`apiGroups` required string[]

APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.

`resources` required string[]

Resources is a list of resources this rule applies to. '*' represents all resources.

`resourceNames` required string[]

ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

`nonResourceURLs` required string[]

NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.

`clusterRole` required object

ClusterRole holds extra virtual cluster cluster role permissions required for the plugin

`extraRules` required object[]

ExtraRules are extra rbac permissions roles that will be added to role or cluster role

`verbs` required string[]

Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.

`apiGroups` required string[]

`resources` required string[]

Resources is a list of resources this rule applies to. '*' represents all resources.

`resourceNames` required string[]

ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.

`nonResourceURLs` required string[]

`command` required string[]

Command is the command that should be used for the init container

`args` required string[]

Args are the arguments that should be used for the init container

`securityContext` required object

SecurityContext is the container security context used for the init container

`resources` required object

Resources are the container resources used for the init container

`volumeMounts` required object[]

VolumeMounts are extra volume mounts for the init container

`experimental` required object

Experimental features for vCluster. Configuration here might change, so be careful with this.

`deploy` required object

Deploy allows you to configure manifests and Helm charts to deploy within the host or virtual cluster.

`host` required object

Host defines what manifests to deploy into the host cluster

`manifests` required string

Manifests are raw Kubernetes manifests that should get applied within the host cluster.

`manifestsTemplate` required string

ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the host cluster.

`vcluster` required object

VCluster defines what manifests and charts to deploy into the vCluster

`manifests` required string

Manifests are raw Kubernetes manifests that should get applied within the virtual cluster.

`manifestsTemplate` required string

ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the virtual cluster.

`helm` required object[]

Helm are Helm charts that should get deployed into the virtual cluster

`chart` required object

Chart defines what chart should get deployed.

`name` required string

`repo` required string

`insecure` required boolean

`version` required string

`username` required string

`password` required string

`release` required object

Release defines what release should get deployed.

`name` required string

Name of the release

`namespace` required string

Namespace of the release

`values` required string

Values defines what values should get used.

`timeout` required string

Timeout defines the timeout for Helm

`bundle` required string

Bundle allows to compress the Helm chart and specify this instead of an online chart

`syncSettings` required object

SyncSettings are advanced settings for the syncer controller.

`targetNamespace` required string

TargetNamespace is the namespace where the workloads should get synced to.

`setOwner` required boolean true

SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.

`hostMetricsBindAddress` required string

HostMetricsBindAddress is the bind address for the local manager

`virtualMetricsBindAddress` required string

VirtualMetricsBindAddress is the bind address for the virtual manager

`genericSync` required object

GenericSync holds options to generically sync resources from virtual cluster to host.

`version` required string

Version is the config version

`export` required object[]

Exports syncs a resource from the virtual cluster to the host

`apiVersion` required string

APIVersion of the object to sync

`kind` required string

Kind of the object to sync

`optional` required boolean

`replaceOnConflict` required boolean

ReplaceWhenInvalid determines if the controller should try to recreate the object if there is a problem applying

`patches` required object[]

Patches are the patches to apply on the virtual cluster objects when syncing them from the host cluster

`op` required string

Operation is the type of the patch

`fromPath` required string

FromPath is the path from the other object

`path` required string

Path is the path of the patch

`namePath` required string

NamePath is the path to the name of a child resource within Path

`namespacePath` required string

NamespacePath is path to the namespace of a child resource within Path

`value` required object

Value is the new value to be set to the path

`regex` required string

Regex - is regular expresion used to identify the Name, and optionally Namespace, parts of the field value that will be replaced with the rewritten Name and/or Namespace

`conditions` required object[]

Conditions are conditions that must be true for the patch to get executed

`path` required string

Path is the path within the object to select

`subPath` required string

SubPath is the path below the selected object to select

`equal` required object

Equal is the value the path should be equal to

`notEqual` required object

NotEqual is the value the path should not be equal to

`empty` required boolean

Empty means that the path value should be empty or unset

`ignore` required boolean

Ignore determines if the path should be ignored if handled as a reverse patch

`sync` required object

Sync defines if a specialized syncer should be initialized using values from the rewriteName operation as Secret/Configmap names to be synced

