Networking configuration controls how the virtual cluster communicates with the host cluster and external services, including DNS resolution, service replication, and network policies.
Pod CIDR
networking.podCIDR
string
default: "10.244.0.0/16"
Pod CIDR for the virtual cluster. This should only be set when privateNodes.enabled is true.
Service Replication
networking.replicateServices
Configure service replication between the virtual and host clusters.

toHost: services to sync from the virtual cluster to the host cluster.

```yaml
networking:
  replicateServices:
    toHost:
      - from: my-namespace/my-service
        to: different-namespace/my-service
```

Syncing into a host namespace other than the one the vCluster runs in requires additional RBAC permissions for the vCluster.

fromHost: services to sync from the host cluster into the virtual cluster.

```yaml
networking:
  replicateServices:
    fromHost:
      - from: host-namespace/database
        to: default/database
```

Each fromHost entry makes a host service reachable from every workload in the virtual cluster, so replicate only the services tenants are meant to use.
DNS Configuration
networking.resolveDNS
Define extra DNS rules (Pro feature). This only works with the embedded CoreDNS (controlPlane.coredns.embedded: true).

```yaml
networking:
  resolveDNS:
    - hostname: "myservice.com"
      service: "my-namespace/my-service"
      target:
        namespace: "my-namespace"
        service: "my-service"
    - hostname: "*.mycompany.internal"
      target:
        hostname: "10.0.0.1"
```

A wildcard rule directs every name under the domain to a single target, so keep wildcards as narrow as the workloads require.
Advanced
networking.advanced
Advanced networking options.

clusterDomain
networking.advanced.clusterDomain
string
default: "cluster.local"
Kubernetes cluster domain to use within the virtual cluster.

fallbackHostCluster
networking.advanced.fallbackHostCluster
boolean
Allow DNS fallback to the host cluster, which makes host services reachable without modification. Example: my-service.my-namespace, resolved from within the vCluster, falls back to the host cluster service of that name when no virtual service matches. This gives every workload in the virtual cluster name-based access to host services, so enable it only where the host cluster is meant to be visible to the tenant.

proxyKubelets
networking.advanced.proxyKubelets
Proxy kubelet requests through vCluster, which rewrites kubelet metrics and stats for monitoring applications.
byHostname (boolean): Add a special vCluster hostname to nodes for reachability. May not work with all applications.
byIP (boolean): Create a separate service in the host cluster for every node to route traffic.
Control Plane Proxy
controlPlane.proxy
Configure the vCluster control plane proxy for authentication and request interception.

bindAddress
controlPlane.proxy.bindAddress
string
Address where vCluster exposes the proxy.

port
controlPlane.proxy.port
integer
Port where vCluster exposes the proxy. Changing the port is currently not supported.

extraSANs
controlPlane.proxy.extraSANs
list of strings
Extra hostnames or IP addresses to include as Subject Alternative Names in the vCluster proxy certificate. Add every name clients will use to reach the API server (ingress host, load balancer address); a name the certificate does not cover fails TLS verification on the client.

```yaml
controlPlane:
  proxy:
    extraSANs:
      - "vcluster.example.com"
      - "*.vcluster.example.com"
```
Control Plane Service
controlPlane.service
vCluster control plane service configuration.

enabled
controlPlane.service.enabled
boolean
Enable the control plane service.

spec.type
controlPlane.service.spec.type
string
default: "ClusterIP"
Service type. Options: ClusterIP, NodePort, LoadBalancer. NodePort and LoadBalancer expose the API server outside the host cluster's pod network; spec is applied as the Kubernetes Service spec, so loadBalancerSourceRanges can be set there to limit which source CIDRs may reach a LoadBalancer.

kubeletNodePort
controlPlane.service.kubeletNodePort
integer
Node port where the fake kubelet is exposed (for NodePort service).

httpsNodePort
controlPlane.service.httpsNodePort
integer
Node port where HTTPS is exposed (for NodePort service).
Control Plane Ingress
controlPlane.ingress
vCluster control plane ingress configuration.

enabled
controlPlane.ingress.enabled
boolean
Enable ingress for the control plane.

host
controlPlane.ingress.host
string
default: "my-host.com"
Hostname where vCluster will be reachable. The default is a placeholder; set it to the real hostname.

pathType
controlPlane.ingress.pathType
string
default: "ImplementationSpecific"
Path type for the ingress.

annotations
controlPlane.ingress.annotations
Ingress annotations. The default enables SSL passthrough on the NGINX ingress controller, so TLS is not terminated at the ingress but forwarded to the vCluster API server, which presents the proxy certificate (see controlPlane.proxy.extraSANs):

```yaml
controlPlane:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
```

Passthrough requires the NGINX ingress controller to run with --enable-ssl-passthrough; without that flag the annotation is ignored and the controller terminates TLS itself.

spec
controlPlane.ingress.spec
Extra ingress spec, including TLS configuration under spec.tls. With SSL passthrough enabled the ingress controller never terminates TLS, so a spec.tls secret is not the certificate clients see; it only takes effect when passthrough is off.
Network Policies
See RBAC Configuration for network policy configuration.
Example: LoadBalancer Service

```yaml
controlPlane:
  service:
    enabled: true
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    spec:
      type: LoadBalancer
```

A LoadBalancer gives the API server an address reachable from wherever the load balancer is, which for a default NLB is the internet. Restrict reachability with spec.loadBalancerSourceRanges or an internal load balancer, and keep the list of client networks short.
Example: Ingress with TLS

```yaml
controlPlane:
  ingress:
    enabled: true
    host: vcluster.example.com
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-prod"
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    spec:
      tls:
        - hosts:
            - vcluster.example.com
          secretName: vcluster-tls
```

Caveat: with ssl-passthrough the NGINX controller forwards the raw TLS connection to the vCluster API server, so the cert-manager certificate in vcluster-tls is never presented to clients. They see the vCluster proxy certificate instead, and the host must be covered by that certificate's SANs (add it to controlPlane.proxy.extraSANs if it is not). Dropping passthrough so the ingress terminates TLS with the cert-manager certificate also drops client-certificate authentication, which the default vCluster kubeconfig relies on, because the controller does not forward the client's certificate to the API server.
Example: Service Replication

```yaml
networking:
  replicateServices:
    # Expose a virtual cluster service to the host
    toHost:
      - from: default/webapp
        to: vcluster-ns/webapp
    # Make host services available in the vCluster
    fromHost:
      - from: databases/postgres
        to: default/postgres
      - from: monitoring/prometheus
        to: monitoring/prometheus
```
Example: Custom DNS Resolution

```yaml
controlPlane:
  coredns:
    embedded: true   # required for resolveDNS
networking:
  advanced:
    clusterDomain: "cluster.local"
    fallbackHostCluster: true
  resolveDNS:
    # Resolve a custom domain to a service
    - hostname: "api.myapp.internal"
      target:
        namespace: "default"
        service: "api-service"
    # Resolve a wildcard domain to an external IP
    - hostname: "*.external.com"
      target:
        hostname: "203.0.113.10"
```
Example: Kubelet Proxy Configuration

```yaml
networking:
  advanced:
    proxyKubelets:
      byHostname: true
      byIP: true
```
Example: Custom Certificate SANs

```yaml
controlPlane:
  proxy:
    bindAddress: "0.0.0.0"
    port: 8443
    extraSANs:
      - "vcluster.prod.example.com"
      - "vcluster.dev.example.com"
      - "10.0.0.100"
```

List every hostname and IP address clients will use to reach the API server; a name the certificate does not cover fails TLS verification on the client. An IP entry is matched as an IP SAN, and a wildcard entry such as "*.vcluster.example.com" covers one label under the domain but not the domain itself.
Use Cases
Multi-tenant Service Isolation
Use service replication to expose specific services between tenants while maintaining isolation:

```yaml
networking:
  replicateServices:
    fromHost:
      - from: shared-services/logging
        to: default/logging
      - from: shared-services/monitoring
        to: default/monitoring
```
External Service Access
Make external services available via custom DNS:

```yaml
networking:
  resolveDNS:
    - hostname: "database.company.internal"
      target:
        hostname: "10.100.0.50"
```
Expose vCluster Externally
Use a LoadBalancer service or an Ingress to expose the virtual cluster:

```yaml
controlPlane:
  service:
    spec:
      type: LoadBalancer
  # OR
  ingress:
    enabled: true
    host: my-vcluster.example.com
```

Either option puts the virtual cluster's API server on an address outside the host cluster. Limit who can reach it (loadBalancerSourceRanges, an internal load balancer, or an ingress restricted to known networks) and make sure the exposed hostname or IP is covered by the proxy certificate's SANs.
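The settings on this page that most change the virtual cluster's security posture (service replication in both directions, the DNS fallback and wildcard resolveDNS rules, a LoadBalancer or ingress in front of the control plane, SSL passthrough with a spec.tls secret, wildcard extraSANs, and podCIDR without private nodes) are easy to review mechanically. The following Python script is an added example written for this page, not vCluster code: it walks a parsed vcluster.yaml (the dict that yaml.safe_load returns) and reports those settings. The rule ids and messages are this script's own, host_namespace is the namespace the vCluster is installed in, LOOSE_CONFIG and HARDENED_CONFIG are constructed samples, and loadBalancerSourceRanges is a standard Kubernetes Service field assumed to pass through controlPlane.service.spec.

```python
"""Review the networking-related parts of a parsed vcluster.yaml.

Added example for this page; not part of vCluster. It inspects only keys
documented here (networking.*, controlPlane.service/ingress/proxy) and reports
settings that widen the virtual cluster's reach into the host cluster or
expose its control plane more broadly than intended. Rule ids and messages
are this script's own. Feed it yaml.safe_load(open("vcluster.yaml")).
"""
from __future__ import annotations

from typing import Any, List, Optional, Tuple

Finding = Tuple[str, str]  # (rule id, message)


def _get(cfg: Any, path: str, default: Any = None) -> Any:
    """Dotted-path lookup that tolerates missing or non-dict intermediates."""
    cur = cfg
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def _ns(ref: Any) -> str:
    """'namespace/name' -> 'namespace'; '' when the reference is malformed."""
    return ref.split("/", 1)[0] if isinstance(ref, str) and "/" in ref else ""


def check_networking(cfg: dict, host_namespace: Optional[str] = None) -> List[Finding]:
    """host_namespace is the host-cluster namespace the vCluster runs in."""
    out: List[Finding] = []
    # podCIDR only applies with private nodes; elsewhere it is a stray setting.
    if _get(cfg, "networking.podCIDR") is not None and not _get(cfg, "privateNodes.enabled"):
        out.append(("podcidr-without-private-nodes",
                    "networking.podCIDR is set but privateNodes.enabled is not true"))
    # DNS fallback: every pod in the vCluster can resolve host services by name.
    if _get(cfg, "networking.advanced.fallbackHostCluster") is True:
        out.append(("dns-fallback", "fallbackHostCluster=true: workloads resolve host "
                    "services such as my-service.my-namespace"))
    # toHost into a namespace other than the vCluster's own needs extra RBAC
    # and publishes a tenant service outside that namespace.
    for e in _get(cfg, "networking.replicateServices.toHost", []) or []:
        if host_namespace is not None and _ns(e.get("to")) != host_namespace:
            out.append(("tohost-cross-namespace", f"toHost {e.get('from')} -> "
                        f"{e.get('to')} leaves {host_namespace} (extra RBAC)"))
    # fromHost: each entry is a host service made reachable inside the vCluster.
    for e in _get(cfg, "networking.replicateServices.fromHost", []) or []:
        out.append(("fromhost-exposure",
                    f"fromHost exposes host service {e.get('from')} as {e.get('to')}"))
    # A wildcard DNS rule hands a whole domain to one target.
    for r in _get(cfg, "networking.resolveDNS", []) or []:
        if str(r.get("hostname", "")).startswith("*."):
            out.append(("dns-wildcard", f"resolveDNS wildcard {r['hostname']} -> {r.get('target')}"))
    # A LoadBalancer with no source ranges is reachable from wherever the LB is.
    spec = _get(cfg, "controlPlane.service.spec", {}) or {}
    if spec.get("type") == "LoadBalancer" and not spec.get("loadBalancerSourceRanges"):
        out.append(("lb-open", "LoadBalancer service without loadBalancerSourceRanges"))
    # With ssl-passthrough the controller never terminates TLS, so a spec.tls
    # secret (e.g. one issued by cert-manager) is not what clients see.
    ann = _get(cfg, "controlPlane.ingress.annotations", {}) or {}
    if (_get(cfg, "controlPlane.ingress.enabled")
            and ann.get("nginx.ingress.kubernetes.io/ssl-passthrough") == "true"
            and _get(cfg, "controlPlane.ingress.spec.tls")):
        out.append(("ingress-passthrough-tls", "ssl-passthrough=true: ingress spec.tls "
                    "is bypassed; clients see the vCluster proxy certificate"))
    # A wildcard SAN makes the proxy certificate valid for every name under it.
    for san in _get(cfg, "controlPlane.proxy.extraSANs", []) or []:
        if str(san).startswith("*."):
            out.append(("san-wildcard", f"extraSANs contains wildcard {san}"))
    return out


# Constructed sample: roughly what this page's examples add up to when combined.
LOOSE_CONFIG: dict = {
    "networking": {
        "podCIDR": "10.244.0.0/16",
        "advanced": {"fallbackHostCluster": True},
        "replicateServices": {
            "toHost": [{"from": "default/webapp", "to": "shared/webapp"}],
            "fromHost": [{"from": "databases/postgres", "to": "default/postgres"}]},
        "resolveDNS": [{"hostname": "*.external.com", "target": {"hostname": "203.0.113.10"}}]},
    "controlPlane": {
        "service": {"enabled": True, "spec": {"type": "LoadBalancer"}},
        "ingress": {
            "enabled": True, "host": "vcluster.example.com",
            "annotations": {"nginx.ingress.kubernetes.io/ssl-passthrough": "true"},
            "spec": {"tls": [{"hosts": ["vcluster.example.com"], "secretName": "vcluster-tls"}]}},
        "proxy": {"extraSANs": ["vcluster.example.com", "*.vcluster.example.com"]}},
}

# Constructed sample: the same intent, tightened (assumes loadBalancerSourceRanges
# passes through controlPlane.service.spec like any other Service field).
HARDENED_CONFIG: dict = {
    "networking": {
        "advanced": {"fallbackHostCluster": False},
        "replicateServices": {"toHost": [{"from": "default/webapp", "to": "vcluster-ns/webapp"}]},
        "resolveDNS": [{"hostname": "api.myapp.internal",
                        "target": {"namespace": "default", "service": "api-service"}}]},
    "controlPlane": {
        "service": {"enabled": True, "spec": {"type": "LoadBalancer",
                                              "loadBalancerSourceRanges": ["10.0.0.0/8"]}},
        "proxy": {"extraSANs": ["vcluster.prod.example.com"]}},
}


if __name__ == "__main__":
    for label, cfg in (("loose", LOOSE_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_networking(cfg, host_namespace="vcluster-ns")
        print(f"{label}: {len(findings)} finding(s)")
        for rule, msg in findings:
            print(f"  [{rule}] {msg}")
```

The fromHost rule reports every entry rather than judging it, because whether a host service belongs inside a tenant cluster is a policy decision; the other rules flag settings that are either misapplied (podCIDR without private nodes, spec.tls behind passthrough) or widen reach beyond what the surrounding configuration suggests was intended.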