vcluster.yaml configuration reference
Create a virtual cluster with a config file
Configure your vCluster installation in a vcluster.yaml
configuration file. Then deploy your changes.
- vCluster CLI
- Helm
- kubectl
- Terraform
- Argo CD
- Cluster API
vcluster create --upgrade VCLUSTER_NAME -n VCLUSTER_NAMESPACE -f vcluster.yaml
Replace:
VCLUSTER_NAME
with your vCluster instance name.VCLUSTER_NAMESPACE
with the namespace where you deployed vCluster.
helm upgrade --install VCLUSTER_NAME vcluster \
--values vcluster.yaml \
--repo https://charts.loft.sh \
--namespace VCLUSTER_NAMESPACE \
--repository-config=''
Replace:
VCLUSTER_NAME
with your vCluster instance name.VCLUSTER_NAMESPACE
with the namespace where you deployed vCluster.
helm template VCLUSTER_NAME vcluster --repo https://charts.loft.sh -n VCLUSTER_NAMESPACE -f vcluster.yaml | kubectl apply -f -
Replace:
VCLUSTER_NAME
with your vCluster instance name.VCLUSTER_NAMESPACE
with the namespace where you deployed vCluster.
Apply vCluster config changes by editing the vcluster.yaml
file and running terraform plan
:
terraform plan
Review the planned changes and apply them if they look appropriate:
terraform apply
Add your vcluster.yaml
config file to the valueFiles
array in your ArgoCD Application
file.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: VCLUSTER_NAME
namespace: argocd
spec:
project: default
source:
chart: vcluster
repoURL: https://charts.loft.sh
helm:
releaseName: VCLUSTER_NAME
valueFiles:
- vcluster.yaml
destination:
server: https://kubernetes.default.svc
namespace: VCLUSTER_NAMESPACE
Replace:
VCLUSTER_NAME
with your vCluster instance name.VCLUSTER_NAMESPACE
with the namespace where you deployed vCluster.
Apply Cluster API changes by regenerating the cluster custom resource using clusterctl
.
export CLUSTER_NAME=VCLUSTER_NAME
export CLUSTER_NAMESPACE=VCLUSTER_NAMESPACE
export KUBERNETES_VERSION=1.29.3
export HELM_VALUES=$(cat vcluster.yaml)
clusterctl generate cluster ${CLUSTER_NAME} \
--infrastructure vcluster \
--kubernetes-version ${KUBERNETES_VERSION} \
--target-namespace ${CLUSTER_NAMESPACE} | kubectl apply -f -
Replace:
VCLUSTER_NAME
with your vCluster instance name.VCLUSTER_NAMESPACE
with the namespace where you deployed vCluster.
After the changes have been applied, wait for the vCluster custom resource to report a ready status:
kubectl wait --for=condition=ready vcluster -n $CLUSTER_NAMESPACE $CLUSTER_NAME --timeout=300s
Config reference
exportKubeConfig
required object pro
ExportKubeConfig describes how vCluster should export the vCluster kubeConfig file.
exportKubeConfig
required object procontext
required string pro
Context is the name of the context within the generated kubeconfig to use.
context
required string proserver
required string pro
Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.
server
required string prosecret
required object pro
Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig.
If this is not defined, vCluster create it with vc-NAME
. If you specify another name,
vCluster creates the config in this other secret.
secret
required object provc-NAME
. If you specify another name,
vCluster creates the config in this other secret.name
required string pro
Name is the name of the secret where the kubeconfig should get stored.
name
required string pronamespace
required string pro
Namespace where vCluster should store the kubeconfig secret. If this is not equal to the namespace
where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
namespace
required string prosync
required object pro
Sync describes how to sync resources from the virtual cluster to host cluster and back.
sync
required object protoHost
required object pro
Configure resources to sync from the virtual cluster to the host cluster.
toHost
required object propods
required object pro
Pods defines if pods created within the virtual cluster should get synced to the host cluster.
pods
required object proenabled
required boolean pro
Enabled defines if pod syncing should be enabled.
enabled
required boolean protranslateImage
required object pro
TranslateImage maps an image to another image that should be used instead. For example this can be used to rewrite
a certain image that is used within the virtual cluster to be another image on the host cluster
translateImage
required object proenforceTolerations
required string[] pro
EnforceTolerations will add the specified tolerations to all pods synced by the virtual cluster.
enforceTolerations
required string[] prouseSecretsForSATokens
required boolean pro
UseSecretsForSATokens will use secrets to save the generated service account tokens by virtual cluster instead of using a
pod annotation.
useSecretsForSATokens
required boolean prorewriteHosts
required object pro
RewriteHosts is a special option needed to rewrite statefulset containers to allow the correct FQDN. virtual cluster will add
a small container to each stateful set pod that will initially rewrite the /etc/hosts file to match the FQDN expected by
the virtual cluster.
rewriteHosts
required object prosecrets
required object pro
Secrets defines if secrets created within the virtual cluster should get synced to the host cluster.
secrets
required object proconfigMaps
required object pro
ConfigMaps defines if config maps created within the virtual cluster should get synced to the host cluster.
configMaps
required object proingresses
required object pro
Ingresses defines if ingresses created within the virtual cluster should get synced to the host cluster.
ingresses
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean proservices
required object pro
Services defines if services created within the virtual cluster should get synced to the host cluster.
services
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean proendpoints
required object pro
Endpoints defines if endpoints created within the virtual cluster should get synced to the host cluster.
endpoints
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean pronetworkPolicies
required object pro
NetworkPolicies defines if network policies created within the virtual cluster should get synced to the host cluster.
networkPolicies
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean propersistentVolumeClaims
required object pro
PersistentVolumeClaims defines if persistent volume claims created within the virtual cluster should get synced to the host cluster.
persistentVolumeClaims
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean propersistentVolumes
required object pro
PersistentVolumes defines if persistent volumes created within the virtual cluster should get synced to the host cluster.
persistentVolumes
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean provolumeSnapshots
required object pro
VolumeSnapshots defines if volume snapshots created within the virtual cluster should get synced to the host cluster.
volumeSnapshots
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean prostorageClasses
required object pro
StorageClasses defines if storage classes created within the virtual cluster should get synced to the host cluster.
storageClasses
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean proserviceAccounts
required object pro
ServiceAccounts defines if service accounts created within the virtual cluster should get synced to the host cluster.
serviceAccounts
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean profromHost
required object pro
Configure what resources vCluster should sync from the host cluster to the virtual cluster.
fromHost
required object pronodes
required object pro
Nodes defines if nodes should get synced from the host cluster to the virtual cluster, but not back.
nodes
required object proenabled
required boolean pro
Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.
enabled
required boolean prosyncBackChanges
required boolean pro
SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled someone within the virtual cluster will be able to change the labels and taints of the host cluster node.
syncBackChanges
required boolean proclearImageStatus
required boolean pro
ClearImageStatus will erase the image status when syncing a node. This allows to hide images that are pulled by the node.
