vcluster

module

v0.35.0-alpha.1 Latest Latest Go to latest Published: Apr 28, 2026 License: Apache-2.0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/loft-sh/vcluster

Links

Open Source Insights

README ¶

Tenant Clusters for Production Kubernetes and AI Infrastructure

Virtual control planes, real isolation — from a single node to 100K-GPU superclusters.

Website • Quickstart • Documentation • Blog • Slack

CNCF Certified Kubernetes — Distribution · Kubernetes AI Conformant (v1.35)

What is vCluster?

vCluster creates Tenant Clusters — fully isolated Kubernetes environments that run on top of a Control Plane Cluster, on dedicated infrastructure, or standalone on bare metal. Each tenant gets its own API server, CRDs, and RBAC, with a cluster experience indistinguishable from a dedicated Kubernetes cluster.

Built for production. Trusted in production. 40M+ Tenant Clusters deployed by teams at Adobe, CoreWeave, NVIDIA, Lintasarta, Atlan, Deloitte, and hundreds of AI clouds, AI factories, and Fortune 500 platform organizations.

CNCF Certified Kubernetes — Distribution and Kubernetes AI Conformant (v1.35) — every Tenant Cluster is upstream Kubernetes with no vendor lock‑in, validated for portable AI/ML workloads (training, inference, agentic).

The public-cloud experience, on your own infrastructure. Give every team the Kubernetes they need — with strict isolation, hardware-aware scheduling, and zero tenant sprawl — whether you run one region or 100K GPUs.

🚀 Quick Start

# Install vCluster CLI
brew install loft-sh/tap/vcluster

# Create a Tenant Cluster
vcluster create my-vcluster --namespace team-x

# Use kubectl as usual — you're now in your Tenant Cluster
kubectl get namespaces

Prerequisites: A running Kubernetes cluster and kubectl configured. Or go straight to bare metal with vCluster Standalone.

👉 Full Quickstart Guide

🐳 Run Locally with Docker — vind

No Kubernetes cluster? Run vCluster directly on Docker with vind (vCluster in Docker) — like kind, but with the full vCluster feature set (UI, sleep/resume, LoadBalancer, image cache):

vcluster create my-vcluster --driver docker
kubectl get namespaces

🎮 Try in the Browser

🎁 vCluster Free Tier

Real usage, not a gated demo. Unlimited Tenant Clusters up to 64 CPUs / 32 GPUs, Private Nodes, Auto Nodes, Standalone, and the Platform UI — for free. Get Started Free →

🆕 What's New

Version	Feature	Description
v0.33	Enterprise Reliability & Storage	Automatic leaf-cert regeneration, Azure Blob snapshot destinations, workload-level sleep annotations
v0.32	Docker Driver & DRA	Run vCluster on Docker, Dynamic Resource Allocation (DRA) for GPU workloads, in-place pod resizing
v0.31	Snapshots & Cross-Cluster APIs	Expanded snapshot/restore lifecycle, PDBs for Tenant Cluster control planes, cross-cluster resource proxying
v0.30	vCluster VPN & Netris Integration	Tailscale-powered overlay networking and automated hardware isolation via Netris
v0.27–v0.29	Architecture Foundations	Private Nodes (v0.27, CNI/CSI isolation), Auto Nodes (v0.28, Karpenter autoscaling), Standalone Mode (v0.29, bare metal / no Control Plane Cluster)

👉 Full Changelog

🎯 Use Cases

Use Case	Description	Learn More
AI Factory	Run AI on-prem where your data and GPUs live. Give every team the GPU access they need without multiplying infrastructure.	View →
AI Cloud Providers	Launch a hyperscaler-like Kubernetes experience for your GPU customers. Isolated, production-grade, in minutes.	View →
Internal GPU Platform	Maximize GPU utilization without sacrificing isolation. Self-service Kubernetes for AI/ML teams.	View →
Bare Metal Kubernetes	Run production Kubernetes on bare metal with zero VMs. Isolation without expensive virtualization overhead.	View →
Software Vendors	Ship Kubernetes-native products. Each customer gets their own isolated Tenant Cluster.	View →
Environments & Cost Savings	Consolidate clusters, pause idle workloads with sleep mode, and cut Kubernetes cost at scale.	View →

🏗️ Architectures

vCluster supports multiple deployment architectures. Each builds on the previous, offering progressively stronger isolation — from dense shared infrastructure to fully standalone bare metal.

