Version: v0.27 Stable

Limited vCluster Tenancy Configuration Support

This feature is only available when using the following worker node types:

Host Nodes

Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

Integrating GCP Workload Identity with vCluster

This tutorial guides you through the process of integrating GCP Service Accounts with your vCluster using Workload Identity.

Setting up Workload Identity requires you to link a GCP Service Account with the Kubernetes Service Account (KSA) used by your workloads. This KSA needs to be available in the host cluster in which your vCluster instance runs.

To achieve this setup, we'll need to use the sync.toHost feature in order to expose the KSA in the host cluster together with the vCluster Platform API to retrieve the updated name of the KSA in the host cluster.

Prerequisites

This guide assumes you have the following prerequisites:

kubectl installed
gcloud CLI installed and configured
A running GKE cluster with Workload Identity Federation enabled (GCP docs)

Step-by-Step Guide

1. Start vCluster Platform and create access key

In order to integrate your workloads with GKE Workload Identity, you'll need a vCluster Platform instance running. If you don't have one already, follow the vCluster Platform installation guide.

Once you're done, you'll need to create a new access key. This will allow you to use the vCluster Platform API. Please follow this guide to create a new access key.

2. Set Up Environment Variables

Next, you need to set up the necessary environment variables. These variables include information about your GCP project, vCluster details, and authentication keys.

# Set up environment variables
export GSA_NAME=my-gke-sa
export VCLUSTER_KSA_NAME=demo-sa
export VCLUSTER_KSA_NAMESPACE=default
export GCP_PROJECT_ID=my-gcp-project-id-12345 # Replace with your actual GCP project ID
export VCLUSTER_NAME=my-vcluster
export HOST=https://my.loft.host  # Replace with your actual host
export ACCESS_KEY=abcd1234 # Replace with your actual vCluster Platform access key

Before proceeding adjust all values to your specific case, make sure to specify correct GCP project ID, vCluster Platform host and auth key.

3. Read Updated Name From vCluster Platform API

bash
Terraform

Define a function to fetch the KSA name using curl and use it to export KSA_NAME environment variable.

# Define the function to get the KSA name using curl
get_ksa_name() {
  local vcluster_ksa_name=$1
  local vcluster_ksa_namespace=$2
  local vcluster_name=$3
  local host=$4
  local access_key=$5

  local resource_path="/kubernetes/management/apis/management.loft.sh/v1/translatevclusterresourcenames"
  local host_with_scheme=$([[ $host =~ ^(http|https):// ]] && echo "$host" || echo "https://$host")
  local sanitized_host="${host_with_scheme%/}"
  local full_url="${sanitized_host}${resource_path}"

  local response=$(curl -s -k -X POST "$full_url" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${access_key}" \
    -d @- <<EOF
{
  "spec": {
    "name": "${vcluster_ksa_name}",
    "namespace": "${vcluster_ksa_namespace}",
    "vclusterName": "${vcluster_name}"
  }
}
EOF
  )

  local status_name=$(echo "$response" | jq -r '.status.name')
  if [[ -z "$status_name" || "$status_name" == "null" ]]; then
    echo "Error: Unable to fetch KSA name from response: $response"
    exit 1
  fi
  echo "$status_name"
}

# Get the KSA name
export KSA_NAME=$(get_ksa_name "$SERVICE_ACCOUNT_NAME" "$SERVICE_ACCOUNT_NAMESPACE" "$VCLUSTER_NAME" "$HOST" "$ACCESS_KEY")

We prepared a Terraform module that you can use in order to easily fetch updated resource name from Platform API.

module "synced_service_account_name" {
  source        = "github.com/loft-sh/vcluster-terraform-modules//single-namespace-rename"

  providers = {
    http.default = http.default
  }


  host                = var.vcluster_platform_host
  access_key          = var.access_key
  resource_name       = var.service_account_name
  resource_namespace  = var.service_account_namespace
  vcluster_name       = var.vcluster_name
}

4. Create vCluster Configuration

Create vcluster.yaml file with following content:

sync:
  toHost:
    serviceAccounts:
      enabled: true

5. Deploy vCluster

All of the deployment options below have the following assumptions:

A vcluster.yaml is provided. Refer to the vcluster.yaml reference docs to explore all configuration options. This file is optional and can be removed from the examples.
The vCluster is called my-vcluster.
The vCluster is be deployed into the team-x namespace.

vCluster CLI
Helm
Terraform
Argo CD
Cluster API

The vCluster CLI provides the most straightforward way to deploy and manage virtual clusters.

