Skip to main content

Isolated mode

vCluster offers a feature called isolated mode to automatically isolate workloads in a virtual cluster. Isolated mode can be enabled via the --isolate flag in vcluster create or through the helm value isolation.enabled: true:

# Creates a new vCluster with isolated workloads
vcluster create my-vcluster --isolate

This feature imposes a couple of restrictions on vCluster workloads to make sure they do not break out of their virtual environment:

  1. vCluster enforces a Pod Security Standard on syncer level, which means that for example pods that try to run as a privileged container or mount a host path will not be synced to the host cluster. Current valid options are either baseline (default in isolated mode) or restricted. This works for every Kubernetes version regardless of Pod Security Standard support, as this is implemented in vCluster directly. Rejected pods will stay pending in the vCluster and in newer Kubernetes version they will be denied by the admission controller as well.
  2. vCluster deploys a resource quota as well as a limit range alongside the vCluster itself. This allows restricting resource consumption of vCluster workloads. If enabled, sane defaults for those 2 resources are chosen.
  3. vCluster deploys a network policy alongside itself that will restrict access of vCluster workloads as well as the vCluster control plane to other pods in the host cluster. (only works if your host cluster CNI supports network policies)

You can adjust isolation settings through helm values. The default values are (also check values.yaml):

enabled: false

podSecurityStandard: baseline

enabled: true
requests.cpu: 10
requests.memory: 20Gi "100Gi"
requests.ephemeral-storage: 60Gi
limits.cpu: 20
limits.memory: 40Gi
limits.ephemeral-storage: 160Gi
services.nodeports: 0
services.loadbalancers: 1
count/endpoints: 40
count/pods: 20
count/services: 20
count/secrets: 100
count/configmaps: 100
count/persistentvolumeclaims: 20

enabled: true
ephemeral-storage: 8Gi
memory: 512Mi
cpu: "1"
ephemeral-storage: 3Gi
memory: 128Mi
cpu: 100m

enabled: true

In case you are using --isolate flag or isolated mode along with the --expose flag, make sure you appropriately bump up the accordingly as some LoadBalancer implementations rely on NodePorts