Architecture Comparison

	Shared Nodes	Dedicated Nodes	Private Nodes	Standalone
Control Plane Cluster	Required	Required	Required	Not Required
Node Isolation	❌	✅	✅	✅
CNI/CSI Isolation	❌	❌	✅	✅
Bare Metal Ready	—	—	✅	✅
Best For	Dev/test, density	Production tenants	Compliance, GPU	AI factories, edge

👉 Full Architecture Guide

Minimal Configuration

🔹 Shared Nodes — Maximum density, minimum cost

Tenant Clusters share the Control Plane Cluster's nodes. Workloads run as regular pods in a namespace.

sync:
  fromHost:
    nodes:
      enabled: false  # Uses pseudo nodes

🔹 Dedicated Nodes — Isolated compute on labeled node pools

Tenant Clusters get their own set of labeled nodes on the Control Plane Cluster. Workloads are isolated but still managed by the Control Plane Cluster.

sync:
  fromHost:
    nodes:
      enabled: true
      selector:
        labels:
          tenant: my-tenant

🔹 Private Nodes ^v0.27+ — Full CNI/CSI isolation

External nodes join the Tenant Cluster directly with their own CNI, CSI, and networking stack. Complete workload isolation from the Control Plane Cluster.

privateNodes:
  enabled: true
controlPlane:
  service:
    spec:
      type: NodePort

🔹 vCluster Standalone ^v0.29+ — No Control Plane Cluster required

Run vCluster without any Control Plane Cluster. Deploy the Virtual Control Plane directly on bare metal or VMs. The highest level of isolation — vCluster becomes the cluster.

controlPlane:
  standalone:
    enabled: true
    joinNode:
      enabled: true
privateNodes:
  enabled: true

⚡ Auto Nodes ^v0.28+ — Karpenter-powered dynamic autoscaling

Automatically provision and deprovision private nodes based on workload demand. Works across public cloud, private cloud, hybrid, and bare metal environments.

autoNodes:
  enabled: true
  nodeProvider: <provider>
privateNodes:
  enabled: true

✨ Key Features

Feature	Description
🎛️ Isolated Virtual Control Plane	Each Tenant Cluster gets its own API server, controller manager, and data store — complete Kubernetes API isolation
🔗 Shared Platform Stack	Leverage the Control Plane Cluster's CNI, CSI, ingress, and other infrastructure — no duplicate platform components
🔒 Strong Tenant Isolation	Tenants get admin access inside their Tenant Cluster while having minimal permissions on the Control Plane Cluster
🔄 Resource Syncing	Bidirectional sync of any Kubernetes resource — pods, services, secrets, configmaps, CRDs, and more
💤 Sleep Mode	Pause inactive Tenant Clusters to save resources. Instant wake when needed
🖥️ Bare Metal & Standalone	Run with or without a Control Plane Cluster. Purpose-built for AI factories and on-prem GPU fleets
🧩 Integrations	Native support for cert-manager, external-secrets, KubeVirt, Istio, and metrics-server
📊 High Availability	Multiple replicas with leader election. Embedded etcd or external databases (PostgreSQL, MySQL, RDS)

🌐 The vCluster Platform

vCluster is the foundation of a broader platform for running production Kubernetes and AI infrastructure on your own hardware — from a single rack to 100K-GPU supercomputers.

