Version: main 🚧

Control node IP visibility

Limited vCluster Tenancy Configuration Support

This feature is only available when using the following worker node types:

  • Host Nodes
    When vCluster syncs real nodes from the host cluster, it obfuscates node IP addresses by default. This behavior protects sensitive information in multi-tenant environments while still providing node features.

    Node IP obfuscation provides several benefits:

    • Security: Prevents exposure of host cluster network topology in multi-tenant environments.
    • Privacy: Protects sensitive infrastructure information from virtual cluster users.
    • Isolation: Maintains logical separation between virtual and host clusters.

    Default behavior

    By default, when you enable real node syncing:

    Enable real node syncing
    sync:
      fromHost:
        nodes:
          enabled: true

    vCluster automatically replaces the actual node IP addresses with obfuscated values. For example, if a host node has IP 192.168.1.100, it appears in the virtual cluster with a generated IP like 10.0.0.1.

    Control IP visibility with patches

    Enterprise-Only Feature

    This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

    Remove IP information completely

    To remove IP addresses entirely from synced nodes:

    Remove IP addresses
    sync:
      fromHost:
        nodes:
          enabled: true
          patches:
            - path: status.addresses
              expression: |
                []

    Advanced node information control

    You can use patches to control other sensitive node information beyond IP addresses:

    Hide system information

    Hide system information
    sync:
      fromHost:
        nodes:
          enabled: true
          patches:
            - path: status.nodeInfo.bootID
              expression: '""'
            - path: status.nodeInfo.systemUUID
              expression: '""'
            - path: status.nodeInfo.machineID
              expression: '""'

    Selective field obfuscation

    Selective obfuscation
    sync:
      fromHost:
        nodes:
          enabled: true
          patches:
            - path: status.nodeInfo.osImage
              expression: '"Linux"'
            - path: status.nodeInfo.kernelVersion
              expression: '"Hidden"'

    Use node selectors

    When using node selectors with obfuscated IPs, focus on labels rather than IP-based selection:

    Node selector with labels
    sync:
      fromHost:
        nodes:
          enabled: true
          selector:
            labels:
              node-role.kubernetes.io/worker: "true"
              environment: "production"

    This approach ensures your workloads can still be scheduled appropriately without relying on specific IP addresses.

    Troubleshoot node IP issues

    Verify obfuscation

    To check if IP obfuscation is working:

    1. Compare node information between host and virtual clusters:

       Check host cluster node
       kubectl get nodes -o wide

       Check virtual cluster node
       vcluster connect my-vcluster -- kubectl get nodes -o wide

    2. Inspect node details:

       Inspect node details
       vcluster connect my-vcluster -- kubectl describe node <node-name>
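
The comparison above can be automated. The following is an added example, not part of the vCluster documentation: it takes the JSON from `kubectl get nodes -o json` on the host cluster and on the virtual cluster and lists every host IP address or nodeInfo identifier that is still visible to tenants. The node data and the helper names (`host_values`, `find_leaks`, `node_list`) are constructed for illustration.

```python
import json

# Identifiers the patches on this page blank out, plus IP-type addresses.
NODE_INFO_FIELDS = ("bootID", "systemUUID", "machineID")
IP_TYPES = ("InternalIP", "ExternalIP")

def host_values(host_nodes):
    """Map each sensitive value on the host's nodes to the field path it came from."""
    known = {}
    for node in host_nodes.get("items", []):
        status = node.get("status") or {}
        for addr in status.get("addresses") or []:
            if addr.get("type") in IP_TYPES and addr.get("address"):
                known[addr["address"]] = "status.addresses"
        for field in NODE_INFO_FIELDS:
            value = (status.get("nodeInfo") or {}).get(field)
            if value:
                known[value] = "status.nodeInfo." + field
    return known

def find_leaks(host_nodes, virtual_nodes):
    """Return sorted (virtual node, host field path, value) for host values seen in the virtual cluster."""
    known = host_values(host_nodes)
    leaks = set()
    for node in virtual_nodes.get("items", []):
        name = node["metadata"]["name"]
        status = node.get("status") or {}
        seen = [a.get("address") for a in status.get("addresses") or []]
        seen += [(status.get("nodeInfo") or {}).get(f) for f in NODE_INFO_FIELDS]
        leaks.update((name, known[v], v) for v in seen if v in known)
    return sorted(leaks)

def node_list(ip, ids):
    """Build a one-node NodeList (constructed sample data, not real cluster output)."""
    addresses = [{"type": "InternalIP", "address": ip}] if ip else []
    return {"items": [{"metadata": {"name": "node-a"},
                       "status": {"addresses": addresses, "nodeInfo": ids}}]}

# Constructed samples; real input would be json.load() of `kubectl get nodes -o json`.
HOST_IDS = {"bootID": "boot-1111", "systemUUID": "uuid-2222", "machineID": "mach-3333"}
HOST = node_list("192.168.1.100", HOST_IDS)
IP_ONLY = node_list("10.0.0.1", HOST_IDS)  # IP replaced, nodeInfo identical to host
PATCHED = node_list(None, {"bootID": "", "systemUUID": "", "machineID": ""})

if __name__ == "__main__":
    for label, view in (("ip-only", IP_ONLY), ("patched", PATCHED)):
        print(label, json.dumps(find_leaks(HOST, view)))
```

An empty result means none of the host's IPs or nodeInfo identifiers appear in the virtual cluster's node objects; any entry names the field to patch.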

    Common issues

    • Networking problems: Some network policies or CNI plugins may require real IP addresses. Test thoroughly when modifying IP obfuscation.
    • Monitoring tools: Tools that rely on node IPs may need adjustment when IPs are obfuscated.
    • Service discovery: Services that use node IPs directly may require alternative approaches.

    Best practices

    • Default to obfuscation: Keep IP obfuscation enabled unless you have specific requirements for real IPs.
    • Use labels: Rely on node labels rather than IPs for workload scheduling and management.
    • Document changes: Clearly document any modifications to default obfuscation behavior.
    • Test thoroughly: Verify that your applications work correctly with obfuscated IPs before production deployment.