**vCluster** creates virtual Kubernetes clusters — isolated Kubernetes API servers that run inside namespaces of a host cluster — giving each tenant a full Kubernetes experience (their own API server, namespaces, CRDs, and controllers) while sharing the underlying physical nodes and networking.
---
### First Principle: The strongest multi-tenancy gives each tenant their own control plane, not just their own namespace.
[[Capsule]] shares the cluster API server — tenants see the same API, just with namespaced resources. vCluster gives each tenant a dedicated, isolated Kubernetes API server. Tenant CRDs, RBAC, and cluster-scoped resources are fully isolated — tenants can install operators, modify RBAC, and use cluster-admin in their vCluster without affecting other tenants.
---
### Key Considerations
- **Architecture**: Each vCluster runs as a StatefulSet in the host cluster, containing a lightweight Kubernetes API server (k3s or k8s), a syncer process, and an etcd instance. The syncer translates virtual objects to real objects in the host namespace.
- **Full Kubernetes API**: Tenants get a real `kubeconfig`, a real `kubectl`, and a real API server. They can install Helm charts, CRDs, operators, and cluster-scoped resources without impacting other tenants.
- **Syncer**: The vCluster syncer ensures that pods created in the virtual cluster actually run on the host cluster nodes. Networking, storage (PVs), and services are synchronised between virtual and host contexts.
- **Isolation Level**: Stronger isolation than [[Capsule]] (separate control plane) but weaker than separate physical clusters (shared node pool). The right choice for SaaS platforms offering "dedicated Kubernetes" to customers.
- **vs Separate Clusters**: Separate clusters give the strongest isolation but require proportionally more control plane overhead. vCluster provides ~85% of the isolation at ~15% of the operational cost.
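
Because the syncer turns tenant pods into real pods in the host namespace on shared nodes, host-side admission, quotas and network policy still bind them. The manifests below are an added example (not from this page or the vCluster project) of such guardrails. The namespace `vcluster-tenant-a`, the object names and all quota values are assumptions, as is the vCluster control-plane pod itself passing the `baseline` profile.

```yaml
# Added example: host-cluster guardrails for one vCluster's namespace (names/values assumed).
apiVersion: v1
kind: Namespace
metadata:
  name: vcluster-tenant-a            # hypothetical host namespace holding one vCluster
  labels:
    # Pod Security Admission runs in the host API server, so it applies to
    # synced pods even when the tenant is cluster-admin inside the vCluster.
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: vcluster-tenant-a
spec:
  hard:                              # ceiling for everything the syncer creates here
    pods: "50"
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
---
apiVersion: v1
kind: LimitRange                     # defaults, so pods without resources still pass the quota
metadata:
  name: tenant-a-defaults
  namespace: vcluster-tenant-a
spec:
  limits:
    - type: Container
      defaultRequest: {cpu: 100m, memory: 128Mi}
      default: {cpu: "1", memory: 512Mi}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-a-same-namespace-only
  namespace: vcluster-tenant-a
spec:
  podSelector: {}                    # every pod in the namespace, control plane included
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {}            # same-namespace traffic only; add a rule for the
                                     # ingress controller if the API is exposed through one
```

These objects are applied to the host cluster, not inside the vCluster, so the tenant's cluster-admin role in the virtual API server has no authority over them.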
---
### How It Fits
```
Host [[Kubernetes]] cluster (shared node pool)
→ vCluster (per-tenant virtual API server + etcd)
→ Tenant kubectl / Helm / operators (fully isolated experience)
→ [[Capsule]] (optional additional guardrails on host)
```
[[Capsule]] | [[Kubernetes]] | [[Rancher]] | [[Keycloak]] | [[Open Source Hyperscaler MoC]]