vcluster.yaml configuration
| Enterprise | ||||
|---|---|---|---|---|
| Available in these plans | Free | Dev | Prod | Scale |
| Auto Sleep | ||||
| Generic Sync | ||||
| Isolated Control Plane | Add-On | Add-On | Add-On | |
| Private Nodes | ||||
| Private Nodes Auto Nodes | ||||
| Private Nodes VPN | ||||
The vcluster.yaml configuration file defines how your virtual cluster operates and integrates with the host cluster. Use the vcluster.yaml file to configure vCluster. It allows you to override default settings by specifying resource sync rules, networking behavior, storage options, and authentication methods.
If you're familiar with Helm, you can use vcluster.yaml in the same way as a values.yaml file. All vCluster deployment methods are based on Helm, which ensures consistent behavior across environments.
The configuration file controls resource synchronization between the host cluster and the virtual cluster, network access methods, storage persistence, authentication settings, and external service integrations. You can apply most configurations during deployment or upgrades, though some settings like the data store must be configured during initial deployment.
To explore configuration options, review the vCluster chart values file for default settings and available parameters. The vCluster Helm chart also includes a JSON schema for validating vcluster.yaml. For more information on configuration structure, see What is vcluster.yaml?.
Deploy a virtual cluster
Before you deploy, you should review the different tenancy models to determine how the infrastructure of the virtual cluster will be configured.
Once you've determined your tenancy model, read the different ways to deploy:
Config reference
controlPlane required object
Configure vCluster's control plane components and deployment.
controlPlane required object endpoint required string
Endpoint is the endpoint of the virtual cluster. This is used to connect to the virtual cluster.
endpoint required string distro required object
Distro holds virtual cluster related distro options. A distro cannot be changed after vCluster is deployed, with one exception: starting with vCluster 0.25.0, migration from K3s to K8s is supported. For more details, see the K3s to K8s migration guide.
distro required object k8s required object
K8S holds K8s relevant configuration.
k8s required object enabled required boolean false
Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.
enabled required boolean false version required string
Version is the Kubernetes version to use.
version required string apiServer required object
APIServer holds configuration specific to starting the api server.
apiServer required object controllerManager required object
ControllerManager holds configuration specific to starting the controller manager.
controllerManager required object scheduler required object
Scheduler holds configuration specific to starting the scheduler.
scheduler required object image required object
Image is the distro image
image required object registry required string ghcr.io
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally
overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
registry required string ghcr.io repository required string loft-sh/kubernetes
Repository is the repository of the container image, e.g. my-repo/my-image
repository required string loft-sh/kubernetes tag required string v1.35.0
Tag is the tag of the container image, and is the default version.
tag required string v1.35.0 imagePullPolicy required string
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy required string env required object[] []
Env are extra environment variables to use for the main container and NOT the init container.
env required object[] [] resources required object map[limits:map[cpu:100m memory:256Mi] requests:map[cpu:40m memory:64Mi]]
Resources for the distro init container
resources required object map[limits:map[cpu:100m memory:256Mi] requests:map[cpu:40m memory:64Mi]] securityContext required object {}
Security options can be used for the distro init container
securityContext required object {} k3s required object
[Deprecated] K3S holds K3s relevant configuration.
k3s required object enabled required boolean false
Enabled specifies if the K3s distro should be enabled. Only one distro can be enabled at the same time.
enabled required boolean false token required string
Token is the K3s token to use. If empty, vCluster will choose one.
token required string image required object
Image is the distro image
image required object registry required string
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally
overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
registry required string repository required string rancher/k3s
Repository is the repository of the container image, e.g. my-repo/my-image
repository required string rancher/k3s tag required string v1.35.0-k3s1
Tag is the tag of the container image, and is the default version.
tag required string v1.35.0-k3s1 imagePullPolicy required string
ImagePullPolicy is the pull policy for the distro image
imagePullPolicy required string env required object[]
Env are extra environment variables to use for the main container and NOT the init container.
env required object[] resources required object map[limits:map[cpu:100m memory:256Mi] requests:map[cpu:40m memory:64Mi]]
Resources for the distro init container
resources required object map[limits:map[cpu:100m memory:256Mi] requests:map[cpu:40m memory:64Mi]] securityContext required object {}
Security options can be used for the distro init container
securityContext required object {} command required string[] []
Command is the command to start the distro binary. This will override the existing command.
command required string[] [] extraArgs required string[] []
ExtraArgs are additional arguments to pass to the distro binary.
extraArgs required string[] [] standalone required object
Standalone holds configuration for standalone mode. Standalone mode is set automatically when no container is detected and
also implies privateNodes.enabled.
standalone required object enabled required boolean
Enabled defines if standalone mode should be enabled.
enabled required boolean dataDir required string /var/lib/vcluster
DataDir defines the data directory for the standalone mode.
dataDir required string /var/lib/vcluster autoNodes required object
AutoNodes automatically deploys nodes for standalone mode.
autoNodes required object provider required string
Provider is the node provider of the nodes in this pool.
provider required string quantity required integer
Quantity is the number of nodes to deploy for standalone mode.
quantity required integer nodeTypeSelector required object[]
NodeTypeSelector filters the types of nodes that can be provisioned by this pool.
All requirements must be met for a node type to be eligible.
nodeTypeSelector required object[] property required string
Property is the property on the node type to select.
property required string operator required string
Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".
operator required string values required string[]
Values is the list of values to use for comparison. This is mutually exclusive with value.
values required string[] value required string
Value is the value to use for comparison. This is mutually exclusive with values.
value required string joinNode required object
JoinNode holds configuration for the standalone control plane node.
joinNode required object enabled required boolean true
Enabled defines if the standalone node should be joined into the cluster. If false, only the control plane binaries will be executed and no node will show up in the actual cluster.
enabled required boolean true preInstallCommands required string[]
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
preInstallCommands required string[] preJoinCommands required string[]
PreJoinCommands are commands that will be executed before kubeadm join is executed.
preJoinCommands required string[] postJoinCommands required string[]
PostJoinCommands are commands that will be executed after kubeadm join is executed.
postJoinCommands required string[] containerd required object
Containerd holds configuration for the containerd join process.
containerd required object enabled required boolean true
Enabled defines if containerd should be installed and configured by vCluster.
enabled required boolean true registry required object
Registry holds configuration for how containerd should be configured to use a registries.
registry required object configPath required string
ConfigPath is the path to the containerd registry config.
configPath required string mirrors required {key: object}
Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
mirrors required {key: object} server required string
Server is the fallback server to use for the containerd registry mirror. E.g. https://registry-1.docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
server required string caCert required string[]
CACert are paths to CA certificates to use for the containerd registry mirror.
caCert required string[] skipVerify required boolean
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
skipVerify required boolean capabilities required string[]
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
capabilities required string[] overridePath required boolean
OverridePath is a boolean to override the path for the containerd registry mirror.
overridePath required boolean hosts required object[]
Hosts holds configuration for the containerd registry mirror hosts. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
hosts required object[] server required string
Server is the server to use for the containerd registry mirror host. E.g. http://192.168.31.250:5000.
server required string caCert required string[]
CACert are paths to CA certificates to use for the containerd registry mirror host.
caCert required string[] skipVerify required boolean
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
skipVerify required boolean capabilities required string[]
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
capabilities required string[] overridePath required boolean
OverridePath is a boolean to override the path for the containerd registry mirror.
overridePath required boolean auth required {key: object}
Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.
auth required {key: object} username required string
Username is the username for the containerd registry.
username required string password required string
Password is the password for the containerd registry.
password required string identityToken required string
IdentityToken is the token for the containerd registry.
identityToken required string auth required string
Auth is the auth config for the containerd registry.
auth required string pauseImage required string
PauseImage is the image for the pause container.
pauseImage required string caCertPath required string
CACertPath is the path to the SSL certificate authority used to
secure communications between node and control-plane.
Defaults to "/etc/kubernetes/pki/ca.crt".
caCertPath required string skipPhases required string[]
SkipPhases is a list of phases to skip during command execution.
The list of phases can be obtained with the "kubeadm join --help" command.
skipPhases required string[] nodeRegistration required object
NodeRegistration holds configuration for the node registration similar to the kubeadm node registration.
nodeRegistration required object criSocket required string
CRI socket is the socket for the CRI.
criSocket required string kubeletExtraArgs required object[]
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file
kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap
Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
An argument name in this list is the flag name as it appears on the command line except without leading dash(es).
Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
kubeletExtraArgs required object[] taints required object[]
Taints are additional taints to set for the kubelet.
taints required object[] ignorePreflightErrors required string[]
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'.
Value 'all' ignores errors from all checks.
ignorePreflightErrors required string[] imagePullPolicy required string
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations.
The value of this field must be one of "Always", "IfNotPresent" or "Never".
