Version: v0.27 Stable

Isolated control plane

Limited vCluster Tenancy Configuration Support

This feature is only available when using the following worker node types:

  • Host Nodes

    Enterprise-Only Feature

    This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

    The vCluster control plane runs in one cluster, while a second, headless vCluster instance runs workloads in a separate cluster.

    Key benefits

    • Optimize resource allocation. Deploy control planes on cost-effective clusters and direct heavy-duty tasks, such as GPU-intensive workloads, to higher-performance clusters.

    • Simplify management. Offer a straightforward, enforceable alternative to having each developer manage an increasingly complex set of taints, tolerations, or node affinities to schedule workloads to the appropriate clusters.

    • Enhance security with control. Developers can manage workloads via the control plane, even if the workloads reside in a secure zone. This eliminates the need to provide developers with direct cluster access, firewall configurations, and permissions management.

    • Divide responsibilities. Allow for a clear separation of duties, where one team oversees the control plane cluster and other teams handle the workload clusters.


    Deprecated Parameter       Config Field
    --remote-kube-config       kubeConfig
    --remote-namespace         namespace
    --remote-service-name      service

    Configure remote virtual cluster as workload cluster

    Create a virtual cluster with the following configuration, where the headless field is set to true:

    isolatedControlPlane:
      headless: true

    Create a second virtual cluster with the following configuration, where the enabled field is set to true:

    isolatedControlPlane:
      enabled: true
      kubeConfig: VIRTUAL_CLUSTER_KUBECONFIG
      namespace: VIRTUAL_CLUSTER_NAMESPACE
      service: VIRTUAL_CLUSTER_SERVICE

    Replace the following:

    • VIRTUAL_CLUSTER_KUBECONFIG: the location of the remote virtual cluster's kubeconfig file
      • Store the kubeconfig in a Secret or ConfigMap.
      • Mount the Secret or ConfigMap as a Volume available to the virtual cluster.
      • Configure the Volume as a VolumeMount in the syncer.
    • VIRTUAL_CLUSTER_NAMESPACE: the remote virtual cluster's namespace
    • VIRTUAL_CLUSTER_SERVICE: the remote vCluster Service name
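
A pre-deployment check for the three kubeconfig steps above, as an added example that is not vCluster's own code: it confirms that the kubeConfig path resolves to a file mounted into the syncer container and flags a source other than a Secret, since a kubeconfig carries cluster credentials. The container name syncer, the sample paths and names, and the function check_remote_kubeconfig are assumptions made for illustration.

```python
import posixpath

# Constructed sample: the page's isolatedControlPlane block with hypothetical
# values, plus the relevant slice of the control plane pod spec.
ISOLATED_CP = {"enabled": True, "kubeConfig": "/etc/remote/kubeconfig",
               "namespace": "workloads", "service": "headless-vcluster"}
POD_SPEC = {
    "volumes": [{"name": "remote-kubeconfig",
                 "secret": {"secretName": "remote-kubeconfig"}}],
    "containers": [{"name": "syncer", "volumeMounts": [
        {"name": "remote-kubeconfig", "mountPath": "/etc/remote"}]}],
}


def check_remote_kubeconfig(icp, pod_spec, container="syncer"):
    """Return findings; an empty list means config and pod spec line up."""
    findings = []
    if icp.get("enabled") is not True:
        findings.append("enabled is not true")
    for key in ("kubeConfig", "namespace", "service"):
        value = str(icp.get(key) or "")
        if not value or value.startswith("VIRTUAL_CLUSTER_"):
            findings.append(f"{key} is unset or still a placeholder")
    path = posixpath.normpath(str(icp.get("kubeConfig") or ""))
    ctr = next((c for c in pod_spec.get("containers", [])
                if c.get("name") == container), None)
    if ctr is None:
        return findings + [f"container {container!r} not found in pod spec"]
    # The kubeConfig path must be a volumeMount itself (subPath) or sit below one.
    mount = None
    for m in ctr.get("volumeMounts", []):
        base = posixpath.normpath(m["mountPath"])
        if path == base or path.startswith(base + "/"):
            mount = m
            break
    if mount is None:
        return findings + [f"{path} is not under any volumeMount of {container!r}"]
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    volume = volumes.get(mount["name"])
    if volume is None:
        findings.append(f"volumeMount {mount['name']!r} has no matching volume")
    elif "secret" not in volume:
        # A kubeconfig carries cluster credentials; ConfigMaps are not meant
        # for confidential data, so report any non-Secret source.
        findings.append("kubeconfig volume is not backed by a Secret")
    return findings


if __name__ == "__main__":
    print(check_remote_kubeconfig(ISOLATED_CP, POD_SPEC) or "ok")
```
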

    Config reference

    isolatedControlPlane (object, required)

    IsolatedControlPlane is a feature to run the vCluster control plane in a different Kubernetes cluster than the workloads themselves.

    enabled (boolean, required)

    Enabled specifies if the isolated control plane feature should be enabled.

    headless (boolean, required, default: false)

    Headless states that Helm should deploy the vCluster in headless mode for the isolated control plane.

    kubeConfig (string, required)

    KubeConfig is the path to the remote workload cluster's kubeconfig.

    namespace (string, required)

    Namespace is the namespace into which the workloads are synced.

    service (string, required)

    Service is the vCluster service in the remote cluster.