Install the vCluster CLI:
- Homebrew
- Mac (Intel/AMD)
- Mac (Silicon/ARM)
- Linux (AMD)
- Linux (ARM)
- Download Binary
- Windows Powershell
brew install loft-sh/tap/vcluster-experimental
If you installed the CLI using brew install vcluster, you should brew uninstall vcluster and then install the experimental version. The binaries in the tap are signed using the Sigstore framework for enhanced security.
curl -L -o vcluster "https://github.com/loft-sh/vcluster/releases/download/<VCLUSTER_VERSION>/vcluster-darwin-amd64" && sudo install -c -m 0755 vcluster /usr/local/bin && rm -f vcluster
Replace <VCLUSTER_VERSION> with the version you want to download.
curl -L -o vcluster "https://github.com/loft-sh/vcluster/releases/download/<VCLUSTER_VERSION>/vcluster-darwin-arm64" && sudo install -c -m 0755 vcluster /usr/local/bin && rm -f vcluster
Replace <VCLUSTER_VERSION> with the version you want to download.
curl -L -o vcluster "https://github.com/loft-sh/vcluster/releases/download/<VCLUSTER_VERSION>/vcluster-linux-amd64" && sudo install -c -m 0755 vcluster /usr/local/bin && rm -f vcluster
Replace <VCLUSTER_VERSION> with the version you want to download.
curl -L -o vcluster "https://github.com/loft-sh/vcluster/releases/download/<VCLUSTER_VERSION>/vcluster-linux-arm64" && sudo install -c -m 0755 vcluster /usr/local/bin && rm -f vcluster
Replace <VCLUSTER_VERSION> with the version you want to download.
Download the binary for your platform from the GitHub Releases page and add this binary to your $PATH.
md -Force "$Env:APPDATA\vcluster"; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12'; Invoke-WebRequest -URI "https://github.com/loft-sh/vcluster/releases/download/<VCLUSTER_VERSION>/vcluster-windows-amd64.exe" -o $Env:APPDATA\vcluster\vcluster.exe; $env:Path += ";" + $Env:APPDATA + "\vcluster"; [Environment]::SetEnvironmentVariable("Path", $env:Path, [System.EnvironmentVariableTarget]::User);
Replace <VCLUSTER_VERSION> with the version you want to download.
Reboot Required
You may need to reboot your computer to use the CLI due to changes to the PATH variable (see below).
Check Environment Variable $PATH
Line 4 of this install script adds the install directory %APPDATA%\vcluster to the $PATHenvironment variable. This is only effective for the current Powershell session, i.e. when opening a new terminal window,vcluster may not be found.
Make sure to add the folder %APPDATA%\vcluster to the PATH environment variable after installing vcluster CLI via Powershell. Afterward, a reboot might be necessary.
Confirm that you've installed the correct version of the vCluster CLI.
```
vcluster --version
```
Deploy vCluster:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
NAMESPACE
CONFIG FILE
vcluster create my-vcluster --namespace team-x --values vcluster.yaml
note
After installation, vCluster automatically switches your Kubernetes context to the new virtual cluster. You can now run kubectl commands against the virtual cluster.

Helm provides fine-grained control over the deployment process and integrates well with existing Helm-based workflows.

Deploy vCluster using the helm upgrade command:

Modify the following with your specific values to generate a copyable command:

CLUSTER NAME

CONFIG FILE

NAMESPACE

helm upgrade --install my-vcluster vcluster \
  --values vcluster.yaml \
  --repo https://charts.loft.sh \
  --namespace team-x \
  --repository-config='' \
  --create-namespace

You can use Terraform to deploy vCluster as code with version control and state management.

Create a main.tf file to define your vCluster deployment using the Terraform Helm provider:

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "helm_release" "my_vcluster" {
  name             = "my-vcluster"
  namespace        = "team-x"
  create_namespace = true

  repository       = "https://charts.loft.sh"
  chart            = "vcluster"

  # If you didn't create a vcluster.yaml, remove the values section.
  values = [
    file("${path.module}/vcluster.yaml")
  ]
}

Install the required Helm provider and initialize Terraform:
```
terraform init
```
Generate a plan to preview the changes:
```
terraform plan
```
Review the plan output to verify connectivity and proposed changes.
Deploy vCluster:
```
terraform apply
```

ArgoCD deployment enables GitOps workflows for vCluster management, and provides automated deployment, drift detection, and declarative configuration management through Git repositories.

To deploy vCluster using ArgoCD, you need the following files:

vcluster.yaml for your vCluster configuration options.
<CLUSTER_NAME>-app.yaml for your ArgoCD Application definition. Replace <CLUSTER_NAME> with your actual cluster name.

Create the ArgoCD Application file <CLUSTER_NAME>-app.yaml, which references the vCluster Helm chart:

Modify the following with your specific values to generate a copyable command:

CLUSTER NAME

NAMESPACE

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-vcluster
namespace: argocd
spec:
project: default
source:
  chart: vcluster
  repoURL: https://charts.loft.sh
  helm:
    releaseName: my-vcluster
    valueFiles:
      - vcluster.yaml
destination:
  server: https://kubernetes.default.svc
  namespace: team-x

Commit and push these files to your configured ArgoCD repository.
Sync your ArgoCD repository with your configured cluster:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
argocd app sync my-vcluster

Cluster API (CAPI) provides lifecycle management for Kubernetes clusters. The vCluster CAPI provider enables you to manage virtual clusters using the same declarative APIs and tooling used for physical clusters. For more details, see the Cluster API Provider for vCluster documentation.

Install the clusterctl CLI.

Install the vCluster provider:

clusterctl init --infrastructure vcluster:v0.2.0

Export environment variables for the Cluster API provider to create the manifest. The manifest is applied to your Kubernetes cluster, which deploys a vCluster.
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
NAMESPACE
CONFIG FILE
export CLUSTER_NAME=my-vcluster export CLUSTER_NAMESPACE=team-x export VCLUSTER_YAML=$(awk '{printf "%s\n", $0}' vcluster.yaml)
Create the namespace for the vCluster using the exported variable:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAMESPACE
kubectl create namespace team-x
Generate the required manifests and apply them using the exported variables:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAME
CLUSTER NAMESPACE
clusterctl generate cluster my-vcluster \ --infrastructure vcluster \ --target-namespace team-x \ | kubectl apply -f -
Kubernetes version
The Kubernetes version for the vCluster is not set at the CAPI provider command. Configure it in the vcluster.yaml file based on your Kubernetes distribution.
Wait for vCluster to become ready by monitoring the vCluster custom resource status:
Modify the following with your specific values to generate a copyable command:
CLUSTER NAMESPACE
CLUSTER NAME
kubectl wait --for=condition=ready vcluster -n team-x my-vcluster --timeout=300s

6. Connect to vCluster

Establish a connection to your vCluster instance:

vcluster connect ${VCLUSTER_NAME}

7. Create Example Workload

Create a file named gcs-list-buckets-deployment.yaml with the following content:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-sa
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gcs-list-buckets
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gcs-list-buckets
  template:
    metadata:
      labels:
        app: gcs-list-buckets
    spec:
      serviceAccountName: demo-sa
      containers:
      - image: google/cloud-sdk:slim
        command:
          - "gcloud"
          - "storage"
          - "buckets"
          - "list"
        name: gcs-pod

Apply the deployment:

kubectl apply -f gcs-list-buckets-deployment.yaml

9. Create a GCP Service Account

Create a new GCP Service Account (SA) that will be used for workload identity.

# Create a new GCP Service Account
gcloud iam service-accounts create ${GSA_NAME} \
  --display-name "Workload Identity experiment SA"

10. Bind IAM Policies to the GCP Service Account

Bind the necessary IAM policies to the GCP Service Account, allowing it to be used by the Kubernetes Service Account and to list GCS buckets.

# Bind IAM policy for Workload Identity User
gcloud iam service-accounts add-iam-policy-binding ${GSA_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com \
  --member "serviceAccount:${GCP_PROJECT_ID}.svc.id.goog[${VCLUSTER_NAME}/${KSA_NAME}]" \
  --role "roles/iam.workloadIdentityUser"

# Bind IAM policy for Storage Object Viewer
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member "serviceAccount:${GSA_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/storage.objectViewer"

# Add IAM policy binding to the GCP project
gcloud projects add-iam-policy-binding ${GCP_PROJECT_ID} \
  --member "serviceAccount:${GSA_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
  --role "roles/editor"

11. Annotate the Kubernetes Service Account

Annotate the Kubernetes Service Account with the GCP Service Account email.

# Annotate the Kubernetes Service Account
kubectl annotate serviceaccount \
  --namespace ${VCLUSTER_KSA_NAMESPACE} \
  ${VCLUSTER_KSA_NAME} \
  iam.gke.io/gcp-service-account=${GSA_NAME}@${GCP_PROJECT_ID}.iam.gserviceaccount.com

12. Verify the Setup

Verify that the setup is complete and the pod is able to list the GCS buckets using the IAM role.

kubectl logs -l app=gcs-list-buckets -n default

Following these steps will integrate your GCP Service Account with your vCluster, allowing you to manage resources securely and efficiently.

Prerequisites​

Step-by-Step Guide​

1. Start vCluster Platform and create access key​

2. Set Up Environment Variables​

3. Read Updated Name From vCluster Platform API​

4. Create vCluster Configuration​

5. Deploy vCluster​

6. Connect to vCluster​

7. Create Example Workload​

9. Create a GCP Service Account​

10. Bind IAM Policies to the GCP Service Account​

11. Annotate the Kubernetes Service Account​

12. Verify the Setup​