If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
imagePullPolicy required string backingStore required object
BackingStore defines which backing store to use for virtual cluster. If not defined will use embedded database as a default backing store.
backingStore required object etcd required object
Etcd defines that etcd should be used as the backend for the virtual cluster
etcd required object embedded required object
Embedded defines to use embedded etcd as a storage backend for the virtual cluster
embedded required object enabled required boolean false
Enabled defines if the embedded etcd should be used.
enabled required boolean false migrateFromDeployedEtcd required boolean false
MigrateFromDeployedEtcd signals that vCluster should migrate from the deployed external etcd to embedded etcd.
migrateFromDeployedEtcd required boolean false snapshotCount required integer
SnapshotCount defines the number of snapshots to keep for the embedded etcd. Defaults to 10000 if less than 1.
snapshotCount required integer extraArgs required string[] []
ExtraArgs are additional arguments to pass to the embedded etcd.
extraArgs required string[] [] deploy required object
Deploy defines to use an external etcd that is deployed by the helm chart
deploy required object enabled required boolean false
Enabled defines that an external etcd should be deployed.
enabled required boolean false statefulSet required object
StatefulSet holds options for the external etcd statefulSet.
statefulSet required object enabled required boolean true
Enabled defines if the statefulSet should be deployed
enabled required boolean true enableServiceLinks required boolean true
EnableServiceLinks for the StatefulSet pod
enableServiceLinks required boolean true image required object
Image is the image to use for the external etcd statefulSet
image required object registry required string registry.k8s.io
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally
overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
registry required string registry.k8s.io repository required string etcd
Repository is the repository of the container image, e.g. my-repo/my-image
repository required string etcd tag required string 3.6.4-0
Tag is the tag of the container image, and is the default version.
tag required string 3.6.4-0 imagePullPolicy required string
ImagePullPolicy is the pull policy for the external etcd image
imagePullPolicy required string env required object[] []
Env are extra environment variables
env required object[] [] extraArgs required string[] []
ExtraArgs are appended to the etcd command.
extraArgs required string[] [] resources required object
Resources the etcd can consume
resources required object pods required object
Pods defines extra metadata for the etcd pods.
pods required object highAvailability required object
HighAvailability are high availability options
highAvailability required object replicas required integer 1
Replicas are the amount of pods to use.
replicas required integer 1 scheduling required object
Scheduling options for the etcd pods.
scheduling required object nodeSelector required object {}
NodeSelector is the node selector to apply to the pod.
nodeSelector required object {} affinity required object {}
Affinity is the affinity to apply to the pod.
affinity required object {} tolerations required object[] []
Tolerations are the tolerations to apply to the pod.
tolerations required object[] [] priorityClassName required string
PriorityClassName is the priority class name for the the pod.
priorityClassName required string podManagementPolicy required string Parallel
PodManagementPolicy is the statefulSet pod management policy.
podManagementPolicy required string Parallel topologySpreadConstraints required object[] []
TopologySpreadConstraints are the topology spread constraints for the pod.
topologySpreadConstraints required object[] [] security required object
Security options for the etcd pods.
security required object persistence required object
Persistence options for the etcd pods.
persistence required object volumeClaim required object
VolumeClaim can be used to configure the persistent volume claim.
volumeClaim required object enabled required boolean true
Enabled enables deploying a persistent volume claim.
enabled required boolean true accessModes required string[] [ReadWriteOnce]
AccessModes are the persistent volume claim access modes.
accessModes required string[] [ReadWriteOnce] retentionPolicy required string Retain
RetentionPolicy is the persistent volume claim retention policy.
retentionPolicy required string Retain size required string 5Gi
Size is the persistent volume claim storage size.
size required string 5Gi storageClass required string
StorageClass is the persistent volume claim storage class.
storageClass required string volumeClaimTemplates required object[] []
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
volumeClaimTemplates required object[] [] addVolumes required object[] []
AddVolumes defines extra volumes for the pod
addVolumes required object[] [] addVolumeMounts required object[]
AddVolumeMounts defines extra volume mounts for the container
addVolumeMounts required object[] name required string
This must match the Name of a Volume.
name required string readOnly required boolean
Mounted read-only if true, read-write otherwise (false or unspecified).
Defaults to false.
readOnly required boolean mountPath required string
Path within the container at which the volume should be mounted. Must
not contain ':'.
mountPath required string subPath required string
Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
subPath required string mountPropagation required string
mountPropagation determines how mounts are propagated from the host
to container and the other way around.
When not set, MountPropagationNone is used.
This field is beta in 1.10.
mountPropagation required string subPathExpr required string
Expanded path within the volume from which the container's volume should be mounted.
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
Defaults to "" (volume's root).
SubPathExpr and SubPath are mutually exclusive.
subPathExpr required string annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} labels required object {}
Labels are extra labels for this resource.
labels required object {} service required object
Service holds options for the external etcd service.
service required object external required object
External defines to use a self-hosted external etcd that is not deployed by the helm chart
external required object database required object
Database defines that a database backend should be used as the backend for the virtual cluster. This uses a project called kine under the hood which is a shim for bridging Kubernetes and relational databases.
database required object embedded required object
Embedded defines that an embedded database (sqlite) should be used as the backend for the virtual cluster
embedded required object enabled required boolean false
Enabled defines if the database should be used.
enabled required boolean false dataSource required string
DataSource is the kine dataSource to use for the database. This depends on the database format.
This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/k3s
- postgres: postgres://username:password@hostname:5432/k3s
dataSource required string identityProvider required string
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security.
This is optional for the external database. Examples:
- aws: RDS IAM Authentication
identityProvider required string keyFile required string
KeyFile is the key file to use for the database. This is optional.
keyFile required string certFile required string
CertFile is the cert file to use for the database. This is optional.
certFile required string caFile required string
CaFile is the ca file to use for the database. This is optional.
caFile required string extraArgs required string[] []
ExtraArgs are additional arguments to pass to Kine.
extraArgs required string[] [] external required object
External defines that an external database should be used as the backend for the virtual cluster
external required object enabled required boolean false
Enabled defines if the database should be used.
enabled required boolean false dataSource required string
DataSource is the kine dataSource to use for the database. This depends on the database format.
This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/k3s
- postgres: postgres://username:password@hostname:5432/k3s
dataSource required string identityProvider required string
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security.
This is optional for the external database. Examples:
- aws: RDS IAM Authentication
identityProvider required string keyFile required string
KeyFile is the key file to use for the database. This is optional.
keyFile required string certFile required string
CertFile is the cert file to use for the database. This is optional.
certFile required string caFile required string
CaFile is the ca file to use for the database. This is optional.
caFile required string extraArgs required string[] []
ExtraArgs are additional arguments to pass to Kine.
extraArgs required string[] [] connector required string
Connector specifies a secret located in a connected vCluster Platform that contains database server connection information
to be used by Platform to create a database and database user for the vCluster.
and non-privileged user. A kine endpoint should be created using the database and user on Platform registration.
This is optional.
connector required string coredns required object
CoreDNS defines everything related to the coredns that is deployed and used within the vCluster.
coredns required object enabled required boolean true
Enabled defines if coredns is enabled
enabled required boolean true embedded required boolean false
Embedded defines if vCluster will start the embedded coredns service within the control-plane and not as a separate deployment. This is a PRO feature.
embedded required boolean false security required object
Security defines pod or container security context.
security required object service required object
Service holds extra options for the coredns service deployed within the virtual cluster
service required object deployment required object
Deployment holds extra options for the coredns deployment deployed within the virtual cluster
deployment required object image required string
Image is the coredns image to use
image required string replicas required integer 1
Replicas is the amount of coredns pods to run.
replicas required integer 1 nodeSelector required object {}
NodeSelector is the node selector to use for coredns.
nodeSelector required object {} affinity required object {}
Affinity is the affinity to apply to the pod.
affinity required object {} tolerations required object[] []
Tolerations are the tolerations to apply to the pod.
tolerations required object[] [] resources required object
Resources are the desired resources for coredns.
resources required object pods required object
Pods is additional metadata for the coredns pods.
pods required object annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} labels required object {}
Labels are extra labels for this resource.
labels required object {} topologySpreadConstraints required object[] [map[labelSelector:map[matchLabels:map[k8s-app:vcluster-kube-dns]] maxSkew:1 topologyKey:kubernetes.io/hostname whenUnsatisfiable:DoNotSchedule]]
TopologySpreadConstraints are the topology spread constraints for the CoreDNS pod.
topologySpreadConstraints required object[] [map[labelSelector:map[matchLabels:map[k8s-app:vcluster-kube-dns]] maxSkew:1 topologyKey:kubernetes.io/hostname whenUnsatisfiable:DoNotSchedule]] overwriteConfig required string
OverwriteConfig can be used to overwrite the coredns config
overwriteConfig required string overwriteManifests required string
OverwriteManifests can be used to overwrite the coredns manifests used to deploy coredns
overwriteManifests required string priorityClassName required string
PriorityClassName specifies the priority class name for the CoreDNS pods.
priorityClassName required string proxy required object
Proxy defines options for the virtual cluster control plane proxy that is used to do authentication and intercept requests.
proxy required object bindAddress required string 0.0.0.0
BindAddress under which vCluster will expose the proxy.
bindAddress required string 0.0.0.0 port required integer 8443
Port under which vCluster will expose the proxy. Changing port is currently not supported.
port required integer 8443 extraSANs required string[] []
ExtraSANs are extra hostnames to sign the vCluster proxy certificate for.
extraSANs required string[] [] hostPathMapper required object
HostPathMapper defines if vCluster should rewrite host paths.
hostPathMapper required object ingress required object
Ingress defines options for vCluster ingress deployed by Helm.
ingress required object enabled required boolean false
Enabled defines if the control plane ingress should be enabled
enabled required boolean false host required string my-host.com
Host is the host where vCluster will be reachable
host required string my-host.com pathType required string ImplementationSpecific
PathType is the path type of the ingress
pathType required string ImplementationSpecific spec required object map[tls:[]]
Spec allows you to configure extra ingress options.
spec required object map[tls:[]] annotations required object map[nginx.ingress.kubernetes.io/backend-protocol:HTTPS nginx.ingress.kubernetes.io/ssl-passthrough:true nginx.ingress.kubernetes.io/ssl-redirect:true]
Annotations are extra annotations for this resource.
annotations required object map[nginx.ingress.kubernetes.io/backend-protocol:HTTPS nginx.ingress.kubernetes.io/ssl-passthrough:true nginx.ingress.kubernetes.io/ssl-redirect:true] labels required object {}
Labels are extra labels for this resource.
labels required object {} service required object
Service defines options for vCluster service deployed by Helm.
service required object enabled required boolean true
Enabled defines if the control plane service should be enabled
enabled required boolean true spec required object map[type:ClusterIP]
Spec allows you to configure extra service options.
