Network policy

note

This feature is disabled by default.

Workloads created by vCluster are able to communicate with other workloads in the host cluster through their cluster IPs. Configure network policies when you want to isolate namespaces and do not want the pods running inside the virtual cluster to have access to other workloads in the host cluster.

Enable network isolation

Set policies.networkPolicy.enabled to create NetworkPolicies that isolate the virtual cluster:

vcluster.yaml

policies:
  networkPolicy:
    enabled: true

This creates NetworkPolicies in the host namespace that:

• Allow traffic between pods within the virtual cluster
• Block traffic from other namespaces
• Permit DNS and API server communication

Example configurations

Basic isolation

The simplest configuration enables network isolation with default settings:

vcluster.yaml

policies:
  networkPolicy:
    enabled: true

Custom egress rules

Control outbound traffic with specific CIDR blocks:

vcluster.yaml

policies:
  networkPolicy:
    enabled: true
    outgoingConnections:
      ipBlock:
        cidr: 0.0.0.0/0
        except:
          - 169.254.0.0/16  # AWS metadata service
          - 10.0.0.0/8      # Private network ranges
          - 172.16.0.0/12
          - 192.168.0.0/16

Add custom labels

Apply labels to generated NetworkPolicies for easier management:

vcluster.yaml

policies:
  networkPolicy:
    enabled: true
    labels:
      environment: production
      team: platform
    annotations:
      description: "Network isolation for production vCluster"

DNS Port in vCluster

vCluster uses port 1053 for DNS queries, not the standard port 53. When creating custom NetworkPolicies for pods inside vCluster, ensure DNS rules target port 1053:

ports:
  - port: 1053
    protocol: UDP

Project-scoped isolation with Platform

For Platform users needing project-level network boundaries, combine policies.networkPolicy with VirtualClusterTemplates:

project-isolated-template.yaml

apiVersion: management.loft.sh/v1
kind: VirtualClusterTemplate
metadata:
  name: project-isolated
spec:
  template:
    helmRelease:
      chart:
        version: 0.26.0
      values: |
        policies:
          networkPolicy:
            enabled: true
            labels:
              vcluster.io/project: "{{ .Values.loft.project }}"

This automatically:

• Isolates virtual clusters by project
• Allows communication within the same project
• Enforces network boundaries for CI/CD pipelines

Config reference

networkPolicy required object

NetworkPolicy specifies network policy options.

enabled required boolean false

Enabled defines if the network policy should be deployed by vCluster.

fallbackDns required string 8.8.8.8

FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.

outgoingConnections required object

OutgoingConnections are the outgoing connections options for the vCluster workloads.

ipBlock required object

IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.

cidr required string 0.0.0.0/0

cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"

except required string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]

except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range

platform required boolean true

Platform enables egress access towards loft platform

extraControlPlaneRules required object[] []

ExtraControlPlaneRules are extra allowed rules for the vCluster control plane.

extraWorkloadRules required object[] []

ExtraWorkloadRules are extra allowed rules for the vCluster workloads.

annotations required object {}

Annotations are extra annotations for this resource.

labels required object {}

Labels are extra labels for this resource.