`secret` required boolean

`configmap` required boolean

`reversePatches` required object[]

ReversePatches are the patches to apply to host cluster objects after it has been synced to the virtual cluster

`op` required string

Operation is the type of the patch

`fromPath` required string

FromPath is the path from the other object

`path` required string

Path is the path of the patch

`namePath` required string

NamePath is the path to the name of a child resource within Path

`namespacePath` required string

NamespacePath is path to the namespace of a child resource within Path

`value` required object

Value is the new value to be set to the path

`regex` required string

Regex - is regular expresion used to identify the Name, and optionally Namespace, parts of the field value that will be replaced with the rewritten Name and/or Namespace

`conditions` required object[]

Conditions are conditions that must be true for the patch to get executed

`path` required string

Path is the path within the object to select

`subPath` required string

SubPath is the path below the selected object to select

`equal` required object

Equal is the value the path should be equal to

`notEqual` required object

NotEqual is the value the path should not be equal to

`empty` required boolean

Empty means that the path value should be empty or unset

`ignore` required boolean

Ignore determines if the path should be ignored if handled as a reverse patch

`sync` required object

Sync defines if a specialized syncer should be initialized using values from the rewriteName operation as Secret/Configmap names to be synced

`secret` required boolean

`configmap` required boolean

`selector` required object

Selector is a label selector to select the synced objects in the virtual cluster. If empty, all objects will be synced.

`labelSelector` required object

LabelSelector are the labels to select the object from

`import` required object[]

Imports syncs a resource from the host cluster to virtual cluster

`apiVersion` required string

APIVersion of the object to sync

`kind` required string

Kind of the object to sync

`optional` required boolean

`replaceOnConflict` required boolean

ReplaceWhenInvalid determines if the controller should try to recreate the object if there is a problem applying

`patches` required object[]

Patches are the patches to apply on the virtual cluster objects when syncing them from the host cluster

`op` required string

Operation is the type of the patch

`fromPath` required string

FromPath is the path from the other object

`path` required string

Path is the path of the patch

`namePath` required string

NamePath is the path to the name of a child resource within Path

`namespacePath` required string

NamespacePath is path to the namespace of a child resource within Path

`value` required object

Value is the new value to be set to the path

`regex` required string

Regex - is regular expresion used to identify the Name, and optionally Namespace, parts of the field value that will be replaced with the rewritten Name and/or Namespace

`conditions` required object[]

Conditions are conditions that must be true for the patch to get executed

`path` required string

Path is the path within the object to select

`subPath` required string

SubPath is the path below the selected object to select

`equal` required object

Equal is the value the path should be equal to

`notEqual` required object

NotEqual is the value the path should not be equal to

`empty` required boolean

Empty means that the path value should be empty or unset

`ignore` required boolean

Ignore determines if the path should be ignored if handled as a reverse patch

`sync` required object

Sync defines if a specialized syncer should be initialized using values from the rewriteName operation as Secret/Configmap names to be synced

`secret` required boolean

`configmap` required boolean

`reversePatches` required object[]

ReversePatches are the patches to apply to host cluster objects after it has been synced to the virtual cluster

`op` required string

Operation is the type of the patch

`fromPath` required string

FromPath is the path from the other object

`path` required string

Path is the path of the patch

`namePath` required string

NamePath is the path to the name of a child resource within Path

`namespacePath` required string

NamespacePath is path to the namespace of a child resource within Path

`value` required object

Value is the new value to be set to the path

`regex` required string

Regex - is regular expresion used to identify the Name, and optionally Namespace, parts of the field value that will be replaced with the rewritten Name and/or Namespace

`conditions` required object[]

