loft-sh/vcluster v0.6.0-beta.0

on GitHub

Plugins

Plugins are a feature to extend the capabilities of vcluster. They allow you to add custom functionality, such as:

1. Syncing specific resources from or to the virtual clusters, including cluster scoped resources like cluster roles
2. Syncing custom resources from or to the virtual cluster
3. Deploying resources on virtual cluster startup, such as CRDs, applications, etc.
4. Manage resources and applications inside the host or virtual cluster
5. Enforcing certain restrictions on synced resources or extending the existing syncers of vcluster
6. Any other operator use case that could benefit from having access to the virtual cluster and the host cluster simultaneously.

For more information, please take a look at the vcluster docs.

Pause and Resume vclusters

vcluster is now able to pause and resume. Pausing a vcluster means to temporarily scale down the vcluster and delete all its created workloads on the host cluster. This can be useful to save computing resources used by vcluster workloads in the host cluster.

For more information please checkout the vcluster docs

Directly execute a command with vcluster connect in same shell

vcluster now allows command execution with vcluster context in command vcluster connect. For example:

# Retrieve vcluster namespaces
vcluster connect test -n test -- kubectl get ns

# New shell with vcluster kube context
vcluster connect test -n test -- bash

Expiring kube configs & automatic service account creation

vcluster is now able to automatically create service account tokens for generated kube configs, which allow you to easily create kube configs for other vcluster users that should not be cluster admin. For example:

# Create a kube config for a cluster viewer
vcluster connect my-vcluster -n my-vcluster --service-account viewer --cluster-role view

# OR: create a kube config for a cluster admin
vcluster connect my-vcluster -n my-vcluster --service-account admin --cluster-role cluster-admin

# OR: create a kube config that expires after an hour
vcluster connect my-vcluster -n my-vcluster --service-account viewer --cluster-role view --token-expiration 3600

This makes it also possible to use vcluster more easily without ingresses that require ssl passthrough. For more information please checkout the vcluster access docs and vcluster ingress docs

Support for VolumeSnapshots

vcluster now supports syncing of volume snapshots between the host and virtual cluster, that can be enabled via a values.yaml:

sync:
  volumesnapshots:
    enabled: true

and then used via:

vcluster create ... -f values.yaml

Support for PodDisruptionBudgets

vcluster now suports syncing of pod disruption budgets between the host and virtual cluster, that can be enabled via a values.yaml:

sync:
  poddisruptionbudgets:
    enabled: true

and then used via:

vcluster create ... -f values.yaml

Deprecations:

• .rbac.clusterRole.create, .rbac.role.extended - both helm values will be removed in a future version of vcluster. Their function is replaced by the new .sync.* helm values, which will ensure that minimal necessary RBAC role and clusterrole is created based on the resources that will be synced by vcluster.
• .rbac.role.create helm value will be removed in future version of vcluster and minimal standard role will always be created.
• --create-cluster-role flag of the vcluster create CLI command is deprecated for the same reasons as the .rbac.clusterRole.create helm value, as described above.

Other Changes

• cli: New flag --insecure for vcluster connect to create a kube config with insecure-skip-tls-verify
• cli: vcluster create can now use urls as value for -f flags
• cli: New command vcluster get service-cidr to print the current clusters service cidr
• cli: Notify the user about incompatible workdir file when running vcluster create
• cli: vcluster connect will now use a random port locally to avoid port conflicts if no --local-port flag is specified.
• cli: Added shortcut -s for global flag --silent
• cli: New eks distro (thanks @rothgar)
• syncer: Removed core dns tolerations (thanks @mtougeron)
• syncer: Make initial kube config secret creation non-fatal
• syncer: If phyiscal and virtual pod have a node assigned and they differ, delete the physical pod
• syncer: Sync service nodePort from host cluster instead of virtual cluster
• syncer: Only write coredns manifests to local file if environment variable "DEBUG" is "true"
• syncer: Use vcluster service as owner instead of deployment / statefulset, because we can set the controller: true in the owner reference for it, which allows node draining (drain #273)
• syncer: Fixed an issue where webhooks were not correctly resolved in vcluster
• syncer: Start controllers after api server started
• syncer: Fixed syncer cache race condition after Service creation
• syncer: Improved node / pod syncer logic to make it more robust
• syncer: New --toleration flag to add tolerations automatically to each pod (#330 thanks @kuuji)
• syncer: the --sync flag can now be passed to the syncer multiple times, and all the values will be combined. Disabling sync of a certain resource with a --sync=-resource flag still takes precedence over any enabling --sync=resource flags that might follow.
• chart: Fixed a problem where k3s would not startup correctly on cgroupsv2 nodes (#264)
• chart: new .sync.* values have been added to control which resources are being synced, and which permissions are given to vcluster via RBAC role and cluster role. This way the RBAC permissions are controlled on a more granular level, and the old .rbac helm values are deprecated. Using the .sync.RESOURCE.enabled values is now the recommended way to enable/disable which resources are synced. See docs for usage examples - https://www.vcluster.com/docs/architecture/synced-resources
• chart: the .sync.nodes.syncAllNodes, .sync.nodes.nodeSelector and .sync.nodes.syncNodeChanges values have been added for easier control of node syncing behavior via helm charts and more precise RBAC permissions controll. See docs for usage examples - https://www.vcluster.com/docs/architecture/nodes . Direct use of the --sync-all-nodes, --node-selector and --enforce-node-selector syncer args is not recommended because the associated RBAC permissions may be missing.
• chart: add support for externalIPs & externalTrafficPolicy (thanks @log1cb0mb)
• other: vcluster now uses cosign to sign its images and binaries (#220). Thanks @developer-guy for your contribution!
• other: For each release there will be a new vcluster-images.txt which holds all the needed images by vcluster. In addition, we include two scripts to download and push the needed images automatically