clearImageStatus
required boolean proselector
required object pro
Selector can be used to define more granular what nodes should get synced from the host cluster to the virtual cluster.
selector
required object proall
required boolean pro
All specifies if all nodes should get synced by vCluster from the host to the virtual cluster or only the ones where pods are assigned to.
all
required boolean prolabels
required object pro
Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.
labels
required object proevents
required object pro
Events defines if events should get synced from the host cluster to the virtual cluster, but not back.
events
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean proingressClasses
required object pro
IngressClasses defines if ingress classes should get synced from the host cluster to the virtual cluster, but not back.
ingressClasses
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean prostorageClasses
required object pro
StorageClasses defines if storage classes should get synced from the host cluster to the virtual cluster, but not back.
storageClasses
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean procsiNodes
required object pro
CSINodes defines if csi nodes should get synced from the host cluster to the virtual cluster, but not back.
csiNodes
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean pronetworking
required object pro
Networking options related to the virtual cluster.
networking
required object proreplicateServices
required object pro
ReplicateServices allows replicating services from the host within the virtual cluster or the other way around.
replicateServices
required object protoHost
required object[] pro
ToHost defines the services that should get synced from virtual cluster to the host cluster. If services are
synced to a different namespace than the virtual cluster is in, additional permissions for the other namespace
are required.
toHost
required object[] profromHost
required object[] pro
FromHost defines the services that should get synced from the host to the virtual cluster.
fromHost
required object[] proresolveDNS
required object[] pro
ResolveDNS allows to define extra DNS rules. This only works if embedded coredns is configured.
resolveDNS
required object[] prohostname
required string pro
Hostname is the hostname within the vCluster that should be resolved from.
hostname
required string proservice
required string pro
Service is the virtual cluster service that should be resolved from.
service
required string pronamespace
required string pro
Namespace is the virtual cluster namespace that should be resolved from.
namespace
required string protarget
required object pro
Target is the DNS target that should get mapped to
target
required object prohostname
required string pro
Hostname to use as a DNS target
hostname
required string proip
required string pro
IP to use as a DNS target
ip
required string prohostService
required string pro
HostService to target, format is hostNamespace/hostService
hostService
required string prohostNamespace
required string pro
HostNamespace to target
hostNamespace
required string provClusterService
required string pro
VClusterService format is hostNamespace/vClusterName/vClusterNamespace/vClusterService
vClusterService
required string proadvanced
required object pro
Advanced holds advanced network options.
advanced
required object proclusterDomain
required string pro
ClusterDomain is the Kubernetes cluster domain to use within the virtual cluster.
clusterDomain
required string profallbackHostCluster
required boolean pro
FallbackHostCluster allows to fallback dns to the host cluster. This is useful if you want to reach host services without
any other modification. You will need to provide a namespace for the service, e.g. my-other-service.my-other-namespace
fallbackHostCluster
required boolean proproxyKubelets
required object pro
ProxyKubelets allows rewriting certain metrics and stats from the Kubelet to "fake" this for applications such as
prometheus or other node exporters.
proxyKubelets
required object probyHostname
required boolean pro
ByHostname will add a special vCluster hostname to the nodes where the node can be reached at. This doesn't work
for all applications, e.g. Prometheus requires a node IP.
byHostname
required boolean probyIP
required boolean pro
ByIP will create a separate service in the host cluster for every node that will point to virtual cluster and will be used to
route traffic.
byIP
required boolean propolicies
required object pro
Policies to enforce for the virtual cluster deployment as well as within the virtual cluster.
policies
required object pronetworkPolicy
required object pro
NetworkPolicy specifies network policy options.
networkPolicy
required object proenabled
required boolean pro
Enabled defines if the network policy should be deployed by vCluster.
enabled
required boolean profallbackDns
required string pro
fallbackDns
required string prooutgoingConnections
required object pro
outgoingConnections
required object proipBlock
required object pro
IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
that should not be included within this rule.
ipBlock
required object procidr
required string pro
cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
cidr
required string proexcept
required string[] pro
except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range
except
required string[] proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object propodSecurityStandard
required string pro
PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged
podSecurityStandard
required string proresourceQuota
required object pro
ResourceQuota specifies resource quota options.
resourceQuota
required object proenabled
required boolean pro
Enabled defines if the resource quota should be enabled.
enabled
required boolean proquota
required object pro
Quota are the quota options
quota
required object proscopeSelector
required object pro
ScopeSelector is the resource quota scope selector
scopeSelector
required object proscopes
required string[] pro
Scopes are the resource quota scopes
scopes
required string[] proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object prolimitRange
required object pro
LimitRange specifies limit range options.
limitRange
required object proenabled
required boolean pro
Enabled defines if the limit range should be deployed by vCluster.
enabled
required boolean prodefault
required object pro
Default are the default limits for the limit range
default
required object prodefaultRequest
required object pro
DefaultRequest are the default request options for the limit range
defaultRequest
required object proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object procentralAdmission
required object pro
CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.
centralAdmission
required object provalidatingWebhooks
required object[] pro
ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster
validatingWebhooks
required object[] prokind
required string pro
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind
required string proapiVersion
required string pro
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion
required string prometadata
required object pro
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata
required object proname
required string pro
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name
required string prolabels
required object pro
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels
required object proannotations
required object pro
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations
required object prowebhooks
required object[] pro
Webhooks is a list of webhooks and the affected resources and operations.
webhooks
required object[] proname
required string pro
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name
required string proclientConfig
required object pro
ClientConfig defines how to communicate with the hook.
clientConfig
required object prourl
required string pro
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path
). Exactly one of url
or service
must be specified.
url
required string proscheme://host:port/path
). Exactly one of url
or service
must be specified.service
required object pro
Service is a reference to the service for this webhook. Either
service
or url
must be specified.
If the webhook is running within the cluster, then you should use service
.
service
required object proservice
or url
must be specified.service
.namespace
required string pro
Namespace is the namespace of the service.
namespace
required string proname
required string pro
Name is the name of the service.
name
required string propath
required string pro
Path is an optional URL path which will be sent in any request to
this service.
path
required string proport
required integer pro
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port
should be a valid port number (1-65535, inclusive).
port
required integer proport
should be a valid port number (1-65535, inclusive).caBundle
required string pro
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle
required string prorules
required object[] pro
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules
required object[] profailurePolicy
required string pro
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy
required string promatchPolicy
required string pro
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy
required string pronamespaceSelector
required object pro
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector
required object proobjectSelector
required object pro
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector
required object prosideEffects
required string pro
SideEffects states whether this webhook has side effects.
sideEffects
required string protimeoutSeconds
required integer pro
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds
required integer proadmissionReviewVersions
required string[] pro
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions
required string[] proAdmissionReview
versions the Webhook expects.matchConditions
required object[] pro
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
matchConditions
required object[] promutatingWebhooks
required object[] pro
MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster
mutatingWebhooks
required object[] prokind
required string pro
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind
required string proapiVersion
required string pro
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion
required string prometadata
required object pro
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata
required object proname
required string pro
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name
required string prolabels
required object pro
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels
required object proannotations
required object pro
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations
required object prowebhooks
required object[] pro
Webhooks is a list of webhooks and the affected resources and operations.
webhooks
required object[] proreinvocationPolicy
required string pro
reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
Allowed values are "Never" and "IfNeeded".
reinvocationPolicy
required string proname
required string pro
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name
required string proclientConfig
required object pro
ClientConfig defines how to communicate with the hook.
clientConfig
required object prourl
required string pro
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path
). Exactly one of url
or service
must be specified.
url
required string proscheme://host:port/path
). Exactly one of url
or service
must be specified.service
required object pro
Service is a reference to the service for this webhook. Either
service
or url
must be specified.