spec required object map[type:ClusterIP] kubeletNodePort required integer 0
KubeletNodePort is the node port where the fake kubelet is exposed. Defaults to 0.
kubeletNodePort required integer 0 httpsNodePort required integer 0
HTTPSNodePort is the node port where https is exposed. Defaults to 0.
httpsNodePort required integer 0 annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} labels required object {}
Labels are extra labels for this resource.
labels required object {} statefulSet required object
StatefulSet defines options for vCluster statefulSet deployed by Helm.
statefulSet required object highAvailability required object
HighAvailability holds options related to high availability.
highAvailability required object replicas required integer 1
Replicas is the amount of replicas to use for the statefulSet.
replicas required integer 1 leaseDuration required integer 60
LeaseDuration is the time to lease for the leader.
leaseDuration required integer 60 renewDeadline required integer 40
RenewDeadline is the deadline to renew a lease for the leader.
renewDeadline required integer 40 retryPeriod required integer 15
RetryPeriod is the time until a replica will retry to get a lease.
retryPeriod required integer 15 resources required object
Resources are the resource requests and limits for the statefulSet container.
resources required object scheduling required object
Scheduling holds options related to scheduling.
scheduling required object nodeSelector required object {}
NodeSelector is the node selector to apply to the pod.
nodeSelector required object {} affinity required object {}
Affinity is the affinity to apply to the pod.
affinity required object {} tolerations required object[] []
Tolerations are the tolerations to apply to the pod.
tolerations required object[] [] priorityClassName required string
PriorityClassName is the priority class name for the the pod.
priorityClassName required string podManagementPolicy required string Parallel
PodManagementPolicy is the statefulSet pod management policy.
podManagementPolicy required string Parallel topologySpreadConstraints required object[] []
TopologySpreadConstraints are the topology spread constraints for the pod.
topologySpreadConstraints required object[] [] security required object
Security defines pod or container security context.
security required object probes required object
Probes enables or disables the main container probes.
probes required object livenessProbe required object
LivenessProbe specifies if the liveness probe for the container should be enabled
livenessProbe required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true failureThreshold required integer 60
Number of consecutive failures for the probe to be considered failed
failureThreshold required integer 60 initialDelaySeconds required integer 60
Time (in seconds) to wait before starting the liveness probe
initialDelaySeconds required integer 60 timeoutSeconds required integer 3
Maximum duration (in seconds) that the probe will wait for a response.
timeoutSeconds required integer 3 periodSeconds required integer 2
Frequency (in seconds) to perform the probe
periodSeconds required integer 2 readinessProbe required object
ReadinessProbe specifies if the readiness probe for the container should be enabled
readinessProbe required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true failureThreshold required integer 60
Number of consecutive failures for the probe to be considered failed
failureThreshold required integer 60 timeoutSeconds required integer 3
Maximum duration (in seconds) that the probe will wait for a response.
timeoutSeconds required integer 3 periodSeconds required integer 2
Frequency (in seconds) to perform the probe
periodSeconds required integer 2 startupProbe required object
StartupProbe specifies if the startup probe for the container should be enabled
startupProbe required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true failureThreshold required integer 300
Number of consecutive failures allowed before failing the pod
failureThreshold required integer 300 timeoutSeconds required integer 3
Maximum duration (in seconds) that the probe will wait for a response.
timeoutSeconds required integer 3 periodSeconds required integer 6
Frequency (in seconds) to perform the probe
periodSeconds required integer 6 persistence required object
Persistence defines options around persistence for the statefulSet.
persistence required object volumeClaim required object
VolumeClaim can be used to configure the persistent volume claim.
volumeClaim required object enabled required string|boolean auto
Enabled enables deploying a persistent volume claim. If auto, vCluster will automatically determine
based on the chosen distro and other options if this is required.
enabled required string|boolean auto accessModes required string[] [ReadWriteOnce]
AccessModes are the persistent volume claim access modes.
accessModes required string[] [ReadWriteOnce] retentionPolicy required string Retain
RetentionPolicy is the persistent volume claim retention policy.
retentionPolicy required string Retain size required string 5Gi
Size is the persistent volume claim storage size.
size required string 5Gi storageClass required string
StorageClass is the persistent volume claim storage class.
storageClass required string volumeClaimTemplates required object[] []
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
volumeClaimTemplates required object[] [] dataVolume required object[] []
Allows you to override the dataVolume. Only works correctly if volumeClaim.enabled=false.
dataVolume required object[] [] binariesVolume required object[] [map[emptyDir:map[] name:binaries]]
BinariesVolume defines a binaries volume that is used to retrieve
distro specific executables to be run by the syncer controller.
This volume doesn't need to be persistent.
binariesVolume required object[] [map[emptyDir:map[] name:binaries]] addVolumes required object[] []
AddVolumes defines extra volumes for the pod
addVolumes required object[] [] addVolumeMounts required object[]
AddVolumeMounts defines extra volume mounts for the container
addVolumeMounts required object[] name required string
This must match the Name of a Volume.
name required string readOnly required boolean
Mounted read-only if true, read-write otherwise (false or unspecified).
Defaults to false.
readOnly required boolean mountPath required string
Path within the container at which the volume should be mounted. Must
not contain ':'.
mountPath required string subPath required string
Path within the volume from which the container's volume should be mounted.
Defaults to "" (volume's root).
subPath required string mountPropagation required string
mountPropagation determines how mounts are propagated from the host
to container and the other way around.
When not set, MountPropagationNone is used.
This field is beta in 1.10.
mountPropagation required string subPathExpr required string
Expanded path within the volume from which the container's volume should be mounted.
Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment.
Defaults to "" (volume's root).
SubPathExpr and SubPath are mutually exclusive.
subPathExpr required string enableServiceLinks required boolean true
EnableServiceLinks for the StatefulSet pod
enableServiceLinks required boolean true annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} labels required object {}
Labels are extra labels for this resource.
labels required object {} pods required object
Additional labels or annotations for the statefulSet pods.
pods required object image required object
Image is the image for the controlPlane statefulSet container
It defaults to the vCluster pro repository that includes the optional pro modules that are turned off by default.
If you still want to use the pure OSS build, set the repository to 'loft-sh/vcluster-oss'.
image required object registry required string ghcr.io
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally
overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
registry required string ghcr.io repository required string loft-sh/vcluster-pro
Repository is the repository of the container image, e.g. my-repo/my-image
repository required string loft-sh/vcluster-pro tag required string
Tag is the tag of the container image, and is the default version.
tag required string imagePullPolicy required string
ImagePullPolicy is the policy how to pull the image.
imagePullPolicy required string workingDir required string
WorkingDir specifies in what folder the main process should get started.
workingDir required string command required string[] []
Command allows you to override the main command.
command required string[] [] args required string[] []
Args allows you to override the main arguments.
args required string[] [] env required object[] []
Env are additional environment variables for the statefulSet container.
env required object[] [] dnsPolicy required string
Set DNS policy for the pod.
dnsPolicy required string dnsConfig required object
Specifies the DNS parameters of a pod.
dnsConfig required object nameservers required string[]
A list of DNS name server IP addresses.
This will be appended to the base nameservers generated from DNSPolicy.
Duplicated nameservers will be removed.
nameservers required string[] searches required string[]
A list of DNS search domains for host-name lookup.
This will be appended to the base search paths generated from DNSPolicy.
Duplicated search paths will be removed.
searches required string[] options required object[]
A list of DNS resolver options.
This will be merged with the base options generated from DNSPolicy.
Duplicated entries will be removed. Resolution options given in Options
will override those that appear in the base DNSPolicy.
options required object[] initContainers required object[] []
InitContainers are additional init containers for the statefulSet.
initContainers required object[] [] sidecarContainers required object[] []
SidecarContainers are additional sidecar containers for the statefulSet.
sidecarContainers required object[] [] serviceMonitor required object
ServiceMonitor can be used to automatically create a service monitor for vCluster deployment itself.
serviceMonitor required object advanced required object
Advanced holds additional configuration for the vCluster control plane.
advanced required object defaultImageRegistry required string
DefaultImageRegistry will be used as a prefix for all internal images deployed by vCluster or Helm. This makes it easy to
upload all required vCluster images to a single private repository and set this value. Workload images are not affected by this.
defaultImageRegistry required string virtualScheduler required object
VirtualScheduler defines if a scheduler should be used within the virtual cluster or the scheduling decision for workloads will be made by the host cluster.
