Loft Labs announced that its open-source technology vcluster adds an isolated mode for virtual clusters, which reduces the work required by administrators to isolate tenants in multi-tenant Kubernetes clusters.
Virtual clusters spun up with vcluster are logically isolated by having separate Kubernetes control planes, but the workloads running inside these virtual clusters (pods and their containers) are not isolated by default.
Previously, any Kubernetes security mechanisms for vcluster workloads had to be created manually by the cluster administrators. Now, with vcluster’s isolated mode, a variety of Kubernetes security controls will be enabled and auto-configured without the need for manual configuration, including:
- Pod security standards (admission control policies)
- Resource quotas and limit ranges
- Network policies
Isolated mode enforces baseline workload isolation policies, but administrators can harden these further and retain full control over customizing them to their security requirements.
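As an added illustration (not vcluster's generated configuration and not from Loft Labs), these are hand-written manifests of the three control types listed above, applied to the host namespace one virtual cluster runs in. The namespace name `tenant-a` and all quota and limit values are assumptions.

```yaml
# Constructed example: names and numbers are assumptions, not vcluster defaults.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a   # hypothetical host namespace holding one virtual cluster
  labels:
    # Pod Security Admission: reject pods that violate the "baseline" standard
    pod-security.kubernetes.io/enforce: baseline
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:            # caps what the whole tenant can consume
    requests.cpu: "4"
    requests.memory: 8Gi
    pods: "20"
---
apiVersion: v1
kind: LimitRange
metadata:
  name: tenant-a-limits
  namespace: tenant-a
spec:
  limits:
    - type: Container   # defaults so pods without requests still pass the quota
      defaultRequest: {cpu: 100m, memory: 128Mi}
      default: {cpu: 500m, memory: 512Mi}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-a-isolate
  namespace: tenant-a
spec:
  podSelector: {}                   # applies to every pod in the namespace
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - podSelector: {}           # only pods from the same namespace
  egress:
    - to:
        - podSelector: {}           # same-namespace traffic
    - ports:                        # DNS lookups to any destination
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
```

The NetworkPolicy only takes effect when the cluster's network plug-in enforces NetworkPolicy objects.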
“Before, admins had to add security constraints for virtual clusters themselves which added complexity and required ongoing maintenance. Now, with isolated mode, we as project maintainers provide a default set of security measures that we recommend as best practice for isolating virtual clusters,” said Lukas Gentele, Co-founder and CEO, Loft Labs. “Of course, admins can tweak isolation constraints to their use cases and to their organization’s security policies but we make it easier for them to kick the tires with vcluster while enforcing stricter security boundaries by default and right from the start.”
The vcluster open source software is growing quickly, with more than 500,000 downloads and over 1,300 stars on GitHub less than a year after its initial release. First launched in April 2021, vcluster is used to create lightweight Kubernetes clusters that run inside the namespaces of underlying Kubernetes clusters. Using virtual clusters solves the majority of multi-tenancy issues of Kubernetes because they offer:
- Better isolation than simple namespace-based multi-tenancy;
- Reduced cloud computing cost because virtual clusters are much more lightweight and resource-efficient than spinning up separate single-tenant clusters;
- Logical separation and encapsulation of application workloads from the underlying cluster’s shared infrastructure workloads (such as shared ingress controller or network plug-ins).
At the same time, virtual cluster users can expect that their virtual cluster behaves just like any regular Kubernetes cluster because vcluster is a certified Kubernetes distribution, which means that it passes all conformance tests that CNCF requires. Virtual clusters are often used as development environments when engineers are building, testing and debugging cloud-native software, but they are also frequently used as ephemeral environments for executing continuous integration/continuous delivery (CI/CD) pipelines.