If the webhook is running within the cluster, then you should use service
.
service
required object proservice
or url
must be specified.service
.namespace
required string pro
Namespace is the namespace of the service.
namespace
required string proname
required string pro
Name is the name of the service.
name
required string propath
required string pro
Path is an optional URL path which will be sent in any request to
this service.
path
required string proport
required integer pro
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port
should be a valid port number (1-65535, inclusive).
port
required integer proport
should be a valid port number (1-65535, inclusive).caBundle
required string pro
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle
required string prorules
required object[] pro
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules
required object[] profailurePolicy
required string pro
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy
required string promatchPolicy
required string pro
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy
required string pronamespaceSelector
required object pro
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector
required object proobjectSelector
required object pro
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector
required object prosideEffects
required string pro
SideEffects states whether this webhook has side effects.
sideEffects
required string protimeoutSeconds
required integer pro
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds
required integer proadmissionReviewVersions
required string[] pro
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions
required string[] proAdmissionReview
versions the Webhook expects.matchConditions
required object[] pro
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
matchConditions
required object[] proobservability
required object pro
Observability holds options to proxy metrics from the host cluster into the virtual cluster.
observability
required object procontrolPlane
required object pro
Configure vCluster's control plane components and deployment.
controlPlane
required object prodistro
required object pro
Distro holds virtual cluster related distro options. A distro cannot be changed after vCluster is deployed.
distro
required object prok8s
required object pro
K8S holds K8s relevant configuration.
k8s
required object proenabled
required boolean pro
Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.
enabled
required boolean proapiServer
required object pro
APIServer holds configuration specific to starting the api server.
apiServer
required object proenabled
required boolean pro
Enabled signals this container should be enabled.
enabled
required boolean proimage
required object pro
Image is the distro image
image
required object proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy
required string procommand
required string[] pro
Command is the command to start the distro binary. This will override the existing command.
command
required string[] proextraArgs
required string[] pro
ExtraArgs are additional arguments to pass to the distro binary.
extraArgs
required string[] procontrollerManager
required object pro
ControllerManager holds configuration specific to starting the controller manager.
controllerManager
required object proenabled
required boolean pro
Enabled signals this container should be enabled.
enabled
required boolean proimage
required object pro
Image is the distro image
image
required object proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy
required string procommand
required string[] pro
Command is the command to start the distro binary. This will override the existing command.
command
required string[] proextraArgs
required string[] pro
ExtraArgs are additional arguments to pass to the distro binary.
extraArgs
required string[] proscheduler
required object pro
Scheduler holds configuration specific to starting the scheduler. Enable this via controlPlane.advanced.virtualScheduler.enabled
scheduler
required object proimage
required object pro
Image is the distro image
image
required object proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy
required string procommand
required string[] pro
Command is the command to start the distro binary. This will override the existing command.
command
required string[] proextraArgs
required string[] pro
ExtraArgs are additional arguments to pass to the distro binary.
extraArgs
required string[] proenv
required object[] pro
Env are extra environment variables to use for the main container and NOT the init container.
env
required object[] proresources
required object pro
Resources for the distro init container
resources
required object prosecurityContext
required object pro
Security options can be used for the distro init container
securityContext
required object prok3s
required object pro
K3S holds K3s relevant configuration.
k3s
required object proenabled
required boolean pro
Enabled specifies if the K3s distro should be enabled. Only one distro can be enabled at the same time.
enabled
required boolean protoken
required string pro
Token is the K3s token to use. If empty, vCluster will choose one.
token
required string proenv
required object[] pro
Env are extra environment variables to use for the main container and NOT the init container.
env
required object[] proresources
required object pro
Resources for the distro init container
resources
required object prosecurityContext
required object pro
Security options can be used for the distro init container
securityContext
required object proimage
required object pro
Image is the distro image
image
required object proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy
required string procommand
required string[] pro
Command is the command to start the distro binary. This will override the existing command.
command
required string[] proextraArgs
required string[] pro
ExtraArgs are additional arguments to pass to the distro binary.
extraArgs
required string[] prok0s
required object pro
K0S holds k0s relevant configuration.
k0s
required object proenabled
required boolean pro
Enabled specifies if the k0s distro should be enabled. Only one distro can be enabled at the same time.
enabled
required boolean proconfig
required string pro
Config allows you to override the k0s config passed to the k0s binary.
config
required string proenv
required object[] pro
Env are extra environment variables to use for the main container and NOT the init container.
env
required object[] proresources
required object pro
Resources for the distro init container
resources
required object prosecurityContext
required object pro
Security options can be used for the distro init container
securityContext
required object proimage
required object pro
Image is the distro image
image
required object proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy
required string procommand
required string[] pro
Command is the command to start the distro binary. This will override the existing command.
command
required string[] proextraArgs
required string[] pro
ExtraArgs are additional arguments to pass to the distro binary.
extraArgs
required string[] proeks
required object pro
EKS holds eks relevant configuration.
eks
required object proenabled
required boolean pro
Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.
enabled
required boolean proapiServer
required object pro
APIServer holds configuration specific to starting the api server.
apiServer
required object proenabled
required boolean pro
Enabled signals this container should be enabled.
enabled
required boolean proimage
required object pro
Image is the distro image
image
required object proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy
required string procommand
required string[] pro
Command is the command to start the distro binary. This will override the existing command.
command
required string[] proextraArgs
required string[] pro
ExtraArgs are additional arguments to pass to the distro binary.
extraArgs
required string[] procontrollerManager
required object pro
ControllerManager holds configuration specific to starting the controller manager.
controllerManager
required object proenabled
required boolean pro
Enabled signals this container should be enabled.
enabled
required boolean proimage
required object pro
Image is the distro image
image
required object proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy
required string procommand
required string[] pro
Command is the command to start the distro binary. This will override the existing command.
command
required string[] proextraArgs
required string[] pro
ExtraArgs are additional arguments to pass to the distro binary.
extraArgs
required string[] proscheduler
required object pro
Scheduler holds configuration specific to starting the scheduler. Enable this via controlPlane.advanced.virtualScheduler.enabled
scheduler
required object proimage
required object pro
Image is the distro image
image
required object proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy
required string procommand
required string[] pro
Command is the command to start the distro binary. This will override the existing command.
