Control node IP visibility

Supported Configurations
Running the control plane as a container with:

When vCluster syncs real nodes from the host cluster, it obfuscates node IP addresses by default. This behavior protects sensitive information in multi-tenant environments while still providing node features.

Node IP obfuscation provides several benefits:

  • Security: Prevents exposure of host cluster network topology in multi-tenant environments.
  • Privacy: Protects sensitive infrastructure information from virtual cluster users.
  • Isolation: Maintains logical separation between virtual and host clusters.

Default behavior

By default, when you enable real node syncing:

Enable real node syncing
sync:
  fromHost:
    nodes:
      enabled: true

vCluster automatically replaces the actual node IP addresses with obfuscated values. For example, if a host node has IP 192.168.1.100, it appears in the virtual cluster with a generated IP like 10.0.0.1.

Control IP visibility with patches

Enterprise-Only Feature

This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.

Remove IP information completely

To remove IP addresses entirely from synced nodes:

Remove IP addresses
sync:
  fromHost:
    nodes:
      enabled: true
      patches:
        - path: status.addresses
          expression: |
            []

Advanced node information control

You can use patches to control other sensitive node information beyond IP addresses:

Hide system information

Hide system information
sync:
  fromHost:
    nodes:
      enabled: true
      patches:
        - path: status.nodeInfo.bootID
          expression: '""'
        - path: status.nodeInfo.systemUUID
          expression: '""'
        - path: status.nodeInfo.machineID
          expression: '""'

Selective field obfuscation

Selective obfuscation
sync:
  fromHost:
    nodes:
      enabled: true
      patches:
        - path: status.nodeInfo.osImage
          expression: '"Linux"'
        - path: status.nodeInfo.kernelVersion
          expression: '"Hidden"'

Use node selectors

When using node selectors with obfuscated IPs, focus on labels rather than IP-based selection:

Node selector with labels
sync:
  fromHost:
    nodes:
      enabled: true
      selector:
        labels:
          node-role.kubernetes.io/worker: "true"
          environment: "production"

This approach ensures your workloads can still be scheduled appropriately without relying on specific IP addresses.

Troubleshoot node IP issues

Verify obfuscation

To check if IP obfuscation is working:

  1. Compare node information between host and virtual clusters:

     Check host cluster node
     kubectl get nodes -o wide

     Check virtual cluster node
     vcluster connect my-vcluster -- kubectl get nodes -o wide

  2. Inspect node details:

     Inspect node details
     vcluster connect my-vcluster -- kubectl describe node <node-name>
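
The comparison in step 1 can be automated. The following is an added example, not part of the vCluster documentation or tooling: it takes node lists in the shape returned by kubectl get nodes -o json and reports any host IP address or nodeInfo identifier that is visible unchanged inside the virtual cluster. The function names, the sample node data and the HOST, PATCHED and LEAKY values are constructed for illustration.

```python
# Identifying nodeInfo fields that the "Hide system information" patches blank out.
ID_FIELDS = ("bootID", "systemUUID", "machineID")

def sensitive_values(node_list):
    """Map each identifying value in a NodeList document to its field path."""
    found = {}
    for node in node_list.get("items", []):
        status = node.get("status", {})
        # status.addresses may be [] (patched out) or missing entirely.
        for addr in status.get("addresses") or []:
            if addr.get("type") in ("InternalIP", "ExternalIP"):
                found[addr["address"]] = "status.addresses"
        for field in ID_FIELDS:
            value = status.get("nodeInfo", {}).get(field)
            if value:  # an empty string means the field was patched out
                found[value] = "status.nodeInfo." + field
    return found

def find_leaks(host_nodes, virtual_nodes):
    """Return sorted (field, value) pairs visible unchanged in the virtual cluster."""
    host = sensitive_values(host_nodes)
    return sorted((host[v], v) for v in sensitive_values(virtual_nodes) if v in host)

def make_node_list(ip, boot_id, system_uuid, machine_id):
    """Build a minimal NodeList document (hypothetical helper for the demo)."""
    return {"items": [{"status": {
        "addresses": [{"type": "InternalIP", "address": ip},
                      {"type": "Hostname", "address": "worker-1"}],
        "nodeInfo": {"bootID": boot_id, "systemUUID": system_uuid,
                     "machineID": machine_id}}}]}

# Constructed sample data, not output captured from a real cluster.
HOST = make_node_list("192.168.1.100", "boot-aaaa", "uuid-bbbb", "machine-cccc")
# Virtual view with IP obfuscation and the nodeInfo patches applied.
PATCHED = make_node_list("10.0.0.1", "", "", "")
# Virtual view where the real IP and machineID are exposed unchanged.
LEAKY = make_node_list("192.168.1.100", "", "", "machine-cccc")

if __name__ == "__main__":
    for name, view in (("patched", PATCHED), ("leaky", LEAKY)):
        leaks = find_leaks(HOST, view)
        print(name, "OK" if not leaks else leaks)
```

To run it against real clusters, save the kubectl get nodes -o json output from each side, parse both files with json.load, and pass the results to find_leaks.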

Common issues

  • Networking problems: Some network policies or CNI plugins may require real IP addresses. Test thoroughly when modifying IP obfuscation.
  • Monitoring tools: Tools that rely on node IPs may need adjustment when IPs are obfuscated.
  • Service discovery: Services that use node IPs directly may require alternative approaches.

Best practices

  • Default to obfuscation: Keep IP obfuscation enabled unless you have specific requirements for real IPs.
  • Use labels: Rely on node labels rather than IPs for workload scheduling and management.
  • Document changes: Clearly document any modifications to default obfuscation behavior.
  • Test thoroughly: Verify that your applications work correctly with obfuscated IPs before production deployment.