Deprecated: Use ControlPlane.Distro.K8S.Scheduler instead.
virtualScheduler required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false serviceAccount required object
ServiceAccount specifies options for the vCluster control plane service account.
serviceAccount required object enabled required boolean true
Enabled specifies if the service account should get deployed.
enabled required boolean true name required string
Name specifies what name to use for the service account.
name required string imagePullSecrets required object[]
ImagePullSecrets defines extra image pull secrets for the service account.
imagePullSecrets required object[] name required string
Name of the image pull secret to use.
name required string annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} labels required object {}
Labels are extra labels for this resource.
labels required object {} workloadServiceAccount required object
WorkloadServiceAccount specifies options for the service account that will be used for the workloads that run within the virtual cluster.
workloadServiceAccount required object enabled required boolean true
Enabled specifies if the service account for the workloads should get deployed.
enabled required boolean true name required string
Name specifies what name to use for the service account for the virtual cluster workloads.
name required string imagePullSecrets required object[]
ImagePullSecrets defines extra image pull secrets for the workload service account.
imagePullSecrets required object[] name required string
Name of the image pull secret to use.
name required string annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} labels required object {}
Labels are extra labels for this resource.
labels required object {} headlessService required object
HeadlessService specifies options for the headless service used for the vCluster StatefulSet.
headlessService required object konnectivity required object
Konnectivity holds dedicated konnectivity configuration. This is only available when privateNodes.enabled is true.
konnectivity required object server required object
Server holds configuration for the konnectivity server.
server required object agent required object
Agent holds configuration for the konnectivity agent.
agent required object enabled required boolean true
Enabled defines if the konnectivity agent should be enabled.
enabled required boolean true replicas required integer 1
Replicas is the number of replicas for the konnectivity agent.
replicas required integer 1 image required string
Image is the image for the konnectivity agent.
image required string imagePullPolicy required string
ImagePullPolicy is the policy how to pull the image.
imagePullPolicy required string nodeSelector required object {}
NodeSelector is the node selector for the konnectivity agent.
nodeSelector required object {} priorityClassName required string
PriorityClassName is the priority class name for the konnectivity agent.
priorityClassName required string tolerations required object[] []
Tolerations is the tolerations for the konnectivity agent.
tolerations required object[] [] extraEnv required object[] []
ExtraEnv is the extra environment variables for the konnectivity agent.
extraEnv required object[] [] extraArgs required string[] []
ExtraArgs are additional arguments to pass to the konnectivity agent.
extraArgs required string[] [] registry required object
Registry allows enabling an embedded docker image registry in vCluster. This is useful for air-gapped environments or when you don't have a public registry available to distribute images.
registry required object enabled required boolean false
Enabled defines if the embedded registry should be enabled.
enabled required boolean false anonymousPull required boolean true
AnonymousPull allows enabling anonymous pull for the embedded registry. This allows anybody to pull images from the registry without authentication.
anonymousPull required boolean true config required object {}
Config is the regular docker registry config. See https://distribution.github.io/distribution/about/configuration/ for more details.
config required object {} cloudControllerManager required object
CloudControllerManager holds configuration for the embedded cloud controller manager. This is only available when private nodes are enabled.
The cloud controller manager is responsible for setting the node's ip addresses as well as the provider id for the node and other node metadata.
cloudControllerManager required object enabled required boolean true
Enabled defines if the embedded cloud controller manager should be enabled. This defaults to true, but can be disabled if you want to use
an external cloud controller manager such as AWS or GCP. The cloud controller manager is responsible for setting the node's ip addresses as well
as the provider id for the node and other node metadata.
enabled required boolean true globalMetadata required object
GlobalMetadata is metadata that will be added to all resources deployed by Helm.
globalMetadata required object annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} kubeVip required object
KubeVip holds configuration for embedded kube-vip that announces the virtual cluster endpoint IP on layer 2.
kubeVip required object enabled required boolean false
Enabled defines if embedded kube-vip should be enabled.
enabled required boolean false interface required string
Interface is the network interface on which the VIP is announced.
interface required string gateway required string
Gateway is the gateway address in CIDR notation (e.g., 10.100.0.1/24).
This is used to configure policy-based routing for the VIP and must include the subnet prefix.
gateway required string podDisruptionBudget required object
PodDisruptionBudget limits how many pods of an application can be voluntarily disrupted at once
to ensure availability during maintenance or scaling operations.
podDisruptionBudget required object enabled required boolean false
Enabled defines if the pod disruption budget should be enabled.
enabled required boolean false minAvailable required object
MinAvailable describes the minimal number or percentage of available pods.
minAvailable required object maxUnavailable required object
MaxUnavailable describes the minimal number or percentage of unavailable pods.
maxUnavailable required object unhealthyPodEvictionPolicy required string
UnhealthyPodEvictionPolicy defines the criteria when unhealthy pods should be considered for eviction.
Currently supported values are:
- IfHealthyBudget - pods that are in the Running phase but not yet healthy are considered disrupted
and may be evicted even if the PodDisruptionBudget criteria are not met.
- AlwaysAllow - pods that are in the Running phase but not yet healthy are considered disrupted
and can be evicted regardless of whether the criteria in a PDB is met.
unhealthyPodEvictionPolicy required string logging required object
Logging provides structured logging options
logging required object encoding required string console
Encoding specifies the format of vCluster logs, it can either be json or console.
encoding required string console privateNodes required object
PrivateNodes holds configuration for vCluster private nodes mode.
privateNodes required object enabled required boolean false
Enabled defines if dedicated nodes should be enabled.
enabled required boolean false kubelet required object
Kubelet holds kubelet configuration that is used for all nodes.
kubelet required object config required object {}
Config is the config for the kubelet that will be merged into the default kubelet config. More information can be found here:
https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration
config required object {} autoUpgrade required object
AutoUpgrade holds configuration for auto upgrade.
autoUpgrade required object enabled required boolean true
Enabled defines if auto upgrade should be enabled.
enabled required boolean true image required string
Image is the image for the auto upgrade pod started by vCluster. If empty defaults to the controlPlane.statefulSet.image.
image required string imagePullPolicy required string
ImagePullPolicy is the policy how to pull the image.
imagePullPolicy required string nodeSelector required object
NodeSelector is the node selector for the auto upgrade. If empty will select all worker nodes.
nodeSelector required object binariesPath required string
BinariesPath is the base path for the kubeadm binaries. Defaults to /usr/local/bin
binariesPath required string cniBinariesPath required string
CNIBinariesPath is the base path for the CNI binaries. Defaults to /opt/cni/bin
cniBinariesPath required string concurrency required integer 1
Concurrency is the number of nodes that can be upgraded at the same time.
concurrency required integer 1 joinNode required object
JoinNode holds configuration specifically used during joining the node (see "kubeadm join").
joinNode required object preInstallCommands required string[]
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
preInstallCommands required string[] preJoinCommands required string[]
PreJoinCommands are commands that will be executed before kubeadm join is executed.
preJoinCommands required string[] postJoinCommands required string[]
PostJoinCommands are commands that will be executed after kubeadm join is executed.
postJoinCommands required string[] containerd required object
Containerd holds configuration for the containerd join process.
containerd required object enabled required boolean true
Enabled defines if containerd should be installed and configured by vCluster.
enabled required boolean true registry required object
Registry holds configuration for how containerd should be configured to use a registries.
registry required object configPath required string
ConfigPath is the path to the containerd registry config.
configPath required string mirrors required {key: object}
Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
mirrors required {key: object} server required string
Server is the fallback server to use for the containerd registry mirror. E.g. https://registry-1.docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
server required string caCert required string[]
CACert are paths to CA certificates to use for the containerd registry mirror.
caCert required string[] skipVerify required boolean
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
skipVerify required boolean capabilities required string[]
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
capabilities required string[] overridePath required boolean
OverridePath is a boolean to override the path for the containerd registry mirror.
overridePath required boolean hosts required object[]
Hosts holds configuration for the containerd registry mirror hosts. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
hosts required object[] server required string
Server is the server to use for the containerd registry mirror host. E.g. http://192.168.31.250:5000.
server required string caCert required string[]
CACert are paths to CA certificates to use for the containerd registry mirror host.
caCert required string[] skipVerify required boolean
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
skipVerify required boolean capabilities required string[]
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
capabilities required string[] overridePath required boolean
OverridePath is a boolean to override the path for the containerd registry mirror.
overridePath required boolean auth required {key: object}
Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.
auth required {key: object} username required string
Username is the username for the containerd registry.
username required string password required string
Password is the password for the containerd registry.
password required string identityToken required string
IdentityToken is the token for the containerd registry.
identityToken required string auth required string
Auth is the auth config for the containerd registry.
auth required string pauseImage required string
PauseImage is the image for the pause container.
pauseImage required string caCertPath required string
CACertPath is the path to the SSL certificate authority used to
secure communications between node and control-plane.
Defaults to "/etc/kubernetes/pki/ca.crt".
caCertPath required string skipPhases required string[]
SkipPhases is a list of phases to skip during command execution.
The list of phases can be obtained with the "kubeadm join --help" command.
skipPhases required string[] nodeRegistration required object
NodeRegistration holds configuration for the node registration similar to the kubeadm node registration.
nodeRegistration required object criSocket required string
CRI socket is the socket for the CRI.
criSocket required string kubeletExtraArgs required object[]
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file
kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap
Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on.
An argument name in this list is the flag name as it appears on the command line except without leading dash(es).
Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
kubeletExtraArgs required object[] taints required object[]
Taints are additional taints to set for the kubelet.
taints required object[] ignorePreflightErrors required string[]
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'.
Value 'all' ignores errors from all checks.
ignorePreflightErrors required string[] imagePullPolicy required string
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations.
The value of this field must be one of "Always", "IfNotPresent" or "Never".
If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
imagePullPolicy required string autoNodes required object[]
AutoNodes stores auto nodes configuration.
autoNodes required object[] provider required string
Provider is the node provider of the nodes in this pool.
provider required string properties required object
Properties are the node provider properties. This is a simple key value map and can contain things
like region, subscription, etc. that is then used by the node provider to create the nodes and node environment.
properties required object static required object[]
Static defines static node pools. Static node pools have a fixed size and are not scaled automatically.
static required object[] name required string
Name is the name of this static nodePool
name required string nodeTypeSelector required object[]
NodeTypeSelector filters the types of nodes that can be provisioned by this pool.
All requirements must be met for a node type to be eligible.
nodeTypeSelector required object[] property required string
Property is the property on the node type to select.
property required string operator required string
Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".
operator required string values required string[]
Values is the list of values to use for comparison. This is mutually exclusive with value.
values required string[] value required string
Value is the value to use for comparison. This is mutually exclusive with values.
value required string taints required object[]
Taints are the taints to apply to the nodes in this pool.
taints required object[] nodeLabels required object
NodeLabels are the labels to apply to the nodes in this pool.
nodeLabels required object terminationGracePeriod required string
TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.
Warning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.
This field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period.
When set, drifted nodes will begin draining even if there are pods blocking eviction. Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.
Karpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod.
If a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout,
that pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.
The feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks.