command
required string[] proextraArgs
required string[] pro
ExtraArgs are additional arguments to pass to the distro binary.
extraArgs
required string[] proenv
required object[] pro
Env are extra environment variables to use for the main container and NOT the init container.
env
required object[] proresources
required object pro
Resources for the distro init container
resources
required object prosecurityContext
required object pro
Security options can be used for the distro init container
securityContext
required object probackingStore
required object pro
BackingStore defines which backing store to use for virtual cluster. If not defined will use embedded database as a default backing store.
backingStore
required object proetcd
required object pro
Etcd defines that etcd should be used as the backend for the virtual cluster
etcd
required object proembedded
required object pro
Embedded defines to use embedded etcd as a storage backend for the virtual cluster
embedded
required object prodeploy
required object pro
Deploy defines to use an external etcd that is deployed by the helm chart
deploy
required object proenabled
required boolean pro
Enabled defines that an external etcd should be deployed.
enabled
required boolean prostatefulSet
required object pro
StatefulSet holds options for the external etcd statefulSet.
statefulSet
required object proenabled
required boolean pro
Enabled defines if the statefulSet should be deployed
enabled
required boolean proimage
required object pro
Image is the image to use for the external etcd statefulSet
image
required object proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy for the external etcd image
imagePullPolicy
required string proenv
required object[] pro
Env are extra environment variables
env
required object[] proextraArgs
required string[] pro
ExtraArgs are appended to the etcd command.
extraArgs
required string[] proresources
required object pro
Resources the etcd can consume
resources
required object propods
required object pro
Pods defines extra metadata for the etcd pods.
pods
required object prohighAvailability
required object pro
HighAvailability are high availability options
highAvailability
required object proreplicas
required integer pro
Replicas are the amount of pods to use.
replicas
required integer proscheduling
required object pro
Scheduling options for the etcd pods.
scheduling
required object pronodeSelector
required object pro
NodeSelector is the node selector to apply to the pod.
nodeSelector
required object proaffinity
required object pro
Affinity is the affinity to apply to the pod.
affinity
required object protolerations
required object[] pro
Tolerations are the tolerations to apply to the pod.
tolerations
required object[] propriorityClassName
required string pro
PriorityClassName is the priority class name for the the pod.
priorityClassName
required string propodManagementPolicy
required string pro
PodManagementPolicy is the statefulSet pod management policy.
podManagementPolicy
required string protopologySpreadConstraints
required object[] pro
TopologySpreadConstraints are the topology spread constraints for the pod.
topologySpreadConstraints
required object[] prosecurity
required object pro
Security options for the etcd pods.
security
required object propersistence
required object pro
Persistence options for the etcd pods.
persistence
required object provolumeClaim
required object pro
VolumeClaim can be used to configure the persistent volume claim.
volumeClaim
required object proenabled
required boolean pro
Enabled enables deploying a persistent volume claim.
enabled
required boolean proaccessModes
required string[] pro
AccessModes are the persistent volume claim access modes.
accessModes
required string[] proretentionPolicy
required string pro
RetentionPolicy is the persistent volume claim retention policy.
retentionPolicy
required string prosize
required string pro
Size is the persistent volume claim storage size.
size
required string prostorageClass
required string pro
StorageClass is the persistent volume claim storage class.
storageClass
required string provolumeClaimTemplates
required object[] pro
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
volumeClaimTemplates
required object[] proaddVolumes
required object[] pro
AddVolumes defines extra volumes for the pod
addVolumes
required object[] proaddVolumeMounts
required object[] pro
AddVolumeMounts defines extra volume mounts for the container
addVolumeMounts
required object[] proname
required string pro
This must match the Name of a Volume.
name
required string proreadOnly
required boolean pro
Mounted read-only if true, read-write otherwise (false or unspecified).
Defaults to false.
readOnly
required boolean promountPath
required string pro
Path within the container at which the volume should be mounted. Must
not contain ':'.
mountPath
required string prosubPath
required string pro
Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
subPath
required string promountPropagation
required string pro
mountPropagation determines how mounts are propagated from the host
to container and the other way around.
When not set, MountPropagationNone is used.
This field is beta in 1.10.
mountPropagation
required string prosubPathExpr
required string pro
Expanded path within the volume from which the container's volume should be mounted.
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
Defaults to "" (volume's root).
SubPathExpr and SubPath are mutually exclusive.
subPathExpr
required string proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object proservice
required object pro
Service holds options for the external etcd service.
service
required object proheadlessService
required object pro
HeadlessService holds options for the external etcd headless service.
headlessService
required object prodatabase
required object pro
Database defines that a database backend should be used as the backend for the virtual cluster. This uses a project called kine under the hood which is a shim for bridging Kubernetes and relational databases.
database
required object proembedded
required object pro
Embedded defines that an embedded database (sqlite) should be used as the backend for the virtual cluster
embedded
required object proenabled
required boolean pro
Enabled defines if the database should be used.
enabled
required boolean prodataSource
required string pro
DataSource is the kine dataSource to use for the database. This depends on the database format.
This is optional for the embedded database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/k3s
- postgres: postgres://username:password@hostname:5432/k3s
dataSource
required string prokeyFile
required string pro
KeyFile is the key file to use for the database. This is optional.
keyFile
required string procertFile
required string pro
CertFile is the cert file to use for the database. This is optional.
certFile
required string procaFile
required string pro
CaFile is the ca file to use for the database. This is optional.
caFile
required string proexternal
required object pro
External defines that an external database should be used as the backend for the virtual cluster
external
required object proenabled
required boolean pro
Enabled defines if the database should be used.
enabled
required boolean prodataSource
required string pro
DataSource is the kine dataSource to use for the database. This depends on the database format.
This is optional for the embedded database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/k3s
- postgres: postgres://username:password@hostname:5432/k3s
dataSource
required string prokeyFile
required string pro
KeyFile is the key file to use for the database. This is optional.
keyFile
required string procertFile
required string pro
CertFile is the cert file to use for the database. This is optional.
certFile
required string procaFile
required string pro
CaFile is the ca file to use for the database. This is optional.
caFile
required string procoredns
required object pro
CoreDNS defines everything related to the coredns that is deployed and used within the vCluster.
coredns
required object proenabled
required boolean pro
Enabled defines if coredns is enabled
enabled
required boolean proembedded
required boolean pro
Embedded defines if vCluster will start the embedded coredns service within the control-plane and not as a separate deployment. This is a PRO feature.
embedded
required boolean proservice
required object pro
Service holds extra options for the coredns service deployed within the virtual cluster
service
required object prodeployment
required object pro
Deployment holds extra options for the coredns deployment deployed within the virtual cluster
deployment
required object proimage
required string pro
Image is the coredns image to use
image
required string proreplicas
required integer pro
Replicas is the amount of coredns pods to run.
