Version: v0.27 Stable

Isolated control plane

Deprecated Feature

This feature is deprecated as of v0.27 and is removed in v0.28.

Limited vCluster Tenancy Configuration Support

This feature is only available when using the following worker node types:

  • Host Nodes

Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

    The vCluster control plane runs in one cluster, while a second, headless vCluster instance runs workloads in a separate cluster.

    Key benefits

    • Optimize resource allocation. Deploy control planes on cost-effective clusters and direct heavy-duty tasks, such as GPU-intensive workloads, to higher-performance clusters.

    • Simplify management. Offer a straightforward, enforceable alternative to having each developer manage an increasingly complex set of taints, tolerations, or node affinities to schedule workloads to the appropriate clusters.

    • Enhance security with control. Developers can manage workloads via the control plane, even if the workloads reside in a secure zone. This eliminates the need to provide developers with direct cluster access, firewall configurations, and permissions management.

    • Divide responsibilities. Allow for a clear separation of duties, where one team oversees the control plane cluster and other teams handle the workload clusters.


    Deprecated Parameter     Config Field
    --remote-kube-config     kubeConfig
    --remote-namespace       namespace
    --remote-service-name    service

    Configure remote virtual cluster as workload cluster

    Create a virtual cluster with the following configuration, where the headless field is set to true:

    isolatedControlPlane:
      headless: true

    Create a second virtual cluster with the following configuration, where the enabled field is set to true:

    isolatedControlPlane:
      enabled: true
      kubeConfig: VIRTUAL_CLUSTER_KUBECONFIG
      namespace: VIRTUAL_CLUSTER_NAMESPACE
      service: VIRTUAL_CLUSTER_SERVICE

    Replace the following:

    • VIRTUAL_CLUSTER_KUBECONFIG: the location of the remote virtual cluster's kubeconfig file
      • Store the kubeconfig in a Secret or ConfigMap.
      • Mount the Secret or ConfigMap as a Volume available to the virtual cluster.
      • Configure the Volume as a VolumeMount in the syncer.
    • VIRTUAL_CLUSTER_NAMESPACE: the remote virtual cluster's namespace
    • VIRTUAL_CLUSTER_SERVICE: the remote vCluster Service name
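The three kubeconfig steps above, as an added example that is not part of the vCluster documentation: a Secret holding the kubeconfig, and the volume wiring that exposes it read-only to the syncer. The Secret name, namespace, key and mount path are hypothetical, and the `controlPlane.statefulSet.persistence.addVolumes` / `addVolumeMounts` keys are an assumption about the vcluster.yaml schema; the `isolatedControlPlane` block is placed as this page shows it.

```yaml
# File 1: Kubernetes manifest, applied in the control plane cluster in the
# namespace where the second virtual cluster is installed.
# All names below are hypothetical placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: workload-kubeconfig
  namespace: team-a-vcluster
type: Opaque
stringData:
  config: |
    # paste the remote (headless) virtual cluster's kubeconfig here
---
# File 2: vcluster.yaml for the second virtual cluster.
controlPlane:
  statefulSet:
    persistence:
      # Assumed schema keys: extra volume and mount for the syncer container.
      addVolumes:
        - name: workload-kubeconfig
          secret:
            secretName: workload-kubeconfig
      addVolumeMounts:
        - name: workload-kubeconfig
          mountPath: /etc/workload-kubeconfig
          readOnly: true
isolatedControlPlane:
  enabled: true
  # Path = mountPath + the Secret key ("config") defined above.
  kubeConfig: /etc/workload-kubeconfig/config
  namespace: VIRTUAL_CLUSTER_NAMESPACE
  service: VIRTUAL_CLUSTER_SERVICE
```

A Secret is used here rather than a ConfigMap because the kubeconfig carries credentials for the workload cluster; restrict read access to that Secret with RBAC accordingly.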

    Config reference

    isolatedControlPlane required object

    IsolatedControlPlane is a feature to run the vCluster control plane in a different Kubernetes cluster than the workloads themselves.

    enabled required boolean

    Enabled specifies if the isolated control plane feature should be enabled.

    headless required boolean (default: false)

    Headless states that Helm should deploy the vCluster in headless mode for the isolated control plane.

    kubeConfig required string

    KubeConfig is the path to the remote workload cluster's kubeconfig.

    namespace required string

    Namespace is the namespace into which the workloads are synced.

    service required string

    Service is the vCluster service in the remote cluster.