
"The Cloud Native Computing Foundation (CNCF) published a blog post discussing how vCluster, an open-source project by Loft Labs, addresses key multi-tenancy obstacles in Kubernetes clusters by enabling 'virtual clusters' within a single host cluster. This approach enables multiple tenants to have isolated control planes while sharing underlying compute resources, thereby reducing overhead without compromising isolation. Traditional namespace-based isolation in Kubernetes often falls short when tenants need to deploy cluster-scoped resources like custom resource definitions (CRDs)."
"A virtual cluster runs as an application in a namespace on the host, but presents a full Kubernetes API server, controller manager, and datastore for tenant workloads. A syncer component ensures that pods, ConfigMaps, secrets, and services from the virtual cluster are mirrored into the host namespace, allowing them to execute as normal on the underlying host nodes. One of the most compelling use cases described is where teams require autonomy (for instance, to install CRDs)."
"Without virtual clusters, teams would face a set of unappealing options: deny the request and risk friction, give expanded rights and weaken isolation, manage the resources centrally and increase burden, or provide a dedicated cluster at higher cost and operational overhead. The vCluster model sidesteps the trade-off by letting tenants behave almost as if they had their own cluster while keeping the underlying resources shared and controlled by the platform team."
vCluster creates virtual clusters that run as applications in host namespaces, presenting a full Kubernetes API server, controller manager, and datastore for tenant workloads. A syncer mirrors pods, ConfigMaps, secrets, and services from virtual clusters into the host namespace so workloads run on underlying nodes. The model allows teams to install cluster-scoped resources like CRDs and maintain autonomy without granting cluster-wide admin rights, centrally managing resources, or provisioning dedicated clusters. Platform teams retain control of shared resources while reducing cost and operational overhead. Common platform tools such as Kyverno and Falco can be integrated for policy enforcement and runtime security monitoring.
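To make the trade-off above concrete, here is an added example (not from the CNCF post or the vCluster project) showing the two host-cluster RBAC options a platform team has without virtual clusters. The namespace and group names (team-a, team-a-dev, crd-installer) are constructed for illustration. The first pair of manifests is the usual namespace-scoped grant; the second pair is the "expanded rights" option, which is what it takes to let a tenant install CRDs directly on the host:

```yaml
# Added example, not part of the original post or of vCluster itself.
# Names (team-a, team-a-dev, crd-installer) are constructed placeholders.

# 1. Namespace-scoped grant. This is the isolation model the post calls
#    "traditional". CRDs are cluster-scoped objects, so a Role can never
#    grant access to them, even if "customresourcedefinitions" were listed
#    in its rules: the tenant stays confined to its own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-dev
  namespace: team-a
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "configmaps", "secrets", "services", "deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-dev
  namespace: team-a
subjects:
- kind: Group
  name: team-a
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-dev
  apiGroup: rbac.authorization.k8s.io
---
# 2. The "give expanded rights" option. Letting team-a create CRDs on the
#    host needs a ClusterRole plus a ClusterRoleBinding. Because CRDs are
#    global, every CRD the team installs, upgrades or deletes is visible
#    to, and can break, every other tenant sharing the host cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-installer
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: team-a-crd-installer
subjects:
- kind: Group
  name: team-a
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: crd-installer
  apiGroup: rbac.authorization.k8s.io
```

With a virtual cluster, the tenant's CRD rights live inside the virtual API server instead, so the host only has to grant the virtual cluster's own service account something like manifest 1 in its namespace, and manifest 2 is never applied to the host. A quick way to audit which situation a host cluster is in is `kubectl auth can-i create customresourcedefinitions --as=<user> --as-group=team-a`: a "yes" on the host means a tenant identity holds cluster-wide CRD rights and the isolation boundary is the whole cluster, not the namespace.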
Read at InfoQ