replicas
required integer pronodeSelector
required object pro
NodeSelector is the node selector to use for coredns.
nodeSelector
required object proresources
required object pro
Resources are the desired resources for coredns.
resources
required object propods
required object pro
Pods is additional metadata for the coredns pods.
pods
required object proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object prooverwriteConfig
required string pro
OverwriteConfig can be used to overwrite the coredns config
overwriteConfig
required string prooverwriteManifests
required string pro
OverwriteManifests can be used to overwrite the coredns manifests used to deploy coredns
overwriteManifests
required string proproxy
required object pro
Proxy defines options for the virtual cluster control plane proxy that is used to do authentication and intercept requests.
proxy
required object probindAddress
required string pro
BindAddress under which vCluster will expose the proxy.
bindAddress
required string proport
required integer pro
Port under which vCluster will expose the proxy. Changing port is currently not supported.
port
required integer proextraSANs
required string[] pro
ExtraSANs are extra hostnames to sign the vCluster proxy certificate for.
extraSANs
required string[] prohostPathMapper
required object pro
HostPathMapper defines if vCluster should rewrite host paths.
hostPathMapper
required object proingress
required object pro
Ingress defines options for vCluster ingress deployed by Helm.
ingress
required object proenabled
required boolean pro
Enabled defines if the control plane ingress should be enabled
enabled
required boolean prohost
required string pro
Host is the host where vCluster will be reachable
host
required string propathType
required string pro
PathType is the path type of the ingress
pathType
required string prospec
required object pro
Spec allows you to configure extra ingress options.
spec
required object proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object proservice
required object pro
Service defines options for vCluster service deployed by Helm.
service
required object proenabled
required boolean pro
Enabled defines if the control plane service should be enabled
enabled
required boolean prospec
required object pro
Spec allows you to configure extra service options.
spec
required object prokubeletNodePort
required integer pro
KubeletNodePort is the node port where the fake kubelet is exposed. Defaults to 0.
kubeletNodePort
required integer prohttpsNodePort
required integer pro
HTTPSNodePort is the node port where https is exposed. Defaults to 0.
httpsNodePort
required integer proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object prostatefulSet
required object pro
StatefulSet defines options for vCluster statefulSet deployed by Helm.
statefulSet
required object prohighAvailability
required object pro
HighAvailability holds options related to high availability.
highAvailability
required object proreplicas
required integer pro
Replicas is the amount of replicas to use for the statefulSet.
replicas
required integer proleaseDuration
required integer pro
LeaseDuration is the time to lease for the leader.
leaseDuration
required integer prorenewDeadline
required integer pro
RenewDeadline is the deadline to renew a lease for the leader.
renewDeadline
required integer proretryPeriod
required integer pro
RetryPeriod is the time until a replica will retry to get a lease.
retryPeriod
required integer proresources
required object pro
Resources are the resource requests and limits for the statefulSet container.
resources
required object proscheduling
required object pro
Scheduling holds options related to scheduling.
scheduling
required object pronodeSelector
required object pro
NodeSelector is the node selector to apply to the pod.
nodeSelector
required object proaffinity
required object pro
Affinity is the affinity to apply to the pod.
affinity
required object protolerations
required object[] pro
Tolerations are the tolerations to apply to the pod.
tolerations
required object[] propriorityClassName
required string pro
PriorityClassName is the priority class name for the the pod.
priorityClassName
required string propodManagementPolicy
required string pro
PodManagementPolicy is the statefulSet pod management policy.
podManagementPolicy
required string protopologySpreadConstraints
required object[] pro
TopologySpreadConstraints are the topology spread constraints for the pod.
topologySpreadConstraints
required object[] prosecurity
required object pro
Security defines pod or container security context.
security
required object proprobes
required object pro
Probes enables or disables the main container probes.
probes
required object prolivenessProbe
required object pro
LivenessProbe specifies if the liveness probe for the container should be enabled
livenessProbe
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean propersistence
required object pro
Persistence defines options around persistence for the statefulSet.
persistence
required object provolumeClaim
required object pro
VolumeClaim can be used to configure the persistent volume claim.
volumeClaim
required object proenabled
required string|boolean pro
Enabled enables deploying a persistent volume claim. If auto, vCluster will automatically determine
based on the chosen distro and other options if this is required.
enabled
required string|boolean proaccessModes
required string[] pro
AccessModes are the persistent volume claim access modes.
accessModes
required string[] proretentionPolicy
required string pro
RetentionPolicy is the persistent volume claim retention policy.
retentionPolicy
required string prosize
required string pro
Size is the persistent volume claim storage size.
size
required string prostorageClass
required string pro
StorageClass is the persistent volume claim storage class.
storageClass
required string provolumeClaimTemplates
required object[] pro
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
volumeClaimTemplates
required object[] proaddVolumes
required object[] pro
AddVolumes defines extra volumes for the pod
addVolumes
required object[] proaddVolumeMounts
required object[] pro
AddVolumeMounts defines extra volume mounts for the container
addVolumeMounts
required object[] proname
required string pro
This must match the Name of a Volume.
name
required string proreadOnly
required boolean pro
Mounted read-only if true, read-write otherwise (false or unspecified).
Defaults to false.
readOnly
required boolean promountPath
required string pro
Path within the container at which the volume should be mounted. Must
not contain ':'.
mountPath
required string prosubPath
required string pro
Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
subPath
required string promountPropagation
required string pro
mountPropagation determines how mounts are propagated from the host
to container and the other way around.
When not set, MountPropagationNone is used.
This field is beta in 1.10.
mountPropagation
required string prosubPathExpr
required string pro
Expanded path within the volume from which the container's volume should be mounted.
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
Defaults to "" (volume's root).
SubPathExpr and SubPath are mutually exclusive.
subPathExpr
required string proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object propods
required object pro
Additional labels or annotations for the statefulSet pods.
pods
required object proimage
required object pro
Image is the image for the controlPlane statefulSet container
image
required object prorepository
required string pro
Configure the registry and repository of the container image, e.g. my-registry.com/my-repo/my-image.
It defaults to the vCluster pro repository that includes the optional pro modules that are turned off by default.