Product	What it does
vCluster	Tenant Clusters — Virtual Control Planes with API, data, and (optionally) network isolation
vNode	Runtime-level tenant isolation. Kernel-enforced boundaries (seccomp, cgroups, namespaces, AppArmor) without VM overhead
vMetal	Zero-touch bare metal provisioning for GPU fleets. Turns GPU racks into a cloud platform
Netris (integration)	Hardware-enforced network isolation via programmatic VLANs, VRFs, and ACLs

Together these deliver the four layers of an AI factory: Certified Stacks → Tenant Isolation → Tenant Clusters → GPU Infrastructure Operations — the same pattern used to run production AI on hundreds of GPU clouds and Fortune 500 on-prem platforms.

🏢 Trusted By

Atlan 100 → 1 clusters	Aussie Broadband 99% faster provisioning	CoreWeave GPU cloud at scale
Lintasarta 170+ Tenant Clusters in prod	Fortune 500 Insurance 70% reduction in Kubernetes cost	Scanmetrix 99% faster deployments
Deloitte Enterprise K8s platform	Ada 10x Developer Productivity	Trade Connectors 50% reduction in K8s ops cost

Also used by: NVIDIA, ABBYY, Precisely, Shipwire, and many more — with 50+ GPU clouds and Fortune 500s running vCluster in production.

👉 View All Case Studies

📚 Learn More

🎤 Conference Talks

Event	Speaker	Title	Link
KubeCon NA 2025 (Keynote)	Lukas Gentele	Autoscaling GPU Clusters Anywhere — Hyperscalers, Neoclouds & Baremetal	Watch
Platform Engineering Day NA 2025 (Keynote)	Saiyam Pathak	AI-Ready Platforms: Scaling Teams Without Scaling Costs	Watch
Rejekts NA 2025	Hrittik Roy, Saiyam Pathak	Beyond the Default Scheduler: Navigating GPU MultiTenancy in AI Era	Watch
KubeCon EU 2025	Paco Xu, Saiyam Pathak	A Huge Cluster or Multi-Clusters? Identifying the Bottleneck	Watch
HashiConf 2025	Scott McAllister	GPU sharing done right: Secrets, security, and scaling with Vault and vCluster	Watch
FOSDEM 2025	Hrittik Roy, Saiyam Pathak	Accelerating CI Pipelines: Rapid Kubernetes Testing with vCluster	Watch
KubeCon India 2024 (Keynote)	Saiyam Pathak	From Outage To Observability: Lessons From a Kubernetes Meltdown	Watch
CNCF Book Club 2024	Marc Boorshtein	Kubernetes - An Enterprise Guide (vCluster)	Watch
KCD NYC 2024	Lukas Gentele	Tenant Autonomy & Isolation In Multi-Tenant Kubernetes Clusters	Watch
KubeCon EU 2023	Ilia Medvedev, Kostis Kapelonis	How We Securely Scaled Multi-Tenancy with VCluster, Crossplane, and Argo CD	Watch
KubeCon NA 2022	Joseph Sandoval, Dan Garfield	How Adobe Planned For Scale With Argo CD, Cluster API, And VCluster	Watch
KubeCon NA 2022	Whitney Lee, Mauricio Salatino	What a RUSH! Let's Deploy Straight to Production!	Watch
TGI Kubernetes 2022	TGI	TGI Kubernetes 188: vCluster	Watch
Mirantis Tech Talks 2022	Mirantis	Multi-tenancy & Isolation using Virtual Clusters (vCluster) in K8s	Watch
Solo Webinar 2022	Rich Burroughs, Fabian Keller	Speed your Istio development environment with vCluster	Watch
KubeCon NA 2021	Lukas Gentele	Beyond Namespaces: Virtual Clusters are the Future of Multi-Tenancy	Watch

🎬 Community Voice

Channel	Speaker	Title	Link
TeKanAid 2024	TeKanAid	Getting Started with vCluster: Build Your IDP with Backstage, Crossplane, and ArgoCD	Watch
Rawkode 2021	David McKay, Lukas Gentele	Hands on Introduction to vCluster	Watch
Kubesimplify 2021	Saiyam Pathak, Lukas Gentele	Let's Learn vCluster	Watch
TechWorld with Nana 2021	Nana	Build your Self-Service Kubernetes Platform with Virtual Clusters	Watch
DevOps Toolkit 2021	Viktor Farcic	How To Create Virtual Kubernetes Clusters	Watch

👉 YouTube Channel • Blog

🤝 Contributing

We welcome contributions! Check out our Contributing Guide to get started.