Defaults to 30s. Set to Never to wait indefinitely for pods to be drained.
terminationGracePeriod required string quantity required integer
Quantity is the number of desired nodes in this pool.
quantity required integer dynamic required object[]
Dynamic defines dynamic node pools. Dynamic node pools are scaled automatically based on the requirements within the cluster.
Karpenter is used under the hood to handle the scheduling of the nodes.
dynamic required object[] name required string
Name is the name of this NodePool
name required string nodeTypeSelector required object[]
NodeTypeSelector filters the types of nodes that can be provisioned by this pool.
All requirements must be met for a node type to be eligible.
nodeTypeSelector required object[] property required string
Property is the property on the node type to select.
property required string operator required string
Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".
operator required string values required string[]
Values is the list of values to use for comparison. This is mutually exclusive with value.
values required string[] value required string
Value is the value to use for comparison. This is mutually exclusive with values.
value required string taints required object[]
Taints are the taints to apply to the nodes in this pool.
taints required object[] nodeLabels required object
NodeLabels are the labels to apply to the nodes in this pool.
nodeLabels required object limits required object
Limits specify the maximum resources that can be provisioned by this node pool,
mapping to the 'limits' field in Karpenter's NodePool API.
limits required object disruption required object
Disruption contains the parameters that relate to Karpenter's disruption logic
disruption required object consolidateAfter required string
ConsolidateAfter is the duration the controller will wait
before attempting to terminate nodes that are underutilized.
Refer to ConsolidationPolicy for how underutilization is considered.
consolidateAfter required string consolidationPolicy required string
ConsolidationPolicy describes which nodes Karpenter can disrupt through its consolidation
algorithm. This policy defaults to "WhenEmptyOrUnderutilized" if not specified
consolidationPolicy required string budgets required object[]
Budgets is a list of Budgets.
If there are multiple active budgets, Karpenter uses
the most restrictive value. If left undefined,
this will default to one budget with a value to 10%.
budgets required object[] nodes required string
Nodes dictates the maximum number of NodeClaims owned by this NodePool
that can be terminating at once. This is calculated by counting nodes that
have a deletion timestamp set, or are actively being deleted by Karpenter.
This field is required when specifying a budget.
nodes required string schedule required string
Schedule specifies when a budget begins being active, following
the upstream cronjob syntax. If omitted, the budget is always active.
Timezones are not supported.
schedule required string duration required string
Duration determines how long a Budget is active since each Schedule hit.
Only minutes and hours are accepted, as cron does not work in seconds.
If omitted, the budget is always active.
This is required if Schedule is set.
duration required string terminationGracePeriod required string
TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.
Warning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.
This field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period.
When set, drifted nodes will begin draining even if there are pods blocking eviction. Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.
Karpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod.
If a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout,
that pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.
The feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks.
Defaults to 30s. Set to Never to wait indefinitely for pods to be drained.
terminationGracePeriod required string expireAfter required string
The amount of time a Node can live on the cluster before being removed
expireAfter required string weight required integer
Weight is the weight of this node pool.
weight required integer vpn required object
VPN holds configuration for the private nodes vpn. This can be used to connect the private nodes to the control plane or
connect the private nodes to each other if they are not running in the same network. Platform connection is required for the vpn to work.
vpn required object enabled required boolean false
Enabled defines if the private nodes vpn should be enabled.
enabled required boolean false exportKubeConfig required object
ExportKubeConfig describes how vCluster should export the vCluster kubeConfig file.
exportKubeConfig required object context required string
Context is the name of the context within the generated kubeconfig to use.
context required string server required string
Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.
server required string insecure required boolean false
If tls should get skipped for the server
insecure required boolean false serviceAccount required object
ServiceAccount can be used to generate a service account token instead of the default certificates.
serviceAccount required object name required string
Name of the service account to be used to generate a service account token instead of the default certificates.
name required string namespace required string
Namespace of the service account to be used to generate a service account token instead of the default certificates.
If omitted, will use the kube-system namespace.
namespace required string clusterRole required string
ClusterRole to assign to the service account.
clusterRole required string secret required object
Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig.
If this is not defined, vCluster will create it with vc-NAME. If you specify another name,
vCluster creates the config in this other secret.
Deprecated: Use AdditionalSecrets instead.
secret required object vc-NAME. If you specify another name,
vCluster creates the config in this other secret.name required string
Name is the name of the secret where the kubeconfig should get stored.
name required string namespace required string
Namespace where vCluster should store the kubeconfig secret. If this is not equal to the namespace
where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
namespace required string additionalSecrets required object[]
AdditionalSecrets specifies the additional host cluster secrets in which vCluster will store the
generated virtual cluster kubeconfigs.
additionalSecrets required object[] context required string
Context is the name of the context within the generated kubeconfig to use.
context required string server required string
Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.
server required string insecure required boolean
If tls should get skipped for the server
insecure required boolean serviceAccount required object
ServiceAccount can be used to generate a service account token instead of the default certificates.
serviceAccount required object name required string
Name of the service account to be used to generate a service account token instead of the default certificates.
name required string namespace required string
Namespace of the service account to be used to generate a service account token instead of the default certificates.
If omitted, will use the kube-system namespace.
namespace required string clusterRole required string
ClusterRole to assign to the service account.
clusterRole required string name required string
Name is the name of the secret where the kubeconfig is stored.
name required string namespace required string
Namespace where vCluster stores the kubeconfig secret. If this is not equal to the namespace
where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
namespace required string sync required object
Sync describes how to sync resources from the virtual cluster to host cluster and back.
sync required object toHost required object
Configure resources to sync from the virtual cluster to the host cluster.
toHost required object pods required object
Pods defines if pods created within the virtual cluster should get synced to the host cluster.
pods required object enabled required boolean true
Enabled defines if pod syncing should be enabled.
enabled required boolean true translateImage required object {}
TranslateImage maps an image to another image that should be used instead. For example this can be used to rewrite
a certain image that is used within the virtual cluster to be another image on the host cluster
translateImage required object {} enforceTolerations required string[] []
EnforceTolerations will add the specified tolerations to all pods synced by the virtual cluster.
enforceTolerations required string[] [] useSecretsForSATokens required boolean false
UseSecretsForSATokens will use secrets to save the generated service account tokens by virtual cluster instead of using a
pod annotation.
useSecretsForSATokens required boolean false runtimeClassName required string
RuntimeClassName is the runtime class to set for synced pods.
runtimeClassName required string priorityClassName required string
PriorityClassName is the priority class to set for synced pods.
priorityClassName required string rewriteHosts required object
RewriteHosts is a special option needed to rewrite statefulset containers to allow the correct FQDN. virtual cluster will add
a small container to each stateful set pod that will initially rewrite the /etc/hosts file to match the FQDN expected by
the virtual cluster.
rewriteHosts required object enabled required boolean true
Enabled specifies if rewriting stateful set pods should be enabled.
enabled required boolean true initContainer required object
InitContainer holds extra options for the init container used by vCluster to rewrite the FQDN for stateful set pods.
initContainer required object image required object
Image is the image virtual cluster should use to rewrite this FQDN.
image required object registry required string mirror.gcr.io
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally
overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
registry required string mirror.gcr.io repository required string library/alpine
Repository is the repository of the container image, e.g. my-repo/my-image
repository required string library/alpine tag required string 3.20
Tag is the tag of the container image, and is the default version.
tag required string 3.20 resources required object
Resources are the resources that should be assigned to the init container for each stateful set init container.
resources required object patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object hybridScheduling required object
HybridScheduling is used to enable and configure hybrid scheduling for pods in the virtual cluster.
hybridScheduling required object secrets required object
Secrets defines if secrets created within the virtual cluster should get synced to the host cluster.
secrets required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true all required boolean false
All defines if all resources of that type should get synced or only the necessary ones that are needed.
all required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object configMaps required object
ConfigMaps defines if config maps created within the virtual cluster should get synced to the host cluster.
configMaps required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true all required boolean false
All defines if all resources of that type should get synced or only the necessary ones that are needed.
all required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object ingresses required object
Ingresses defines if ingresses created within the virtual cluster should get synced to the host cluster.
ingresses required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object services required object
Services defines if services created within the virtual cluster should get synced to the host cluster.
services required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object endpoints required object
Endpoints defines if endpoints created within the virtual cluster should get synced to the host cluster.
endpoints required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object endpointSlices required object
EndpointSlices defines if endpointslices created within the virtual cluster should get synced to the host cluster.
endpointSlices required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object networkPolicies required object
NetworkPolicies defines if network policies created within the virtual cluster should get synced to the host cluster.
networkPolicies required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object persistentVolumeClaims required object
PersistentVolumeClaims defines if persistent volume claims created within the virtual cluster should get synced to the host cluster.
persistentVolumeClaims required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object persistentVolumes required object
PersistentVolumes defines if persistent volumes created within the virtual cluster should get synced to the host cluster.
persistentVolumes required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object volumeSnapshots required object
VolumeSnapshots defines if volume snapshots created within the virtual cluster should get synced to the host cluster.
volumeSnapshots required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object volumeSnapshotContents required object
VolumeSnapshotContents defines if volume snapshot contents created within the virtual cluster should get synced to the host cluster.
volumeSnapshotContents required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object storageClasses required object
StorageClasses defines if storage classes created within the virtual cluster should get synced to the host cluster.
storageClasses required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object serviceAccounts required object
ServiceAccounts defines if service accounts created within the virtual cluster should get synced to the host cluster.
serviceAccounts required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object podDisruptionBudgets required object
PodDisruptionBudgets defines if pod disruption budgets created within the virtual cluster should get synced to the host cluster.
podDisruptionBudgets required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object priorityClasses required object
PriorityClasses defines if priority classes created within the virtual cluster should get synced to the host cluster.