If you still want to use the pure OSS build, use 'ghcr.io/loft-sh/vcluster-oss' instead.
repository
required string protag
required string pro
Tag is the tag of the container image, e.g. latest
tag
required string proimagePullPolicy
required string pro
ImagePullPolicy is the policy how to pull the image.
imagePullPolicy
required string proworkingDir
required string pro
WorkingDir specifies in what folder the main process should get started.
workingDir
required string procommand
required string[] pro
Command allows you to override the main command.
command
required string[] proargs
required string[] pro
Args allows you to override the main arguments.
args
required string[] proenv
required object[] pro
Env are additional environment variables for the statefulSet container.
env
required object[] proserviceMonitor
required object pro
ServiceMonitor can be used to automatically create a service monitor for vCluster deployment itself.
serviceMonitor
required object proadvanced
required object pro
Advanced holds additional configuration for the vCluster control plane.
advanced
required object prodefaultImageRegistry
required string pro
DefaultImageRegistry will be used as a prefix for all internal images deployed by vCluster or Helm. This makes it easy to
upload all required vCluster images to a single private repository and set this value. Workload images are not affected by this.
defaultImageRegistry
required string provirtualScheduler
required object pro
VirtualScheduler defines if a scheduler should be used within the virtual cluster or the scheduling decision for workloads will be made by the host cluster.
virtualScheduler
required object proenabled
required boolean pro
Enabled defines if this option should be enabled.
enabled
required boolean proserviceAccount
required object pro
ServiceAccount specifies options for the vCluster control plane service account.
serviceAccount
required object proenabled
required boolean pro
Enabled specifies if the service account should get deployed.
enabled
required boolean proname
required string pro
Name specifies what name to use for the service account.
name
required string proimagePullSecrets
required object[] pro
ImagePullSecrets defines extra image pull secrets for the service account.
imagePullSecrets
required object[] proname
required string pro
Name of the image pull secret to use.
name
required string proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object proworkloadServiceAccount
required object pro
WorkloadServiceAccount specifies options for the service account that will be used for the workloads that run within the virtual cluster.
workloadServiceAccount
required object proenabled
required boolean pro
Enabled specifies if the service account for the workloads should get deployed.
enabled
required boolean proname
required string pro
Name specifies what name to use for the service account for the virtual cluster workloads.
name
required string proimagePullSecrets
required object[] pro
ImagePullSecrets defines extra image pull secrets for the workload service account.
imagePullSecrets
required object[] proname
required string pro
Name of the image pull secret to use.
name
required string proannotations
required object pro
Annotations are extra annotations for this resource.
annotations
required object prolabels
required object pro
Labels are extra labels for this resource.
labels
required object proheadlessService
required object pro
HeadlessService specifies options for the headless service used for the vCluster StatefulSet.
headlessService
required object prorbac
required object pro
RBAC options for the virtual cluster.
rbac
required object prorole
required object pro
Role holds virtual cluster role configuration
role
required object proclusterRole
required object pro
ClusterRole holds virtual cluster cluster role configuration
clusterRole
required object proenabled
required string|boolean pro
Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.
enabled
required string|boolean proextraRules
required object[] pro
ExtraRules will add rules to the cluster role.
extraRules
required object[] prooverwriteRules
required object[] pro
OverwriteRules will overwrite the cluster role rules completely.
overwriteRules
required object[] proplugins
required <plugin_name>:object pro
Define which vCluster plugins to load.
plugins
required <plugin_name>:object proname
required string pro
Name is the name of the init-container and NOT the plugin name
name
required string proimage
required string pro
Image is the container image that should be used for the plugin
image
required string proimagePullPolicy
required string pro
ImagePullPolicy is the pull policy to use for the container image
imagePullPolicy
required string proconfig
required object pro
Config is the plugin config to use. This can be arbitrary config used for the plugin.
config
required object prorbac
required object pro
RBAC holds additional rbac configuration for the plugin
rbac
required object prorole
required object pro
Role holds extra virtual cluster role permissions for the plugin
role
required object proextraRules
required object[] pro
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
extraRules
required object[] proverbs
required string[] pro
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
verbs
required string[] proapiGroups
required string[] pro
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
apiGroups
required string[] proresources
required string[] pro
Resources is a list of resources this rule applies to. '*' represents all resources.
resources
required string[] proresourceNames
required string[] pro
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
resourceNames
required string[] prononResourceURLs
required string[] pro
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
nonResourceURLs
required string[] proclusterRole
required object pro
ClusterRole holds extra virtual cluster cluster role permissions required for the plugin
clusterRole
required object proextraRules
required object[] pro
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
extraRules
required object[] proverbs
required string[] pro
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
verbs
required string[] proapiGroups
required string[] pro
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
apiGroups
required string[] proresources
required string[] pro
Resources is a list of resources this rule applies to. '*' represents all resources.
resources
required string[] proresourceNames
required string[] pro
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
resourceNames
required string[] prononResourceURLs
required string[] pro
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
nonResourceURLs
required string[] procommand
required string[] pro
Command is the command that should be used for the init container
command
required string[] proargs
required string[] pro
Args are the arguments that should be used for the init container
args
required string[] prosecurityContext
required object pro
SecurityContext is the container security context used for the init container
securityContext
required object proresources
required object pro
Resources are the container resources used for the init container
resources
required object provolumeMounts
required object[] pro
VolumeMounts are extra volume mounts for the init container
volumeMounts
required object[] proplatform
required object pro
Platform holds options for connecting to vCluster Platform.
platform
required object proapiKey
required object pro
APIKey defines how vCluster can find the api key used for the platform.
apiKey
required object provalue
required string pro
Value specifies the api key as a regular text value.
value
required string prosecretRef
required object pro
SecretRef defines where to find the platform api key. By default vCluster will search in the following locations in this precedence:
- platform.apiKey.value
- environment variable called LICENSE
- secret specified under platform.secret.name
- secret called "vcluster-platform-api-key" in the vCluster namespace
secretRef
required object proname
required string pro
Name is the name of the secret where the platform api key is stored. This defaults to vcluster-platform-api-key if undefined.
name
required string pronamespace
required string pro
Namespace defines the namespace where the api key secret should be retrieved from. If this is not equal to the namespace
where the vCluster instance is deployed, you need to make sure vCluster has access to this other namespace.
namespace
required string proname
required string pro
Name is the name of the vCluster instance in the vCluster platform
name
required string proowner
required object pro
Owner is the desired owner of the vCluster instance within the vCluster platform. If empty will take the current user.
owner
required object proproject
required string pro
Project is the project within the platform where the vCluster instance should connect.
project
required string proexperimental
required object pro
Experimental features for vCluster. Configuration here might change, so be careful with this.
experimental
required object prodeploy
required object pro
Deploy allows you to configure manifests and Helm charts to deploy within the virtual cluster.
deploy
required object promanifests
required string pro
Manifests are raw Kubernetes manifests that should get applied within the virtual cluster.
manifests
required string promanifestsTemplate
required string pro
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the virtual cluster.
manifestsTemplate
required string prohelm
required object[] pro
Helm are Helm charts that should get deployed into the virtual cluster
helm
required object[] prochart
required object pro
Chart defines what chart should get deployed.
chart
required object prorelease
required object pro
Release defines what release should get deployed.
release
required object provalues
required string pro
Values defines what values should get used.
values
required string protimeout
required string pro
Timeout defines the timeout for Helm
timeout
required string probundle
required string pro
Bundle allows to compress the Helm chart and specify this instead of an online chart
bundle
required string prosyncSettings
required object pro
SyncSettings are advanced settings for the syncer controller.
syncSettings
required object prodisableSync
required boolean pro
DisableSync will not sync any resources and disable most control plane functionality.