🔗 Links

Resource	Link
📖 Documentation	vcluster.com/docs
💬 Slack Community	slack.loft.sh
🌐 Website	vcluster.com
🐦 X (Twitter)	@vcluster
💼 LinkedIn	vCluster
💬 Chat with Expert	Start Chat

📜 License

vCluster is licensed under the Apache 2.0 License.

Made with ❤️ by the vCluster community.

⭐ Star us on GitHub — it helps!

Directories ¶

Path	Synopsis
cmd
vcluster command
vcluster/cmd
vcluster/cmd/certs
vcluster/cmd/debug
vcluster/cmd/debug/etcd
vcluster/cmd/debug/mappings
vcluster/cmd/node
vcluster/cmd/snapshot
vclusterctl command
vclusterctl/cmd
vclusterctl/cmd/certs
vclusterctl/cmd/credits
vclusterctl/cmd/debug
vclusterctl/cmd/node
vclusterctl/cmd/platform
vclusterctl/cmd/platform/add
vclusterctl/cmd/platform/backup
vclusterctl/cmd/platform/connect
vclusterctl/cmd/platform/create
vclusterctl/cmd/platform/delete
vclusterctl/cmd/platform/get
vclusterctl/cmd/platform/list
vclusterctl/cmd/platform/set
vclusterctl/cmd/platform/share
vclusterctl/cmd/platform/sleep
vclusterctl/cmd/platform/wakeup
vclusterctl/cmd/registry
vclusterctl/cmd/snapshot
vclusterctl/cmd/telemetry
vclusterctl/cmd/token
vclusterctl/cmd/use
config
legacyconfig
e2e-next
clusters Package clusters defines shared cluster infrastructure for e2e tests.	Package clusters defines shared cluster infrastructure for e2e tests.
constants
init
labels Package labels lists the Ginkgo labels used across the e2e-next suite.	Package labels lists the Ginkgo labels used across the e2e-next suite.
setup
setup/lazyvcluster Package lazyvcluster wraps e2e-framework's vcluster.Create with YAML template rendering and the shared DefaultVClusterOptions bag.	Package lazyvcluster wraps e2e-framework's vcluster.Create with YAML template rendering and the shared DefaultVClusterOptions bag.
setup/template
test_core/coredns Package coredns contains CoreDNS resolution tests.	Package coredns contains CoreDNS resolution tests.
test_core/export_kubeconfig
test_core/lifecycle Package lifecycle contains vCluster CLI lifecycle tests (connect, pause/resume, etc.).	Package lifecycle contains vCluster CLI lifecycle tests (connect, pause/resume, etc.).
test_core/sync Package sync contains core resource sync tests (pods, PVCs, services, etc.).	Package sync contains core resource sync tests (pods, PVCs, services, etc.).
test_core/sync/fromhost Package fromhost contains fromHost sync tests.	Package fromhost contains fromHost sync tests.
test_deploy Package test_deploy contains deployment tests (Helm charts, init manifests).	Package test_deploy contains deployment tests (Helm charts, init manifests).
test_integration/metricsproxy Package metricsproxy contains metrics proxy integration tests.	Package metricsproxy contains metrics proxy integration tests.
test_integration/plugin Package plugin contains legacy vCluster plugin tests (v1 and v2).	Package plugin contains legacy vCluster plugin tests (v1 and v2).
test_modes/nodesync Package nodesync contains all-nodes sync mode tests.	Package nodesync contains all-nodes sync mode tests.
test_modes/scheduler Package scheduler contains virtual scheduler tests.	Package scheduler contains virtual scheduler tests.
test_security/certs Package certs contains certificate rotation and expiration tests.	Package certs contains certificate rotation and expiration tests.
test_security/isolation Package isolation contains isolation mode tests.	Package isolation contains isolation mode tests.
test_security/kubeletproxy Package kubeletproxy contains kubelet proxy access control tests.	Package kubeletproxy contains kubelet proxy access control tests.
test_security/rootless Package rootless contains rootless mode tests.	Package rootless contains rootless mode tests.
