Skip to main content

Sync Patches

Sync Patches can patch any Kubernetes resource (e.g. Deployments, Secrets, Service Accounts, etc.) during synchronization and right before they are applied to the Kubernetes API server. It can be used to remove sensitive information before being written to the host cluster or the vCluster. It can also add additional information to a resource, such as labels and annotations on all resources belonging to a tenant, for example.

Hook Syntax

Sync Patches consist of hooks that specify Kubernetes resources to patch. You can specify the resource group, API version, and resource kind and then the verbs for which API calls to patch. The actual patches can be specified using operations like add, remove replace and copyFromObject.

To configure sync patches, you can define hooks in the syncer generic sync configuration of the vCluster config.

version: v1beta1
hooks:
  hostToVirtual: []
  virtualToHost: []

# Generic Sync Configs
export: []
import: []

The apiVersion field expects a "group/version" definition of both the resource group and API version. The kind field specifies which Kubernetes resources to patch. The verbs field defines the API calls to patch before application to the Kubernetes API. The patches reuse the same syntax as the patches utilized in generic sync.

version: v1beta1
hooks:
  hostToVirtual:
    - apiVersion: v1
      kind: Pod

      patches:
        - op: add
          path: metadata.annotations
          value:
            import-annotation: from-host-to-virtual

  virtualToHost: []

# Generic Sync Configs
export: []
import: []

Example - Node Info Remover

The example below removes all .status.images and all .metadata.annotations except the node.alpha.kubernetes.io/ttl annotation, as well as all labels except some kubernetes.io labels.

version: v1beta1
hooks:
  hostToVirtual:
    - apiVersion: v1
      kind: Node

      verbs: ["update", "patch", "create", "get", "list"]

      patches:
        - op: remove
          path: status.images
        - op: replace
          path: metadata.annotations
          value: {}
        - op: replace
          path: metadata.labels
          value: {}
        - op: copyFromObject
          fromPath: metadata.annotations["node.alpha.kubernetes.io/ttl"]
          path: metadata.annotations["node.alpha.kubernetes.io/ttl"]

        # Add arch labels
        - op: copyFromObject
          fromPath: metadata.labels["kubernetes.io/arch"]
          path: metadata.labels["kubernetes.io/arch"]
        - op: copyFromObject
          fromPath: metadata.labels["kubernetes.io/hostname"]
          path: metadata.labels["kubernetes.io/hostname"]
        - op: copyFromObject
          fromPath: metadata.labels["kubernetes.io/os"]
          path: metadata.labels["kubernetes.io/os"]
        - op: copyFromObject
          fromPath: metadata.labels["beta.kubernetes.io/arch"]
          path: metadata.labels["beta.kubernetes.io/arch"]
        - op: copyFromObject
          fromPath: metadata.labels["beta.kubernetes.io/hostname"]
          path: metadata.labels["beta.kubernetes.io/hostname"]
        - op: copyFromObject
          fromPath: metadata.labels["beta.kubernetes.io/os"]
          path: metadata.labels["beta.kubernetes.io/os"]

  virtualToHost: []

Usage in Pro Helm Chart

When installing vCluster.Pro, make sure to set your generic sync configs in the sync.generic.config field as string.

For example by either inlining it during helm install/upgrade

helm upgrade [RELEASE_NAME] loft-sh/vcluster -n [RELEASE_NAMESPACE] \
  --create-namespace --install --set pro=true --set sync.generic.config="..."

Or by specifying it in a dedicated values.yaml

sync:
  generic:
   config: |
     version: v1beta1
     hooks:
       hostToVirtual:
       ...
Last updated on