disableSync
required boolean prorewriteKubernetesService
required boolean pro
RewriteKubernetesService will rewrite the Kubernetes service to point to the vCluster service if disableSync is enabled
rewriteKubernetesService
required boolean protargetNamespace
required string pro
TargetNamespace is the namespace where the workloads should get synced to.
targetNamespace
required string prosetOwner
required boolean pro
SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.
setOwner
required boolean prosyncLabels
required string[] pro
SyncLabels are labels that should get not rewritten when syncing from the virtual cluster.
syncLabels
required string[] prohostMetricsBindAddress
required string pro
HostMetricsBindAddress is the bind address for the local manager
hostMetricsBindAddress
required string provirtualMetricsBindAddress
required string pro
VirtualMetricsBindAddress is the bind address for the virtual manager
virtualMetricsBindAddress
required string progenericSync
required object pro
GenericSync holds options to generically sync resources from virtual cluster to host.
genericSync
required object proversion
required string pro
Version is the config version
version
required string proexport
required object[] pro
Exports syncs a resource from the virtual cluster to the host
export
required object[] proapiVersion
required string pro
APIVersion of the object to sync
apiVersion
required string prokind
required string pro
Kind of the object to sync
kind
required string prooptional
required boolean pro
optional
required boolean proreplaceOnConflict
required boolean pro
ReplaceWhenInvalid determines if the controller should try to recreate the object
if there is a problem applying
replaceOnConflict
required boolean propatches
required object[] pro
Patches are the patches to apply on the virtual cluster objects
when syncing them from the host cluster
patches
required object[] proop
required string pro
Operation is the type of the patch
op
required string profromPath
required string pro
FromPath is the path from the other object
fromPath
required string propath
required string pro
Path is the path of the patch
path
required string pronamePath
required string pro
NamePath is the path to the name of a child resource within Path
namePath
required string pronamespacePath
required string pro
NamespacePath is path to the namespace of a child resource within Path
namespacePath
required string provalue
required object pro
Value is the new value to be set to the path
value
required object proregex
required string pro
Regex - is regular expresion used to identify the Name,
and optionally Namespace, parts of the field value that
will be replaced with the rewritten Name and/or Namespace
regex
required string proconditions
required object[] pro
Conditions are conditions that must be true for
the patch to get executed
conditions
required object[] propath
required string pro
Path is the path within the object to select
path
required string prosubPath
required string pro
SubPath is the path below the selected object to select
subPath
required string proequal
required object pro
Equal is the value the path should be equal to
equal
required object pronotEqual
required object pro
NotEqual is the value the path should not be equal to
notEqual
required object proempty
required boolean pro
Empty means that the path value should be empty or unset
empty
required boolean proignore
required boolean pro
Ignore determines if the path should be ignored if handled as a reverse patch
ignore
required boolean proreversePatches
required object[] pro
ReversePatches are the patches to apply to host cluster objects
after it has been synced to the virtual cluster
reversePatches
required object[] proop
required string pro
Operation is the type of the patch
op
required string profromPath
required string pro
FromPath is the path from the other object
fromPath
required string propath
required string pro
Path is the path of the patch
path
required string pronamePath
required string pro
NamePath is the path to the name of a child resource within Path
namePath
required string pronamespacePath
required string pro
NamespacePath is path to the namespace of a child resource within Path
namespacePath
required string provalue
required object pro
Value is the new value to be set to the path
value
required object proregex
required string pro
Regex - is regular expresion used to identify the Name,
and optionally Namespace, parts of the field value that
will be replaced with the rewritten Name and/or Namespace
regex
required string proconditions
required object[] pro
Conditions are conditions that must be true for
the patch to get executed
conditions
required object[] propath
required string pro
Path is the path within the object to select
path
required string prosubPath
required string pro
SubPath is the path below the selected object to select
subPath
required string proequal
required object pro
Equal is the value the path should be equal to
equal
required object pronotEqual
required object pro
NotEqual is the value the path should not be equal to
notEqual
required object proempty
required boolean pro
Empty means that the path value should be empty or unset
empty
required boolean proignore
required boolean pro
Ignore determines if the path should be ignored if handled as a reverse patch
ignore
required boolean proimport
required object[] pro
Imports syncs a resource from the host cluster to virtual cluster
import
required object[] proapiVersion
required string pro
APIVersion of the object to sync
apiVersion
required string prokind
required string pro
Kind of the object to sync
kind
required string prooptional
required boolean pro
optional
required boolean proreplaceOnConflict
required boolean pro
ReplaceWhenInvalid determines if the controller should try to recreate the object
if there is a problem applying
replaceOnConflict
required boolean propatches
required object[] pro
Patches are the patches to apply on the virtual cluster objects
when syncing them from the host cluster
patches
required object[] proop
required string pro
Operation is the type of the patch
op
required string profromPath
required string pro
FromPath is the path from the other object
fromPath
required string propath
required string pro
Path is the path of the patch
path
required string pronamePath
required string pro
NamePath is the path to the name of a child resource within Path
namePath
required string pronamespacePath
required string pro
NamespacePath is path to the namespace of a child resource within Path
namespacePath
required string provalue
required object pro
Value is the new value to be set to the path
value
required object proregex
required string pro
Regex - is regular expresion used to identify the Name,
and optionally Namespace, parts of the field value that
will be replaced with the rewritten Name and/or Namespace
regex
required string proconditions
required object[] pro
Conditions are conditions that must be true for
the patch to get executed
conditions
required object[] propath
required string pro
Path is the path within the object to select
path
required string prosubPath
required string pro
SubPath is the path below the selected object to select
subPath
required string proequal
required object pro
Equal is the value the path should be equal to
equal
required object pronotEqual
required object pro
NotEqual is the value the path should not be equal to
notEqual
required object proempty
required boolean pro
Empty means that the path value should be empty or unset
empty
required boolean proignore
required boolean pro
Ignore determines if the path should be ignored if handled as a reverse patch
ignore
required boolean proreversePatches
required object[] pro
ReversePatches are the patches to apply to host cluster objects
after it has been synced to the virtual cluster
reversePatches
required object[] proop
required string pro
Operation is the type of the patch
op
required string profromPath
required string pro
FromPath is the path from the other object
fromPath
required string propath
required string pro
Path is the path of the patch
path
required string pronamePath
required string pro
NamePath is the path to the name of a child resource within Path
namePath
required string pronamespacePath
required string pro
NamespacePath is path to the namespace of a child resource within Path
namespacePath
required string provalue
required object pro
Value is the new value to be set to the path
value
required object proregex
required string pro
Regex - is regular expresion used to identify the Name,
and optionally Namespace, parts of the field value that
will be replaced with the rewritten Name and/or Namespace
regex
required string proconditions
required object[] pro
Conditions are conditions that must be true for
the patch to get executed
conditions
required object[] propath
required string pro
Path is the path within the object to select
path