test_security/webhook Package webhook contains admission webhook tests.	Package webhook contains admission webhook tests.
test_storage/snapshot Package snapshot contains snapshot and restore tests.	Package snapshot contains snapshot and restore tests.
hack
assets
assets/cmd command
compat-matrix command
schema command
pkg
apis
apiservice
authentication/bearertoken
authentication/delegatingauthenticator
authentication/platformauthenticator
authorization/allowall
authorization/delegatingauthorizer
authorization/impersonationauthorizer
authorization/kubeletauthorizer
certs
cli
cli/certs
cli/completion
cli/config
cli/destroy
cli/email
cli/find
cli/flags
cli/flags/connect
cli/flags/create
cli/flags/delete
cli/localkubernetes
cli/oci
cli/podprinter
cli/printhelper
cli/standalone
cli/start
cli/util
config
constants
controllers
controllers/coredns
controllers/deploy
controllers/k8sdefaultendpoint
controllers/podsecurity
controllers/resources
controllers/resources/configmaps
controllers/resources/csidrivers
controllers/resources/csinodes
controllers/resources/csistoragecapacities
controllers/resources/endpoints
controllers/resources/endpointslices
controllers/resources/events
controllers/resources/ingressclasses
controllers/resources/ingresses
controllers/resources/namespaces
controllers/resources/networkpolicies
controllers/resources/nodes
controllers/resources/nodes/nodeservice
controllers/resources/persistentvolumeclaims
controllers/resources/persistentvolumes
controllers/resources/poddisruptionbudgets
controllers/resources/pods
controllers/resources/pods/scheduling
controllers/resources/pods/token
controllers/resources/pods/translate
controllers/resources/priorityclasses
controllers/resources/runtimeclasses
controllers/resources/secrets
controllers/resources/serviceaccounts
controllers/resources/services
controllers/resources/storageclasses
controllers/resources/volumesnapshotclasses
controllers/resources/volumesnapshotcontents
controllers/resources/volumesnapshots
controllers/servicesync
coredns
docker
embed
etcd
helm
integrations
integrations/metricsserver
k8s
kube
kubeadm
leaderelection
lifecycle
log
mappings
mappings/generic
mappings/resources
mappings/store
mappings/store/verify
patcher
platform
platform/backup
platform/clihelper
platform/defaults
platform/kube
platform/kubeconfig
platform/random
platform/sleepmode
plugin
plugin/types
plugin/v1
plugin/v1/remote
plugin/v2
plugin/v2/pluginv2
pro
projectutil
scheme
server
server/cert
server/filters
server/handler
server/types
setup
setup/config
snapshot
snapshot/azure
snapshot/container
snapshot/oci
snapshot/options
snapshot/pod
snapshot/s3
snapshot/types
snapshot/volumes
snapshot/volumes/csi
snapshot/volumes/csi/deploy
specialservices
strvals
syncer
syncer/synccontext
syncer/testing
syncer/translator
syncer/types
telemetry
upgrade
util
util/applier
util/archive
util/base36
util/blockingcacheclient
util/certhelper
util/clienthelper
util/clihelper
util/command
util/commandwriter
util/compress
util/debugshell
util/encoding
util/helmdownloader
util/http
util/kubeconfig
util/log
util/loghelper
util/maps
util/namespaces
util/osutil
util/patch
util/pluginhookclient
util/podhelper
util/portforward
util/random
util/request
util/ringbuffer
util/serverhelper
util/serviceaccount
util/servicecidr
util/standalone
util/stringutil
util/testing
util/toleration
util/translate
util/websocketproxy Package websocketproxy is a reverse proxy for WebSocket connections.	Package websocketproxy is a reverse proxy for WebSocket connections.
test
framework

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL