Control node IP visibility
When vCluster syncs real nodes from the host cluster, it obfuscates node IP addresses by default. This behavior protects sensitive information in multi-tenant environments while still providing node features.
Node IP obfuscation provides several benefits:
- Security: Prevents exposure of host cluster network topology in multi-tenant environments.
- Privacy: Protects sensitive infrastructure information from virtual cluster users.
- Isolation: Maintains logical separation between virtual and host clusters.
Default behavior
By default, when you enable real node syncing:

sync:
  fromHost:
    nodes:
      enabled: true

vCluster automatically replaces the actual node IP addresses with obfuscated values. For example, if a host node has IP 192.168.1.100, it appears in the virtual cluster with a generated IP like 10.0.0.1.
Control IP visibility with patches
This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.
Remove IP information completely
To remove IP addresses entirely from synced nodes:

sync:
  fromHost:
    nodes:
      enabled: true
      patches:
        - path: status.addresses
          expression: |
            []
Advanced node information control
You can use patches to control other sensitive node information beyond IP addresses:
Hide system information

sync:
  fromHost:
    nodes:
      enabled: true
      patches:
        - path: status.nodeInfo.bootID
          expression: '""'
        - path: status.nodeInfo.systemUUID
          expression: '""'
        - path: status.nodeInfo.machineID
          expression: '""'

Selective field obfuscation

sync:
  fromHost:
    nodes:
      enabled: true
      patches:
        - path: status.nodeInfo.osImage
          expression: '"Linux"'
        - path: status.nodeInfo.kernelVersion
          expression: '"Hidden"'
Use node selectors
When using node selectors with obfuscated IPs, focus on labels rather than IP-based selection:

sync:
  fromHost:
    nodes:
      enabled: true
      selector:
        labels:
          node-role.kubernetes.io/worker: "true"
          environment: "production"
This approach ensures your workloads can still be scheduled appropriately without relying on specific IP addresses.
Troubleshoot node IP issues
Verify obfuscation
To check if IP obfuscation is working:
- Compare node information between host and virtual clusters:
    kubectl get nodes -o wide
    vcluster connect my-vcluster -- kubectl get nodes -o wide
- Inspect node details:
    vcluster connect my-vcluster -- kubectl describe node <node-name>
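The comparison above can be automated. The following is an added example, not part of the vCluster documentation or project: it compares two NodeList documents, assumed to be saved with `kubectl get nodes -o json` on the host and through `vcluster connect`, and reports any IP address or `nodeInfo` value that appears unchanged in the virtual cluster. The function names and sample values are constructed for illustration.

```python
import json
import sys

# nodeInfo fields that the patches on this page blank out or replace.
NODEINFO_FIELDS = ("bootID", "systemUUID", "machineID", "osImage", "kernelVersion")

def node_values(node_list):
    """Collect, per field, the set of values present in a NodeList document."""
    seen = {"address": set(), **{f: set() for f in NODEINFO_FIELDS}}
    for node in node_list.get("items", []):
        status = node.get("status", {})
        # status.addresses may be absent or [] when the removal patch is applied.
        for addr in status.get("addresses") or []:
            if addr.get("type") in ("InternalIP", "ExternalIP") and addr.get("address"):
                seen["address"].add(addr["address"])
        for field in NODEINFO_FIELDS:
            value = status.get("nodeInfo", {}).get(field)
            if value:  # empty strings (patched to "") are not a leak
                seen[field].add(value)
    return seen

def find_leaks(host_list, virtual_list):
    """Return sorted (field, value) pairs visible unchanged in the virtual cluster."""
    host, virt = node_values(host_list), node_values(virtual_list)
    return sorted((f, v) for f in host for v in host[f] & virt[f])

def _node(ip, **node_info):
    """Build a minimal Node object (constructed sample data, not real output)."""
    return {"status": {"addresses": [{"type": "InternalIP", "address": ip}],
                       "nodeInfo": node_info}}

# Constructed samples: host view, and a virtual view where kernelVersion was not patched.
HOST_SAMPLE = {"items": [_node("192.168.1.100", systemUUID="sample-uuid-0001",
                               machineID="sample-machine-0001", osImage="Ubuntu 22.04",
                               kernelVersion="5.15.0-sample")]}
VIRTUAL_SAMPLE = {"items": [_node("10.0.0.1", systemUUID="", machineID="",
                                  osImage="Linux", kernelVersion="5.15.0-sample")]}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py host-nodes.json vcluster-nodes.json
        with open(sys.argv[1]) as h, open(sys.argv[2]) as v:
            host_doc, virt_doc = json.load(h), json.load(v)
    else:
        host_doc, virt_doc = HOST_SAMPLE, VIRTUAL_SAMPLE
    leaks = find_leaks(host_doc, virt_doc)
    for field, value in leaks:
        print(f"LEAK {field}: {value}")
    sys.exit(1 if leaks else 0)
```

The script exits non-zero when any host value is visible in the virtual cluster, so it can gate a configuration change in CI.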
Common issues
- Networking problems: Some network policies or CNI plugins may require real IP addresses. Test thoroughly when modifying IP obfuscation.
- Monitoring tools: Tools that rely on node IPs may need adjustment when IPs are obfuscated.
- Service discovery: Services that use node IPs directly may require alternative approaches.
Best practices
- Default to obfuscation: Keep IP obfuscation enabled unless you have specific requirements for real IPs.
- Use labels: Rely on node labels rather than IPs for workload scheduling and management.
- Document changes: Clearly document any modifications to default obfuscation behavior.
- Test thoroughly: Verify that your applications work correctly with obfuscated IPs before production deployment.