Conditions are conditions that must be true for the patch to get executed

`path` required string

Path is the path within the object to select

`subPath` required string

SubPath is the path below the selected object to select

`equal` required object

Equal is the value the path should be equal to

`notEqual` required object

NotEqual is the value the path should not be equal to

`empty` required boolean

Empty means that the path value should be empty or unset

`ignore` required boolean

Ignore determines if the path should be ignored if handled as a reverse patch

`sync` required object

Sync defines if a specialized syncer should be initialized using values from the rewriteName operation as Secret/Configmap names to be synced

`secret` required boolean

`configmap` required boolean

`hooks` required object

Hooks are hooks that can be used to inject custom patches before syncing

`hostToVirtual` required object[]

HostToVirtual is a hook that is executed before syncing from the host to the virtual cluster

`apiVersion` required string

APIVersion of the object to sync

`kind` required string

Kind of the object to sync

`verbs` required string[]

Verbs are the verbs that the hook should mutate

`patches` required object[]

Patches are the patches to apply on the object to be synced

`op` required string

Operation is the type of the patch

`fromPath` required string

FromPath is the path from the other object

`path` required string

Path is the path of the patch

`namePath` required string

NamePath is the path to the name of a child resource within Path

`namespacePath` required string

NamespacePath is path to the namespace of a child resource within Path

`value` required object

Value is the new value to be set to the path

`regex` required string

Regex - is regular expresion used to identify the Name, and optionally Namespace, parts of the field value that will be replaced with the rewritten Name and/or Namespace

`conditions` required object[]

Conditions are conditions that must be true for the patch to get executed

`path` required string

Path is the path within the object to select

`subPath` required string

SubPath is the path below the selected object to select

`equal` required object

Equal is the value the path should be equal to

`notEqual` required object

NotEqual is the value the path should not be equal to

`empty` required boolean

Empty means that the path value should be empty or unset

`ignore` required boolean

Ignore determines if the path should be ignored if handled as a reverse patch

`sync` required object

Sync defines if a specialized syncer should be initialized using values from the rewriteName operation as Secret/Configmap names to be synced

`secret` required boolean

`configmap` required boolean

`virtualToHost` required object[]

VirtualToHost is a hook that is executed before syncing from the virtual to the host cluster

`apiVersion` required string

APIVersion of the object to sync

`kind` required string

Kind of the object to sync

`verbs` required string[]

Verbs are the verbs that the hook should mutate

`patches` required object[]

Patches are the patches to apply on the object to be synced

`op` required string

Operation is the type of the patch

`fromPath` required string

FromPath is the path from the other object

`path` required string

Path is the path of the patch

`namePath` required string

NamePath is the path to the name of a child resource within Path

`namespacePath` required string

NamespacePath is path to the namespace of a child resource within Path

`value` required object

Value is the new value to be set to the path

`regex` required string

Regex - is regular expresion used to identify the Name, and optionally Namespace, parts of the field value that will be replaced with the rewritten Name and/or Namespace

`conditions` required object[]

Conditions are conditions that must be true for the patch to get executed

`path` required string

Path is the path within the object to select

`subPath` required string

SubPath is the path below the selected object to select

`equal` required object

Equal is the value the path should be equal to

`notEqual` required object

NotEqual is the value the path should not be equal to

`empty` required boolean

Empty means that the path value should be empty or unset

`ignore` required boolean

Ignore determines if the path should be ignored if handled as a reverse patch

`sync` required object

Sync defines if a specialized syncer should be initialized using values from the rewriteName operation as Secret/Configmap names to be synced

`secret` required boolean

`configmap` required boolean

`clusterRole` required object

`extraRules` required object[] []

`role` required object

`extraRules` required object[] []

`isolatedControlPlane` required object

IsolatedControlPlane is a feature to run the vCluster control plane in a different Kubernetes cluster than the workloads themselves.

`enabled` required boolean

Enabled specifies if the isolated control plane feature should be enabled.

`headless` required boolean false

Headless states that Helm should deploy the vCluster in headless mode for the isolated control plane.

`kubeConfig` required string

KubeConfig is the path where to find the remote workload cluster kubeconfig.

`namespace` required string

Namespace is the namespace where to sync the workloads into.

`service` required string

Service is the vCluster service in the remote cluster.

`virtualClusterKubeConfig` required object

VirtualClusterKubeConfig allows you to override distro specifics and specify where vCluster will find the required certificates and vCluster config.

`kubeConfig` required string

KubeConfig is the virtual cluster kubeconfig path.

`serverCAKey` required string

ServerCAKey is the server ca key path.

`serverCACert` required string

ServerCAKey is the server ca cert path.

`clientCACert` required string

ServerCAKey is the client ca cert path.

`requestHeaderCACert` required string

RequestHeaderCACert is the request header ca cert path.

`denyProxyRequests` required object[]

DenyProxyRequests denies certain requests in the vCluster proxy.

`name` required string

The name of the check.

`namespaces` required string[]

Namespace describe a list of namespaces that will be affected by the check. An empty list means that all namespaces will be affected. In case of ClusterScoped rules, only the Namespace resource is affected.

`rules` required object[]

Rules describes on which verbs and on what resources/subresources the webhook is enforced. The webhook is enforced if it matches any Rule. The version of the request must match the rule version exactly. Equivalent matching is not supported.

`apiGroups` required string[]

APIGroups is the API groups the resources belong to. '*' is all groups.

`apiVersions` required string[]

APIVersions is the API versions the resources belong to. '*' is all versions.

`resources` required string[]

Resources is a list of resources this rule applies to.

`scope` required string

Scope specifies the scope of this rule.

`operations` required string[]

Verb is the kube verb associated with the request for API requests, not the http verb. This includes things like list and watch. For non-resource requests, this is the lowercase http verb. If '*' is present, the length of the slice must be one.

`excludedUsers` required string[]

ExcludedUsers describe a list of users for which the checks will be skipped. Impersonation attempts on these users will still be subjected to the checks.

`external` required object

External holds configuration for tools that are external to the vCluster.

`platform` required object

platform holds platform configuration

`apiKey` required object

APIKey defines where to find the platform access key and host. By default, vCluster will search in the following locations in this precedence:

environment variable called LICENSE
secret specified under external.platform.apiKey.secretName
secret called "vcluster-platform-api-key" in the vCluster namespace

`secretName` required string

SecretName is the name of the secret where the platform access key is stored. This defaults to vcluster-platform-api-key if undefined.

`namespace` required string

Namespace defines the namespace where the access key secret should be retrieved from. If this is not equal to the namespace where the vCluster instance is deployed, you need to make sure vCluster has access to this other namespace.

`createRBAC` required boolean

CreateRBAC will automatically create the necessary RBAC roles and role bindings to allow vCluster to read the secret specified in the above namespace, if specified. This defaults to true.

`autoSleep` required object

AutoSleep holds configuration for automatic sleep and wakeup

`afterInactivity` required integer

AfterInactivity specifies after how many seconds of inactivity the virtual cluster should sleep

`schedule` required string

Schedule specifies scheduled virtual cluster sleep in Cron format, see https://en.wikipedia.org/wiki/Cron. Note: timezone defined in the schedule string will be ignored. Use ".Timezone" field instead.

`timezone` required string

Timezone specifies time zone used for scheduled virtual cluster operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York".

`autoWakeup` required object

AutoSleep holds configuration for automatic wakeup

`schedule` required string

Schedule specifies scheduled wakeup from sleep in Cron format, see https://en.wikipedia.org/wiki/Cron. Note: timezone defined in the schedule string will be ignored. The timezone for the autoSleep schedule will be used

`autoDelete` required object

AutoDelete holds configuration for automatic delete

`afterInactivity` required integer

AfterInactivity specifies after how many seconds of inactivity the virtual cluster be deleted

`telemetry` required object

Configuration related to telemetry gathered about vCluster usage.

`enabled` required boolean true

Enabled specifies that the telemetry for the vCluster control plane should be enabled.