priorityClasses required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object customResources required {key: object}
CustomResources defines what custom resources should get synced from the virtual cluster to the host cluster. vCluster will copy the definition automatically from host cluster to virtual cluster on startup.
vCluster will also automatically add any required RBAC permissions to the vCluster role for this to work.
customResources required {key: object} enabled required boolean
Enabled defines if this option should be enabled.
enabled required boolean scope required string
Scope defines the scope of the resource. If undefined, will use Namespaced. Currently only Namespaced is supported.
scope required string patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object namespaces required object
Namespaces defines if namespaces created within the virtual cluster should get synced to the host cluster.
namespaces required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object mappings required object
Mappings for Namespace and Object
mappings required object byName required object
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster:
byName:
"foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name:
byName:
"foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
byName:
"": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
byName required object mappingsOnly required boolean false
MappingsOnly defines if creation of namespaces not matched by mappings should be allowed.
mappingsOnly required boolean false extraLabels required object
ExtraLabels are additional labels to add to the namespace in the host cluster.
extraLabels required object resourceClaims required object
ResourceClaim defines if resource claims created within the virtual cluster should get synced to the host cluster.
resourceClaims required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object resourceClaimTemplates required object
ResourceClaimTemplates defines if resourceClaimTemplates created within the virtual cluster should get synced to the host cluster.
resourceClaimTemplates required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object fromHost required object
Configure what resources vCluster should sync from the host cluster to the virtual cluster.
fromHost required object nodes required object
Nodes defines if nodes should get synced from the host cluster to the virtual cluster, but not back.
nodes required object enabled required boolean false
Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.
enabled required boolean false syncBackChanges required boolean false
SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled someone within the virtual cluster will be able to change the labels and taints of the host cluster node.
syncBackChanges required boolean false clearImageStatus required boolean false
ClearImageStatus will erase the image status when syncing a node. This allows to hide images that are pulled by the node.
clearImageStatus required boolean false selector required object
Selector can be used to define more granular what nodes should get synced from the host cluster to the virtual cluster.
selector required object all required boolean false
All specifies if all nodes should get synced by vCluster from the host to the virtual cluster or only the ones where pods are assigned to.
all required boolean false labels required object {}
Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.
labels required object {} patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object events required object
Events defines if events should get synced from the host cluster to the virtual cluster, but not back.
events required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object ingressClasses required object
IngressClasses defines if ingress classes should get synced from the host cluster to the virtual cluster, but not back.
ingressClasses required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object runtimeClasses required object
RuntimeClasses defines if runtime classes should get synced from the host cluster to the virtual cluster, but not back.
runtimeClasses required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object priorityClasses required object
PriorityClasses defines if priority classes classes should get synced from the host cluster to the virtual cluster, but not back.
priorityClasses required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object storageClasses required object
StorageClasses defines if storage classes should get synced from the host cluster to the virtual cluster, but not back. If auto, is automatically enabled when the virtual scheduler is enabled.
storageClasses required object enabled required string|boolean auto
Enabled defines if this option should be enabled.
enabled required string|boolean auto patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object csiNodes required object
CSINodes defines if csi nodes should get synced from the host cluster to the virtual cluster, but not back. If auto, is automatically enabled when the virtual scheduler is enabled.
csiNodes required object enabled required string|boolean auto
Enabled defines if this option should be enabled.
enabled required string|boolean auto patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object csiDrivers required object
CSIDrivers defines if csi drivers should get synced from the host cluster to the virtual cluster, but not back. If auto, is automatically enabled when the virtual scheduler is enabled.
csiDrivers required object enabled required string|boolean auto
Enabled defines if this option should be enabled.
enabled required string|boolean auto patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object csiStorageCapacities required object
CSIStorageCapacities defines if csi storage capacities should get synced from the host cluster to the virtual cluster, but not back. If auto, is automatically enabled when the virtual scheduler is enabled.
csiStorageCapacities required object enabled required string|boolean auto
Enabled defines if this option should be enabled.
enabled required string|boolean auto patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object customResources required {key: object}
CustomResources defines what custom resources should get synced read-only to the virtual cluster from the host cluster. vCluster will automatically add any required RBAC to the vCluster cluster role.
customResources required {key: object} enabled required boolean
Enabled defines if this option should be enabled.
enabled required boolean scope required string
Scope defines the scope of the resource
scope required string patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object mappings required object
Mappings for Namespace and Object
mappings required object byName required object
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster:
byName:
"foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name:
byName:
"foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
byName:
"": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
byName required object volumeSnapshotClasses required object
VolumeSnapshotClasses defines if volume snapshot classes created within the virtual cluster should get synced to the host cluster.
volumeSnapshotClasses required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object configMaps required object
ConfigMaps defines if config maps in the host should get synced to the virtual cluster.
configMaps required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object mappings required object
Mappings for Namespace and Object
mappings required object byName required object {}
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster:
byName:
"foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name:
byName:
"foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
byName:
"": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
byName required object {} secrets required object
Secrets defines if secrets in the host should get synced to the virtual cluster.
secrets required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object mappings required object
Mappings for Namespace and Object
mappings required object byName required object {}
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name.
There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster:
byName:
"foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name:
byName:
"foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name:
byName:
"foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster:
byName:
"": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster:
byName:
"/my-object": "my-virtual-namespace/my-object"
byName required object {} deviceClasses required object
DeviceClasses defines if device classes in the host should get synced to the virtual cluster
deviceClasses required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false patches required object[]
Patches patch the resource according to the provided specification.
patches required object[] path required string
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
path required string expression required string
Expression transforms the value according to the given JavaScript expression.
expression required string reverseExpression required string
ReverseExpression transforms the value according to the given JavaScript expression.
reverseExpression required string reference required object
Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode
automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with
other names, in multi-namespace mode this will not translate the name.
reference required object apiVersion required string
APIVersion is the apiVersion of the referenced object.
apiVersion required string apiVersionPath required string
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
apiVersionPath required string kind required string
Kind is the kind of the referenced object.
kind required string kindPath required string
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
kindPath required string namePath required string
NamePath is the optional relative path to the reference name within the object.
namePath required string namespacePath required string
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the
metadata.namespace path of the object.
namespacePath required string labels required object
Labels treats the path value as a labels selector.
labels required object integrations required object
Integrations holds config for vCluster integrations with other operators or tools running on the host cluster
integrations required object metricsServer required object
MetricsServer reuses the metrics server from the host cluster within the vCluster.
metricsServer required object enabled required boolean false
Enabled signals the metrics server integration should be enabled.
enabled required boolean false apiService required object
APIService holds information about where to find the metrics-server service. Defaults to metrics-server/kube-system.
apiService required object service required object
Service is a reference to the service for the API server.
service required object nodes required boolean true
Nodes defines if metrics-server nodes api should get proxied from host to virtual cluster.
nodes required boolean true pods required boolean true
Pods defines if metrics-server pods api should get proxied from host to virtual cluster.
pods required boolean true kubeVirt required object
KubeVirt reuses a host kubevirt and makes certain CRDs from it available inside the vCluster
kubeVirt required object enabled required boolean false
Enabled signals if the integration should be enabled
enabled required boolean false apiService required object
APIService holds information about where to find the virt-api service. Defaults to virt-api/kubevirt.
apiService required object service required object
Service is a reference to the service for the API server.
service required object webhook required object
Webhook holds configuration for enabling the webhook within the vCluster
webhook required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true sync required object
Sync holds configuration on what resources to sync
sync required object dataVolumes required object
If DataVolumes should get synced
dataVolumes required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false virtualMachineInstanceMigrations required object
If VirtualMachineInstanceMigrations should get synced
virtualMachineInstanceMigrations required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true virtualMachineInstances required object
If VirtualMachineInstances should get synced
virtualMachineInstances required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true virtualMachines required object
If VirtualMachines should get synced
virtualMachines required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true externalSecrets required object
ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster.
- ExternalSecrets will be synced from the virtual cluster to the host cluster.
- SecretStores will be synced from the virtual cluster to the host cluster and then bi-directionally.
- ClusterSecretStores will be synced from the host cluster to the virtual cluster.
externalSecrets required object enabled required boolean false
Enabled defines whether the external secret integration is enabled or not
enabled required boolean false version required string
Version defines the version of the external secrets operator to use. If empty, the storage version will be used.
version required string webhook required object
Webhook defines whether the host webhooks are reused or not
webhook required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false sync required object
Sync defines the syncing behavior for the integration
sync required object toHost required object
ToHost defines what resources are synced from the virtual cluster to the host
toHost required object externalSecrets required object
ExternalSecrets allows to configure if only a subset of ExternalSecrets matching a label selector should get synced from the virtual cluster to the host cluster.
externalSecrets required object stores required object
Stores defines if secret stores should get synced from the virtual cluster to the host cluster and then bi-directionally.
stores required object certManager required object
CertManager reuses a host cert-manager and makes its CRDs from it available inside the vCluster.
- Certificates and Issuers will be synced from the virtual cluster to the host cluster.
