Isolation
The vCluster project provides several configuration options pertaining to tenant cluster isolation and security. This section briefly covers the primary configuration options. For detailed information, see the security overview and policies configuration.
vCluster can isolate workloads by combining a Pod Security Standard, ResourceQuota, LimitRange, and NetworkPolicy. These settings are configured explicitly in vcluster.yaml.
Enable these settings in your tenant cluster or tenant cluster template values:
policies:
  podSecurityStandard: "baseline"
  limitRange:
    enabled: true
  resourceQuota:
    enabled: true
  networkPolicy:
    enabled: true
All vCluster isolation settings can be customized through the policy configuration pages.
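As an added example (not part of the vCluster project or its documentation), the following Python check audits a values file for the four isolation settings shown above. Its small parser handles only nested key/value mappings, and the function names and the sample input are assumptions made for illustration.

```python
# Added example; parse_simple_yaml reads only nested "key: value" mappings
# (not full YAML) and every function name here is hypothetical.
PSS_LEVELS = ("privileged", "baseline", "restricted")  # Kubernetes Pod Security Standards
def parse_simple_yaml(text):
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # close mappings we have dedented out of
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "key:" opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = {"true": True, "false": False}.get(value.lower(), value)
    return root

def audit_isolation(values):
    """Return findings; an empty list means all four settings are on."""
    policies = values.get("policies") or {}
    findings = []
    pss = policies.get("podSecurityStandard")
    if pss not in PSS_LEVELS:
        findings.append("podSecurityStandard is unset or not a known level")
    elif pss == "privileged":
        findings.append("podSecurityStandard 'privileged' is the unrestricted level")
    for key in ("limitRange", "resourceQuota", "networkPolicy"):
        section = policies.get(key)
        if not isinstance(section, dict) or section.get("enabled") is not True:
            findings.append(f"{key}.enabled is not true")
    return findings

# Constructed sample: resourceQuota missing, networkPolicy disabled.
SAMPLE = """
policies:
  podSecurityStandard: "baseline"
  limitRange:
    enabled: true
  networkPolicy:
    enabled: false
"""
for finding in audit_isolation(parse_simple_yaml(SAMPLE)):
    print("FINDING:", finding)
```

A clean result only confirms that the settings are present in the values file; whether the resulting network policies are enforced still depends on the CNI.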
CNIs and Network Policies
Not all CNIs support all network policies. Make sure you understand which capabilities your CNI supports when investigating tenant cluster isolation.