`instanceCreator` required string

`machineID` required string

`platformUserID` required string

`platformInstanceID` required string

Create a virtual cluster with a config file
Config reference
exportKubeConfig required object
integrations required object
sync required object
- toHost required object
- fromHost required object
networking required object
policies required object
controlPlane required object
rbac required object
- role required object
- clusterRole required object
sleepMode required object
plugins required {key: object}
experimental required object
external required object
- platform required object
telemetry required object

Create a virtual cluster with a config file​

Config reference​

exportKubeConfig required object ​

context required string ​

server required string ​

insecure required boolean false ​

serviceAccount required object ​

name required string ​

namespace required string ​

clusterRole required string ​

secret required object ​

name required string ​

namespace required string ​

additionalSecrets required object[] ​

context required string ​

server required string ​

insecure required boolean ​

serviceAccount required object ​

name required string ​

namespace required string ​

clusterRole required string ​

name required string ​

namespace required string ​

integrations required object ​

metricsServer required object ​

enabled required boolean false ​

apiService required object ​

service required object ​

name required string ​

namespace required string ​

port required integer ​

nodes required boolean true ​

pods required boolean true ​

kubeVirt required object ​

enabled required boolean false ​

apiService required object ​

service required object ​

name required string ​

namespace required string ​

port required integer ​

webhook required object ​

enabled required boolean true ​

sync required object ​

dataVolumes required object ​

enabled required boolean false ​

virtualMachineInstanceMigrations required object ​

enabled required boolean true ​

virtualMachineInstances required object ​

enabled required boolean true ​

virtualMachines required object ​

enabled required boolean true ​

virtualMachineClones required object ​

enabled required boolean true ​

virtualMachinePools required object ​

enabled required boolean true ​

externalSecrets required object ​

enabled required boolean false ​

webhook required object ​

enabled required boolean false ​

sync required object ​

externalSecrets required object ​

enabled required boolean true ​

stores required object ​

enabled required boolean false ​

clusterStores required object ​

enabled required boolean false ​

selector required object ​

labels required object {} ​

certManager required object ​

enabled required boolean false ​

sync required object ​

toHost required object ​

certificates required object ​

enabled required boolean true ​

issuers required object ​

enabled required boolean true ​

fromHost required object ​

clusterIssuers required object ​

enabled required boolean true ​

selector required object ​

Create a virtual cluster with a config file

Config reference

`exportKubeConfig` required object

`context` required string

`server` required string

`insecure` required boolean false

`serviceAccount` required object

`name` required string

`namespace` required string

`clusterRole` required string

`secret` required object

`name` required string

`namespace` required string

`additionalSecrets` required object[]

`context` required string

`server` required string

`insecure` required boolean

`serviceAccount` required object

`name` required string

`namespace` required string

`clusterRole` required string

`name` required string

`namespace` required string

`integrations` required object

`metricsServer` required object

`enabled` required boolean false

`apiService` required object

`service` required object

`name` required string

`namespace` required string

`port` required integer

`nodes` required boolean true

`pods` required boolean true

`kubeVirt` required object

`enabled` required boolean false

`apiService` required object

`service` required object

`name` required string

`namespace` required string

`port` required integer

`webhook` required object

`enabled` required boolean true

`sync` required object

`dataVolumes` required object

`enabled` required boolean false

`virtualMachineInstanceMigrations` required object

`enabled` required boolean true

`virtualMachineInstances` required object

`enabled` required boolean true

`virtualMachines` required object

`enabled` required boolean true

`virtualMachineClones` required object

`enabled` required boolean true

`virtualMachinePools` required object

`enabled` required boolean true

`externalSecrets` required object

`enabled` required boolean false

`webhook` required object

`enabled` required boolean false

`sync` required object

`externalSecrets` required object

`enabled` required boolean true

`stores` required object

`enabled` required boolean false

`clusterStores` required object

`enabled` required boolean false

`selector` required object

`labels` required object {}

`certManager` required object

`enabled` required boolean false

`sync` required object

`toHost` required object

`certificates` required object

`enabled` required boolean true

`issuers` required object

`enabled` required boolean true

`fromHost` required object

`clusterIssuers` required object

`enabled` required boolean true

`selector` required object