Skip to main content

Isolated mode

vCluster offers a feature called isolated mode to automatically isolate workloads in a virtual cluster. Isolated mode can be enabled via the --isolate flag in vcluster create or through the helm value isolation.enabled: true:

# Creates a new vCluster with isolated workloads
vcluster create my-vcluster --isolate

This feature imposes a couple of restrictions on vCluster workloads to make sure they do not break out of their virtual environment:

  1. vCluster enforces a Pod Security Standard on syncer level, which means that for example pods that try to run as a privileged container or mount a host path will not be synced to the host cluster. Current valid options are either baseline (default in isolated mode) or restricted. This works for every Kubernetes version regardless of Pod Security Standard support, as this is implemented in vCluster directly. Rejected pods will stay pending in the vCluster and in newer Kubernetes version they will be denied by the admission controller as well.
  2. vCluster deploys a resource quota as well as a limit range alongside the vCluster itself. This allows restricting resource consumption of vCluster workloads. If enabled, sane defaults for those 2 resources are chosen.
  3. vCluster deploys a network policy alongside itself that will restrict access of vCluster workloads as well as the vCluster control plane to other pods in the host cluster. (only works if your host cluster CNI supports network policies)

You can adjust isolation settings through helm values. The default values are (also check values.yaml):

isolation:
  enabled: false

  podSecurityStandard: baseline

  resourceQuota:
    enabled: true
    quota:
      requests.cpu: 10
      requests.memory: 20Gi
      requests.storage: "100Gi"
      requests.ephemeral-storage: 60Gi
      limits.cpu: 20
      limits.memory: 40Gi
      limits.ephemeral-storage: 160Gi
      services.nodeports: 0
      services.loadbalancers: 1
      count/endpoints: 40
      count/pods: 20
      count/services: 20
      count/secrets: 100
      count/configmaps: 100
      count/persistentvolumeclaims: 20
    scopeSelector:
      matchExpressions:
    scopes:

  limitRange:
    enabled: true
    default:
      ephemeral-storage: 8Gi
      memory: 512Mi
      cpu: "1"
    defaultRequest:
      ephemeral-storage: 3Gi
      memory: 128Mi
      cpu: 100m

  networkPolicy:
    enabled: true
    outgoingConnections:
      ipBlock:
        cidr: 0.0.0.0/0
        except:
          - 100.64.0.0/10
          - 127.0.0.0/8
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
danger

In case you are using --isolate flag or isolated mode along with the --expose flag, make sure you appropriately bump up the isolation.resourceQuotas.quota.services.nodeports accordingly as some LoadBalancer implementations rely on NodePorts