Skip to main content

Monitoring vCluster

vCluster is able to rewrite node stats and metrics. This means monitoring a vCluster works similar to monitoring a regular Kubernetes cluster.


You need to make sure that vCluster has access to the host clusters nodes. Enabling real nodes synchronization will create the required RBAC permissions.


If Isolated mode is enabled and you wish to scrape kubelet targets via '/metrics' and '/metrics/cadvisor', you need to set isolation.nodeProxyPermission.enabled: true. This will create the RBAC rules for the required 'nodes/proxy' resource.

Please follow the official Kubernetes documentation on how to monitor a Kubernetes cluster.

How does it work?

By default, vCluster will create a service for each node which redirects incoming traffic from within the vCluster to the node kubelet to vCluster itself. This means that if workloads within the vCluster try to scrape node metrics the traffic reaches vCluster first. Vcluster will redirect the incoming request to the host cluster and rewrite the response (pod names, pod namespaces etc) and return it to the requester.

Monitoring the vCluster StatefulSet

vcluster exposes metrics endpoints on (syncer metrics) and (k3s metrics). In order to scrape those metrics, you will need to send an Authorization header with a valid virtual cluster service account token, that has permissions to access the /metrics endpoint within the vcluster.