
Deploy in Rootless mode

Many Kubernetes cluster operators employ policies that restrict the use of certain features, for example running pods as the root user. This page shows which vCluster configuration options let you deploy vCluster successfully in such restricted host clusters.

Running as non-root user

If your host cluster policies disallow running containers as the root user, or you simply prefer to run them this way, you can configure the vCluster components accordingly. The steps below show how to set the desired UID for the syncer and the control plane. The syncer also passes this UID down to the vCluster DNS deployment.

Create a vcluster.yaml file with the following lines:

controlPlane:
  statefulSet:
    security:
      podSecurityContext:
        fsGroup: 12345
      containerSecurityContext:
        runAsUser: 12345
        runAsNonRoot: true

Then create the vCluster with the following command:

vcluster create my-vcluster -f vcluster.yaml

Values of the securityContext fields

You can substitute the runAsUser value as needed, for example if the host cluster limits the allowable UID ranges, and you are free to set other securityContext fields as necessary to satisfy your host cluster policies.
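The following script is an added example and not part of the vCluster documentation or the project's own code. It reads a vcluster.yaml with the layout shown above (controlPlane > statefulSet > security > podSecurityContext / containerSecurityContext) and checks it against a host-cluster policy before you run vcluster create: runAsNonRoot must be true, runAsUser must be set, non-zero and inside an allowed UID range, and fsGroup must be set so volumes stay writable for the non-root UID. The allowed UID range (10000-20000) is a constructed placeholder standing in for whatever your host cluster enforces; the small YAML reader only understands nested "key: value" mappings, which is all this file uses.

```python
"""Policy pre-check for a non-root vCluster control-plane configuration.

Added example (not vCluster's own code). Assumes the vcluster.yaml layout
from the docs page and a constructed allowed UID range supplied by the caller.
"""

# The exact vcluster.yaml from the page, embedded here as sample input.
PAGE_CONFIG = """\
controlPlane:
  statefulSet:
    security:
      podSecurityContext:
        fsGroup: 12345
      containerSecurityContext:
        runAsUser: 12345
        runAsNonRoot: true
"""

# Constructed counter-example: explicitly root, no runAsNonRoot, no fsGroup.
BAD_CONFIG = """\
controlPlane:
  statefulSet:
    security:
      containerSecurityContext:
        runAsUser: 0
"""


def _coerce(value):
    """Turn YAML scalars 'true'/'false' and integers into Python values."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    try:
        return int(value)
    except ValueError:
        return value


def parse_simple_yaml(text):
    """Parse indented 'key: value' mappings (no lists, no quoting).

    Sufficient for the securityContext fragment on this page; it is not a
    general YAML parser.
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        # Pop back to the mapping that owns this indentation level.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _coerce(value)
    return root


def check_nonroot(config, uid_min, uid_max):
    """Return a list of policy findings; an empty list means the config passes."""
    findings = []
    security = (config.get("controlPlane", {})
                      .get("statefulSet", {})
                      .get("security", {}))
    pod = security.get("podSecurityContext", {})
    container = security.get("containerSecurityContext", {})

    if container.get("runAsNonRoot") is not True:
        findings.append("containerSecurityContext.runAsNonRoot must be true")

    uid = container.get("runAsUser")
    if uid is None:
        findings.append("containerSecurityContext.runAsUser is not set")
    elif uid == 0:
        findings.append("runAsUser 0 is root")
    elif not uid_min <= uid <= uid_max:
        findings.append(
            f"runAsUser {uid} is outside the allowed range {uid_min}-{uid_max}")

    if "fsGroup" not in pod:
        findings.append(
            "podSecurityContext.fsGroup is not set; volumes may be unwritable for the non-root UID")
    return findings


if __name__ == "__main__":
    # Constructed policy range; replace with the range your host cluster enforces.
    for name, text in (("page config", PAGE_CONFIG), ("bad config", BAD_CONFIG)):
        result = check_nonroot(parse_simple_yaml(text), 10000, 20000)
        print(name, "->", "OK" if not result else result)
```

Run it against the file you are about to pass to vcluster create; a non-empty result lists exactly which securityContext field would be rejected by the policy you encoded. After deployment you can confirm the effective UID of a control-plane container with kubectl exec on the pod and running id -u inside it.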

Caution: vCluster doesn't currently provide a migration path from an instance that was running as root to running with a non-root user.