required string prosubPath
required string pro
SubPath is the path below the selected object to select
subPath
required string proequal
required object pro
Equal is the value the path should be equal to
equal
required object pronotEqual
required object pro
NotEqual is the value the path should not be equal to
notEqual
required object proempty
required boolean pro
Empty means that the path value should be empty or unset
empty
required boolean proignore
required boolean pro
Ignore determines if the path should be ignored if handled as a reverse patch
ignore
required boolean prohooks
required object pro
Hooks are hooks that can be used to inject custom patches before syncing
hooks
required object prohostToVirtual
required object[] pro
HostToVirtual is a hook that is executed before syncing from the host to the virtual cluster
hostToVirtual
required object[] proapiVersion
required string pro
APIVersion of the object to sync
apiVersion
required string prokind
required string pro
Kind of the object to sync
kind
required string proverbs
required string[] pro
Verbs are the verbs that the hook should mutate
verbs
required string[] propatches
required object[] pro
Patches are the patches to apply on the object to be synced
patches
required object[] proop
required string pro
Operation is the type of the patch
op
required string profromPath
required string pro
FromPath is the path from the other object
fromPath
required string propath
required string pro
Path is the path of the patch
path
required string pronamePath
required string pro
NamePath is the path to the name of a child resource within Path
namePath
required string pronamespacePath
required string pro
NamespacePath is path to the namespace of a child resource within Path
namespacePath
required string provalue
required object pro
Value is the new value to be set to the path
value
required object proregex
required string pro
Regex - is regular expresion used to identify the Name,
and optionally Namespace, parts of the field value that
will be replaced with the rewritten Name and/or Namespace
regex
required string proconditions
required object[] pro
Conditions are conditions that must be true for
the patch to get executed
conditions
required object[] propath
required string pro
Path is the path within the object to select
path
required string prosubPath
required string pro
SubPath is the path below the selected object to select
subPath
required string proequal
required object pro
Equal is the value the path should be equal to
equal
required object pronotEqual
required object pro
NotEqual is the value the path should not be equal to
notEqual
required object proempty
required boolean pro
Empty means that the path value should be empty or unset
empty
required boolean proignore
required boolean pro
Ignore determines if the path should be ignored if handled as a reverse patch
ignore
required boolean provirtualToHost
required object[] pro
VirtualToHost is a hook that is executed before syncing from the virtual to the host cluster
virtualToHost
required object[] proapiVersion
required string pro
APIVersion of the object to sync
apiVersion
required string prokind
required string pro
Kind of the object to sync
kind
required string proverbs
required string[] pro
Verbs are the verbs that the hook should mutate
verbs
required string[] propatches
required object[] pro
Patches are the patches to apply on the object to be synced
patches
required object[] proop
required string pro
Operation is the type of the patch
op
required string profromPath
required string pro
FromPath is the path from the other object
fromPath
required string propath
required string pro
Path is the path of the patch
path
required string pronamePath
required string pro
NamePath is the path to the name of a child resource within Path
namePath
required string pronamespacePath
required string pro
NamespacePath is path to the namespace of a child resource within Path
namespacePath
required string provalue
required object pro
Value is the new value to be set to the path
value
required object proregex
required string pro
Regex - is regular expresion used to identify the Name,
and optionally Namespace, parts of the field value that
will be replaced with the rewritten Name and/or Namespace
regex
required string proconditions
required object[] pro
Conditions are conditions that must be true for
the patch to get executed
conditions
required object[] propath
required string pro
Path is the path within the object to select
path
required string prosubPath
required string pro
SubPath is the path below the selected object to select
subPath
required string proequal
required object pro
Equal is the value the path should be equal to
equal
required object pronotEqual
required object pro
NotEqual is the value the path should not be equal to
notEqual
required object proempty
required boolean pro
Empty means that the path value should be empty or unset
empty
required boolean proignore
required boolean pro
Ignore determines if the path should be ignored if handled as a reverse patch
ignore
required boolean promultiNamespaceMode
required object pro
MultiNamespaceMode tells virtual cluster to sync to multiple namespaces instead of a single one. This will map each virtual cluster namespace to a single namespace in the host cluster.
multiNamespaceMode
required object proisolatedControlPlane
required object pro
IsolatedControlPlane is a feature to run the vCluster control plane in a different Kubernetes cluster than the workloads themselves.
isolatedControlPlane
required object proenabled
required boolean pro
Enabled specifies if the isolated control plane feature should be enabled.
enabled
required boolean proheadless
required boolean pro
Headless states that Helm should deploy the vCluster in headless mode for the isolated control plane.
headless
required boolean prokubeConfig
required string pro
KubeConfig is the path where to find the remote workload cluster kubeconfig.
kubeConfig
required string pronamespace
required string pro
Namespace is the namespace where to sync the workloads into.
namespace
required string proservice
required string pro
Service is the vCluster service in the remote cluster.
service
required string provirtualClusterKubeConfig
required object pro
VirtualClusterKubeConfig allows you to override distro specifics and specify where vCluster will find the required certificates and vCluster config.
virtualClusterKubeConfig
required object prokubeConfig
required string pro
KubeConfig is the virtual cluster kubeconfig path.
kubeConfig
required string proserverCAKey
required string pro
ServerCAKey is the server ca key path.
serverCAKey
required string proserverCACert
required string pro
ServerCAKey is the server ca cert path.
serverCACert
required string proclientCACert
required string pro
ServerCAKey is the client ca cert path.
clientCACert
required string prorequestHeaderCACert
required string pro
RequestHeaderCACert is the request header ca cert path.
requestHeaderCACert
required string prodenyProxyRequests
required object[] pro
DenyProxyRequests denies certain requests in the vCluster proxy.
denyProxyRequests
required object[] proname
required string pro
The name of the check.
name
required string pronamespaces
required string[] pro
Namespace describe a list of namespaces that will be affected by the check.
An empty list means that all namespaces will be affected.
In case of ClusterScoped rules, only the Namespace resource is affected.
namespaces
required string[] prorules
required object[] pro
Rules describes on which verbs and on what resources/subresources the webhook is enforced.
The webhook is enforced if it matches any Rule.
The version of the request must match the rule version exactly. Equivalent matching is not supported.
rules
required object[] proapiGroups
required string[] pro
APIGroups is the API groups the resources belong to. '*' is all groups.
apiGroups
required string[] proapiVersions
required string[] pro
APIVersions is the API versions the resources belong to. '*' is all versions.
apiVersions
required string[] proresources
required string[] pro
Resources is a list of resources this rule applies to.
resources
required string[] proscope
required string pro
Scope specifies the scope of this rule.
scope
required string prooperations
required string[] pro
Verb is the kube verb associated with the request for API requests, not the http verb. This includes things like list and watch.
For non-resource requests, this is the lowercase http verb.
If '*' is present, the length of the slice must be one.
operations
required string[] proexcludedUsers
required string[] pro
ExcludedUsers describe a list of users for which the checks will be skipped.
Impersonation attempts on these users will still be subjected to the checks.
excludedUsers
required string[] protelemetry
required object pro
Configuration related to telemetry gathered about vCluster usage.
telemetry
required object pro