Skip to main content

Rootless mode & OpenShift

Many Kubernetes cluster operators employ policies to restrict the usage of certain features, for example running pods with the root user. On this page you will see which options allow you to adjust vcluster configuration to successfully deploy it in such restricted host clusters.

Running as non-root user#

If your host cluster policies disallow running containers with root user, or you simply preffer to run them this way, it is possible to configure it for vcluster components. Steps below show how to set the desired UID for syncer and control plane. The syncer also passes this UID down to the vcluster DNS deployment.

Create a values.yaml file with the following lines:

runAsUser: 12345
runAsNonRoot: true

Then create the vcluster with the following command:

vcluster create -f values.yaml
Values of the securityContext fields

You can substitute the runAsUser value as needed, e.g. if the host cluster limits the allowable UID ranges.
And you are free to set other securityContext fields as necessary to fulfill your host cluster policies.


Running as non-root is currently supported only for the k3s distribution. While other distributions provided by vcluster may make use of the securityContext field from the values.yaml file, we do not guarantee that they will work as expected.


vcluster doesn't currently provide a migration path from an instance that was running as root to running with a non-root user.

Running on OpenShift#

By default, OpenShift doesn't allow running containers with the root user, but it assings a random UID from the allowed range automatically, which means that you can skip the steps described in the Running as non-root user section of this document and your vcluster should run as non-root user by default.

OpenShift also imposes some restrictions that are not common to other Kubernetes distributions.
When deploying vcluster to OpenShift you will need to follow these additional steps:

Create a values.yaml file with the following lines:

enable: true

Then create the vcluster with the following command:

vcluster create -f values.yaml
Additional permission when running on OpenShift

vcluster requires create permission for the endpoints/restricted resource in the default group when running on OpenShift.
This permission is required because OpenShift has additional built-in admission controller for the Endpoint resources, which denies creation of the endpoints pointing into the cluster network or service network CIDR ranges, unless this additional permission is given. Following the steps outline above ensures that the vcluster Role includes this permission, as it is necessary for certain networking features.