Ingress classes
By default, this is disabled.
IngressClass syncing allows virtual clusters to use ingress controllers from the host cluster. Typically, each virtual cluster needs its own ingress controller to handle incoming traffic. With IngressClass syncing enabled, virtual clusters can reference IngressClass resources from the host cluster instead.
You can enable this feature to sync IngressClass resources from the host cluster to the virtual cluster. Add labels to IngressClass resources in your host cluster and configure vCluster to sync only those that match specific label selectors. When you create an Ingress resource in the virtual cluster that references a synced IngressClass, the host cluster's ingress controller handles the traffic routing.
This saves resources since you don't need separate ingress controllers in every virtual cluster. It also gives you centralized control over which ingress capabilities teams can access.
This approach is useful in scenarios where selective access to ingress configurations is required. Common use cases include:
- Development environments: Sync only the IngressClass resources required for development clusters to reduce noise and avoid unnecessary exposure.
- Multi-tenancy: Enable teams to use their own IngressClass resources while sharing a single host cluster.
- Security: Restrict the IngressClass resources available in the virtual cluster to enforce access control and prevent unintended configurations.
Enable syncing​
When enabled, vCluster takes control of all IngressClass resources in the virtual cluster. It only allows IngressClass resources that are synced from the host cluster to exist.
This example configuration enables syncing all IngressClass resources from the host cluster to the virtual cluster:
sync:
fromHost:
ingressClasses:
enabled: true
If you try to create the IngressClass resource directly in the virtual cluster, using for example kubectl create or kubectl apply, vCluster detects it and deletes it immediately. This prevents conflicts between locally-created IngressClass resources and those synced from the host cluster, ensuring that only IngressClass resources from the host cluster exist in the virtual cluster.
When enabled, IngressClass resource creation can only occur in the host cluster. Any IngressClass resources created in the virtual cluster will be deleted.
How syncing works​
When IngressClass syncing is enabled, vCluster can use a label selector to control which IngressClass and Ingress resources are synchronized between the host and virtual clusters. This affects the resource types with separate unidirectional sync flows:
-
IngressClass resources (host → virtual): vCluster syncs IngressClass resources from the host cluster to the virtual cluster. You cannot create IngressClass resources directly in the virtual cluster. If a selector is defined, only IngressClass resources matching the selector will sync. If no selector is defined, all IngressClass resources are synced.
-
Ingress resources (virtual → host): vCluster syncs Ingress resources from the virtual cluster to the host cluster only if any of the following is true:
- No selector is defined for IngressClass syncing, which allows all Ingress resources to sync regardless of the
IngressClassName. - The Ingress's
IngressClassNamereferences a IngressClass resource that matches the selector and is synced from the host cluster. - The Ingress has an empty
IngressClassNamefield.
- No selector is defined for IngressClass syncing, which allows all Ingress resources to sync regardless of the
The same selector controls both sync flows. The selector determines which IngressClass resources are imported from the host cluster and which Ingress resources can sync to the host cluster based on the referenced IngressClass resource.
Use selectors to filter​
Selectors provide precise control over which IngressClass resources get synced from the host cluster and which Ingress resources gets synced to the host cluster. vCluster supports two types of selector criteria that follow standard Kubernetes label selector syntax.
Filter with matchLabels​
The matchLabels selector defines exact label key-value pairs that must be present on an IngressClass for it to be synced. This provides straightforward filtering based on specific labels.
The following example syncs only IngressClass resources with a environment: development label:
sync:
toHost:
ingresses:
enabled: true
fromHost:
ingressClasses:
enabled: true
selector:
matchLabels:
environment: development
Filter with matchExpressions​
The matchExpressions selector allows more flexible, set-based filtering with support for multiple operators:
In: Select all resources that has a specific key and the value is in the set of valuesNotIn: Select all resources that has a specific key and the value is not in the set of valuesExists: Select all resources including a label with the key; no values are checkedDoesNotExist: Select all resources without a label with the key; no values are checked
The following example syncs IngressClass resources where the key of the label is kubernetes.io/ingress.class and the value of that label is either nginx or traefik:
sync:
toHost:
ingresses:
enabled: true
fromHost:
ingressClasses:
enabled: true
selector:
matchExpressions:
- key: kubernetes.io/ingress.class
operator: In
values:
- nginx
- traefik
Combined filter criteria​
Label conditions are additive meaning all specified label conditions must match for the IngressClass resource to be selected to be synced. This means that if you define multiple matchLabels and matchExpressions, the IngressClass resource must satisfy all criteria to be synced to the virtual cluster.
The following example syncs IngressClass resources that match both label and expression criteria:
sync:
toHost:
ingresses:
enabled: true
fromHost:
ingressClasses:
enabled: true
selector:
matchLabels:
environment: development
matchExpressions:
- key: kubernetes.io/ingress.class
operator: In
values:
- nginx
- traefik
In this example, the IngressClass must have the following labels to sync to the virtual cluster:
environment: development- Either
kubernetes.io/ingress.class:nginxorkubernetes.io/ingress.class:traefik
Sync behavior considerations​
Resource lifecycle​
Synced IngressClass resources function like any other Kubernetes resource in the virtual cluster. You
can view them with kubectl get ingressclass and reference them in your Ingress resource
specifications with the IngressClassName field.
When you modify the IngressClass resource in the host cluster, vCluster re-evaluates whether it still matches the selector criteria. If the IngressClass continues to match, vCluster updates the corresponding resource in the virtual cluster to reflect the changes. If the IngressClass no longer matches the selector criteria, vCluster removes it from the virtual cluster.
The selector system acts as both a resource filter and a validation mechanism. As a resource filter, it ensures that vCluster creates only IngressClass resources matching the defined selector criteria. The selector also functions as a creation validation mechanism - when you create Ingress resources in the virtual cluster, the resources can only reference IngressClass resources that exist in the virtual cluster.
Orphaned resources​
When vCluster removes a synced IngressClass from the virtual cluster due to selector changes or deletion from the host cluster, any Ingress resources that reference it remain in the virtual and host clusters. These orphaned Ingress resources stop receiving updates but vCluster does not automatically delete them to prevent unintended data loss. To remove these orphaned resources, you must delete them manually in the virtual and host clusters. This manual approach ensures that you maintain full control over resource cleanup and can verify that deletions are intentional.
Error handling and troubleshooting​
When the IngressClass resource doesn't match the selector criteria during evaluation, vCluster logs a warning in the syncer pod's output to help with troubleshooting and monitoring. This logging provides visibility into which resources are being filtered out and why.
When you creates the Ingress resource that references a IngressClass not matching the selector criteria, several things occur to provide clear feedback:
- The Ingress fails to sync to the host cluster
- vCluster records an event on the Ingress resource in the virtual cluster
- The event indicates that the specified IngressClass is not available according to the current selector configuration
The error output appears as a Kubernetes event that you can view using kubectl describe. The event message clearly states that the Ingress resource was not synced because the referenced IngressClass does not match the defined selector criteria.
The error output looks like this:
vcluster-virtual-cluster-1:~$ kubectl describe ingress my-ingress
Name: my-ingress
Namespace: default
IngressClass: traefik
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning SyncWarning 10s ingress-syncer did not sync ingress "my-ingress" to host because it does not match the selector under 'sync.fromHost.ingressClasses.selector'
Config reference​
ingressClasses required object pro​
IngressClasses defines if ingress classes should get synced from the host cluster to the virtual cluster, but not back.
ingressClasses required object pro​enabled required boolean false pro​
Enabled defines if this option should be enabled.
enabled required boolean false pro​patches required object[] pro​
Patches patch the resource according to the provided specification.
patches required object[] pro​path required string pro​
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string pro​expression required string pro​
Expression transforms the value according to the given JavaScript expression.
expression required string pro​reverseExpression required string pro​
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string pro​reference required object pro​
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object pro​apiVersion required string pro​
APIVersion is the apiVersion of the referenced object.
apiVersion required string pro​apiVersionPath required string pro​
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string pro​kind required string pro​
Kind is the kind of the referenced object.
kind required string pro​kindPath required string pro​
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string pro​namePath required string pro​
NamePath is the optional relative path to the reference name within the object.
namePath required string pro​namespacePath required string pro​
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string pro​labels required object pro​
Labels treats the path value as a labels selector.
labels required object pro​selector required object pro​
Selector defines the selector to use for the resource. If not set, all resources of that type will be synced.
selector required object pro​