- ClusterIssuers will be synced from the host cluster to the virtual cluster.
certManager required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false sync required object
Sync contains advanced configuration for syncing cert-manager resources.
sync required object toHost required object
toHost required object istio required object
Istio syncs DestinationRules, Gateways and VirtualServices from virtual cluster to the host.
istio required object enabled required boolean false
Enabled defines if this option should be enabled.
enabled required boolean false networking required object
Networking options related to the virtual cluster.
networking required object serviceCIDR required string
ServiceCIDR holds the service cidr for the virtual cluster. This should only be set if privateNodes.enabled is true or vCluster cannot detect the host service cidr.
serviceCIDR required string podCIDR required string 10.244.0.0/16
PodCIDR holds the pod cidr for the virtual cluster. This should only be set if privateNodes.enabled is true.
podCIDR required string 10.244.0.0/16 replicateServices required object
ReplicateServices allows replicating services from the host within the virtual cluster or the other way around.
replicateServices required object toHost required object[]
ToHost defines the services that should get synced from virtual cluster to the host cluster. If services are
synced to a different namespace than the virtual cluster is in, additional permissions for the other namespace
are required.
toHost required object[] fromHost required object[]
FromHost defines the services that should get synced from the host to the virtual cluster.
fromHost required object[] resolveDNS required object[]
ResolveDNS allows to define extra DNS rules. This only works if embedded coredns is configured.
resolveDNS required object[] hostname required string
Hostname is the hostname within the vCluster that should be resolved from.
hostname required string service required string
Service is the virtual cluster service that should be resolved from.
service required string namespace required string
Namespace is the virtual cluster namespace that should be resolved from.
namespace required string target required object
Target is the DNS target that should get mapped to
target required object hostname required string
Hostname to use as a DNS target
hostname required string ip required string
IP to use as a DNS target
ip required string hostService required string
HostService to target, format is hostNamespace/hostService
hostService required string hostNamespace required string
HostNamespace to target
hostNamespace required string vClusterService required string
VClusterService format is hostNamespace/vClusterName/vClusterNamespace/vClusterService
vClusterService required string advanced required object
Advanced holds advanced network options.
advanced required object clusterDomain required string cluster.local
ClusterDomain is the Kubernetes cluster domain to use within the virtual cluster.
clusterDomain required string cluster.local fallbackHostCluster required boolean false
FallbackHostCluster allows to fallback dns to the host cluster. This is useful if you want to reach host services without
any other modification. You will need to provide a namespace for the service, e.g. my-other-service.my-other-namespace
fallbackHostCluster required boolean false proxyKubelets required object
ProxyKubelets allows rewriting certain metrics and stats from the Kubelet to "fake" this for applications such as
prometheus or other node exporters.
proxyKubelets required object byHostname required boolean true
ByHostname will add a special vCluster hostname to the nodes where the node can be reached at. This doesn't work
for all applications, e.g. Prometheus requires a node IP.
byHostname required boolean true byIP required boolean true
ByIP will create a separate service in the host cluster for every node that will point to virtual cluster and will be used to
route traffic.
byIP required boolean true policies required object
Policies to enforce for the virtual cluster deployment as well as within the virtual cluster.
policies required object networkPolicy required object
NetworkPolicy specifies network policy options.
networkPolicy required object enabled required boolean false
Enabled defines if the network policy should be deployed by vCluster.
enabled required boolean false annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} labels required object {}
Labels are extra labels for this resource.
labels required object {} fallbackDns required string 8.8.8.8
FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.
fallbackDns required string 8.8.8.8 controlPlane required object
ControlPlane network policy rules
controlPlane required object ingress required object[]
Ingress rules for the vCluster control plane.
ingress required object[] ports required object[]
ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports required object[] protocol required string
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol required string port required object
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port required object endPort required integer
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort required integer from required object[]
from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list.
from required object[] podSelector required object
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector required object namespaceSelector required object
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector required object ipBlock required object
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock required object cidr required string
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string except required string[]
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] egress required object[]
Egress rules for the vCluster control plane.
egress required object[] ports required object[]
ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports required object[] protocol required string
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol required string port required object
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port required object endPort required integer
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort required integer to required object[]
to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list.
to required object[] podSelector required object
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector required object namespaceSelector required object
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector required object ipBlock required object
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock required object cidr required string
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string except required string[]
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] workload required object
Workload network policy rules
workload required object publicEgress required object
PublicEgress holds the public outgoing connections options for the vCluster workloads.
publicEgress required object enabled required boolean true
Enabled defines if the workload public egress should be enabled or disabled.
enabled required boolean true cidr required string 0.0.0.0/0
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string 0.0.0.0/0 except required string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16] ingress required object[]
Ingress rules for the vCluster workloads.
ingress required object[] ports required object[]
ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports required object[] protocol required string
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol required string port required object
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port required object endPort required integer
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort required integer from required object[]
from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list.
from required object[] podSelector required object
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector required object namespaceSelector required object
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector required object ipBlock required object
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock required object cidr required string
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string except required string[]
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] egress required object[]
Egress rules for the vCluster workloads.
egress required object[] ports required object[]
ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports required object[] protocol required string
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol required string port required object
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port required object endPort required integer
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort required integer to required object[]
to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list.
to required object[] podSelector required object
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector required object namespaceSelector required object
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector required object ipBlock required object
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock required object cidr required string
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string except required string[]
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] podSecurityStandard required string
PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged
podSecurityStandard required string resourceQuota required object
ResourceQuota specifies resource quota options.
resourceQuota required object enabled required string|boolean auto
Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled,
the resourceQuota will be enabled as well.
enabled required string|boolean auto quota required object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0]
Quota are the quota options
quota required object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0] scopeSelector required object map[matchExpressions:[]]
ScopeSelector is the resource quota scope selector
scopeSelector required object map[matchExpressions:[]] scopes required string[] []
Scopes are the resource quota scopes
scopes required string[] [] annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} labels required object {}
Labels are extra labels for this resource.
labels required object {} limitRange required object
LimitRange specifies limit range options.
limitRange required object enabled required string|boolean auto
Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled,
the limitRange will be enabled as well.
enabled required string|boolean auto default required object map[cpu:1 ephemeral-storage:8Gi memory:512Mi]
Default are the default limits for the limit range
default required object map[cpu:1 ephemeral-storage:8Gi memory:512Mi] defaultRequest required object map[cpu:100m ephemeral-storage:3Gi memory:128Mi]
DefaultRequest are the default request options for the limit range
defaultRequest required object map[cpu:100m ephemeral-storage:3Gi memory:128Mi] max required object {}
Max are the max limits for the limit range
max required object {} min required object {}
Min are the min limits for the limit range
min required object {} annotations required object {}
Annotations are extra annotations for this resource.
annotations required object {} labels required object {}
Labels are extra labels for this resource.
labels required object {} centralAdmission required object
CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.
centralAdmission required object validatingWebhooks required object[]
ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster
validatingWebhooks required object[] kind required string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind required string apiVersion required string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion required string metadata required object
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata required object name required string
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name required string labels required object
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels required object annotations required object
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations required object webhooks required object[]
Webhooks is a list of webhooks and the affected resources and operations.
webhooks required object[] name required string
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name required string clientConfig required object
ClientConfig defines how to communicate with the hook.
clientConfig required object url required string
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
url required string scheme://host:port/path). Exactly one of url or service
must be specified.service required object
Service is a reference to the service for this webhook. Either
service or url must be specified.
If the webhook is running within the cluster, then you should use service.
service required object service or url must be specified.service.namespace required string
Namespace is the namespace of the service.
namespace required string name required string
Name is the name of the service.
name required string path required string
Path is an optional URL path which will be sent in any request to
this service.
path required string port required integer
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
port required integer port should be a valid port number (1-65535, inclusive).caBundle required string
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle required string rules required object[]
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules required object[] failurePolicy required string
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy required string matchPolicy required string
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy required string namespaceSelector required object
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector required object objectSelector required object
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector required object sideEffects required string
SideEffects states whether this webhook has side effects.
sideEffects required string timeoutSeconds required integer
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds required integer admissionReviewVersions required string[]
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions required string[] AdmissionReview
versions the Webhook expects.matchConditions required object[]
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
matchConditions required object[] mutatingWebhooks required object[]
MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster
mutatingWebhooks required object[] kind required string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind required string apiVersion required string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion required string metadata required object
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata required object name required string
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name required string labels required object
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels required object annotations required object
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations required object webhooks required object[]
Webhooks is a list of webhooks and the affected resources and operations.
webhooks required object[] reinvocationPolicy required string
reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
Allowed values are "Never" and "IfNeeded".
reinvocationPolicy required string name required string
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name required string clientConfig required object
ClientConfig defines how to communicate with the hook.
clientConfig required object url required string
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
url required string scheme://host:port/path). Exactly one of url or service
must be specified.service required object
Service is a reference to the service for this webhook. Either
service or url must be specified.
If the webhook is running within the cluster, then you should use service.
service required object service or url must be specified.service.namespace required string
Namespace is the namespace of the service.
namespace required string name required string
Name is the name of the service.
name required string path required string
Path is an optional URL path which will be sent in any request to
this service.
path required string port required integer
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
port required integer port should be a valid port number (1-65535, inclusive).caBundle required string
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle required string rules required object[]
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules required object[] failurePolicy required string
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy required string matchPolicy required string
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy required string namespaceSelector required object
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector required object objectSelector required object
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector required object sideEffects required string
SideEffects states whether this webhook has side effects.
sideEffects required string timeoutSeconds required integer
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds required integer admissionReviewVersions required string[]
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions required string[] AdmissionReview
versions the Webhook expects.matchConditions required object[]
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
matchConditions required object[] rbac required object
RBAC options for the virtual cluster.
rbac required object role required object
Role holds virtual cluster role configuration
role required object clusterRole required object
ClusterRole holds virtual cluster cluster role configuration
clusterRole required object enabled required string|boolean auto
Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.
enabled required string|boolean auto extraRules required object[] []
ExtraRules will add rules to the cluster role.
extraRules required object[] [] overwriteRules required object[] []
OverwriteRules will overwrite the cluster role rules completely.
overwriteRules required object[] [] sleep required object
Sleep holds configuration for automatically putting the virtual cluster to sleep.
sleep required object auto required object
Auto holds automatic sleep configuration
auto required object afterInactivity required string
AfterInactivity represents how long a vCluster can be idle before workloads are automatically put to sleep
afterInactivity required string schedule required string
Schedule represents a cron schedule for when to sleep workloads
schedule required string exclude required object
Exclude holds configuration for labels that, if present, will prevent a workload from going to sleep
exclude required object wakeup required object
Wakeup holds configuration for waking the vCluster on a schedule
wakeup required object schedule required string
schedule required string timezone required string
Timezone specifies time zone used for scheduled sleep operations. Defaults to UTC.
Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation).
The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York".
timezone required string plugins required {key: object}
Define which vCluster plugins to load.
plugins required {key: object} name required string
Name is the name of the init-container and NOT the plugin name
name required string image required string
Image is the container image that should be used for the plugin
image required string imagePullPolicy required string
ImagePullPolicy is the pull policy to use for the container image
imagePullPolicy required string config required object
Config is the plugin config to use. This can be arbitrary config used for the plugin.
config required object rbac required object
RBAC holds additional rbac configuration for the plugin
rbac required object role required object
Role holds extra virtual cluster role permissions for the plugin
role required object extraRules required object[]
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
extraRules required object[] verbs required string[]
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
verbs required string[] apiGroups required string[]
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
apiGroups required string[] resources required string[]
Resources is a list of resources this rule applies to. '*' represents all resources.
resources required string[] resourceNames required string[]
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
resourceNames required string[] nonResourceURLs required string[]
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
nonResourceURLs required string[] clusterRole required object
ClusterRole holds extra virtual cluster cluster role permissions required for the plugin
clusterRole required object extraRules required object[]
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
extraRules required object[] verbs required string[]
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
verbs required string[] apiGroups required string[]
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of
the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
apiGroups required string[] resources required string[]
Resources is a list of resources this rule applies to. '*' represents all resources.
resources required string[] resourceNames required string[]
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
resourceNames required string[] nonResourceURLs required string[]
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path
Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
nonResourceURLs required string[] command required string[]
Command is the command that should be used for the init container
command required string[] args required string[]
Args are the arguments that should be used for the init container
args required string[] securityContext required object
SecurityContext is the container security context used for the init container
securityContext required object resources required object
Resources are the container resources used for the init container
resources required object volumeMounts required object[]
VolumeMounts are extra volume mounts for the init container
volumeMounts required object[] experimental required object
Experimental features for vCluster. Configuration here might change, so be careful with this.
experimental required object deploy required object
Deploy allows you to configure manifests and Helm charts to deploy within the host or virtual cluster.
deploy required object host required object
Host defines what manifests to deploy into the host cluster
host required object vcluster required object
VCluster defines what manifests and charts to deploy into the vCluster
vcluster required object manifests required string
Manifests are raw Kubernetes manifests that should get applied within the virtual cluster.
manifests required string manifestsTemplate required string
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the virtual cluster.
manifestsTemplate required string helm required object[]
Helm are Helm charts that should get deployed into the virtual cluster
helm required object[] chart required object
Chart defines what chart should get deployed.
chart required object release required object
Release defines what release should get deployed.
release required object values required string
Values defines what values should get used.
values required string timeout required string
Timeout defines the timeout for Helm
timeout required string bundle required string
Bundle allows to compress the Helm chart and specify this instead of an online chart
bundle required string syncSettings required object
SyncSettings are advanced settings for the syncer controller.
syncSettings required object setOwner required boolean true
SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.
setOwner required boolean true hostMetricsBindAddress required string
HostMetricsBindAddress is the bind address for the local manager
hostMetricsBindAddress required string virtualMetricsBindAddress required string
VirtualMetricsBindAddress is the bind address for the virtual manager
virtualMetricsBindAddress required string virtualClusterKubeConfig required object
VirtualClusterKubeConfig allows you to override distro specifics and specify where vCluster will find the required certificates and vCluster config.
Deprecated: Removed in 0.29.0.
virtualClusterKubeConfig required object kubeConfig required string
KubeConfig is the virtual cluster kubeconfig path.
kubeConfig required string serverCAKey required string
ServerCAKey is the server ca key path.
serverCAKey required string serverCACert required string
ServerCAKey is the server ca cert path.
serverCACert required string clientCACert required string
ServerCAKey is the client ca cert path.
clientCACert required string requestHeaderCACert required string
RequestHeaderCACert is the request header ca cert path.
requestHeaderCACert required string denyProxyRequests required object[]
DenyProxyRequests denies certain requests in the vCluster proxy.
denyProxyRequests required object[] name required string
The name of the check.
name required string namespaces required string[]
Namespace describe a list of namespaces that will be affected by the check.
An empty list means that all namespaces will be affected.
In case of ClusterScoped rules, only the Namespace resource is affected.
namespaces required string[] rules required object[]
Rules describes on which verbs and on what resources/subresources the webhook is enforced.
The webhook is enforced if it matches any Rule.
The version of the request must match the rule version exactly. Equivalent matching is not supported.
rules required object[] apiGroups required string[]
APIGroups is the API groups the resources belong to. '*' is all groups.
apiGroups required string[] apiVersions required string[]
APIVersions is the API versions the resources belong to. '*' is all versions.
apiVersions required string[] resources required string[]
Resources is a list of resources this rule applies to.
resources required string[] scope required string
Scope specifies the scope of this rule.
scope required string operations required string[]
Verb is the kube verb associated with the request for API requests, not the http verb. This includes things like list and watch.
For non-resource requests, this is the lowercase http verb.
If '*' is present, the length of the slice must be one.
operations required string[] excludedUsers required string[]
ExcludedUsers describe a list of users for which the checks will be skipped.
Impersonation attempts on these users will still be subjected to the checks.
excludedUsers required string[] proxy required object
Proxy enables vCluster-to-vCluster proxying of resources
proxy required object customResources required {key: object}
CustomResources is a map of resource keys (format: "kind.apiGroup/version") to proxy configuration
customResources required {key: object} enabled required boolean
Enabled defines if this resource proxy should be enabled
enabled required boolean targetVirtualCluster required object
TargetVirtualCluster is the target virtual cluster for the custom resource proxy
targetVirtualCluster required object accessResources required string
AccessResources defines which resources should be accessible in the proxy.
accessResources required string docker required object
Docker allows you to configure Docker related settings when deploying a vCluster using Docker.
docker required object image required string
Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.
image required string ports required string[]
Ports defines extra port mappings to be added to the container.
ports required string[] volumes required string[]
Volumes defines extra volumes to be added to the container.
volumes required string[] env required string[]
Env defines extra environment variables to be added to the container. Use key=value.
env required string[] args required string[]
Args defines extra arguments to be added to the docker run command of the container.
args required string[] enabled required boolean
Enabled defines if the vCluster was deployed using Docker. This is automatically set by vCluster and should not be set by the user.
enabled required boolean network required string
Network defines the network to use for the vCluster. If not specified, the a network will be created for the vCluster.
network required string nodes required object[]
Nodes defines the nodes of the vCluster.
nodes required object[] image required string
Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.
image required string ports required string[]
Ports defines extra port mappings to be added to the container.
ports required string[] volumes required string[]
Volumes defines extra volumes to be added to the container.
volumes required string[] env required string[]
Env defines extra environment variables to be added to the container. Use key=value.
env required string[] args required string[]
Args defines extra arguments to be added to the docker run command of the container.
args required string[] name required string
Name defines the name of the node. If not specified, a random name will be generated.
name required string registryProxy required object
Defines if docker images should be pulled from the host docker daemon. This prevents pulling images again and allows to
use purely local images. Only works if containerd image storage is used. For more information, see https://docs.docker.com/engine/storage/containerd
registryProxy required object enabled required boolean true
Enabled defines if this option should be enabled.
enabled required boolean true loadBalancer required object
Defines if vCluster should configure load balancer services inside the vCluster. This might require
sudo access on the host cluster for docker desktop or rancher desktop on macos.
loadBalancer required object platform required object
Platform holds vCluster Platform specific configuration.
platform required object apiKey required object
APIKey defines where to find the platform access key and host. By default, vCluster will search in the following locations in this precedence:
- environment variable called LICENSE
- secret specified under platform.apiKey.secretName
- secret called "vcluster-platform-api-key" in the vCluster namespace
apiKey required object secretName required string
SecretName is the name of the secret where the platform access key is stored. This defaults to vcluster-platform-api-key if undefined.
secretName required string namespace required string
Namespace defines the namespace where the access key secret should be retrieved from. If this is not equal to the namespace
where the vCluster instance is deployed, you need to make sure vCluster has access to this other namespace.
namespace required string createRBAC required boolean
CreateRBAC will automatically create the necessary RBAC roles and role bindings to allow vCluster to read the secret specified
in the above namespace, if specified.
This defaults to true.
createRBAC required boolean project required string
Project specifies which platform project the vcluster should be imported to
project required string telemetry required object
Configuration related to telemetry gathered about vCluster usage.
telemetry required object snapshots required object
Snapshots holds configuration for automatic vCluster snapshots.
snapshots required object auto required object
Auto holds automatic snapshot configuration
auto required object schedule required string
Schedule specifies a scheduled time in Cron format, see https://en.wikipedia.org/wiki/Cron for a virtual cluster snapshot to be taken
schedule required string timezone required string
Timezone specifies time zone used for scheduled snapshot operations. Defaults to UTC.
Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation).
The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York".
timezone required string retention required object
Retention specifies how long snapshots will be kept
retention required object storage required object
Storage specifies where the snapshot will be stored
storage required object type required string
Type specifies supported type of storage services for a snapshot S3/OCI/Container, see https://www.vcluster.com/docs/vcluster/manage/backup-restore#store-snapshots-in-s3-buckets
type required string s3 required object
S3 holds configuration for storing snapshots in S3-compatible bucket
s3 required object oci required object
OCI holds configuration for storing snapshots in OCI image registries
oci required object container required object
Container holds configuration for storing snapshots as local files inside a vCluster container
container required object