What is vCluster?
vCluster provisions fully isolated Kubernetes environments, called tenant clusters, on your existing infrastructure. Each tenant cluster has a dedicated API server, its own RBAC and CRDs, and a cluster experience indistinguishable from a dedicated Kubernetes cluster. Tenant clusters do not require dedicated physical nodes.
Tenant Cluster: A fully isolated Kubernetes environment provisioned for a single tenant. Each tenant cluster has its own API server, controller manager, and resource namespace, backed by a virtualized control plane hosted on a Control Plane Cluster. From the tenant's perspective it behaves exactly like a standard Kubernetes cluster.
What a tenant cluster looks like
From the perspective of a user or workload, a tenant cluster is a full Kubernetes cluster. They receive a kubeconfig scoped to their cluster and interact with it using any conformant tool: kubectl, Helm, Argo CD, Crossplane, and others. They cannot see or reach other tenant clusters or the underlying Control Plane Cluster.
Control Plane Cluster: The Kubernetes cluster that hosts the virtualized control planes for tenant clusters. The Control Plane Cluster is operated by the platform provider and is completely invisible to tenants. There are no shared control plane nodes, no in-cluster agent pods, and no lateral path between tenant environments. With shared nodes, this cluster also runs tenant workloads alongside the control plane pods; the same node pool is used for both.
From the platform operator's perspective, the tenant cluster control plane runs as a pod in a namespace on the Control Plane Cluster. Creating one requires no additional infrastructure.
Isolation model
Each tenant cluster enforces isolation at the API level. Tenants get their own API server, their own etcd, and their own resource namespace. A resource created inside one tenant cluster has no visibility into another. CRDs, admission webhooks, and RBAC policies scope fully to each tenant and cannot affect other tenants or the host.
For workloads that require node-level isolation (GPU infrastructure, regulated industries, or paying external customers), tenant clusters support private nodes where each tenant's workloads run on dedicated compute with no cross-tenant visibility at the infrastructure level.
How Platform manages tenant clusters
vCluster Platform is the management layer for your tenant cluster fleet. It handles:
- Provisioning — create tenant clusters from the UI, CLI, or API, with optional templates that enforce configuration baselines
- Access control — RBAC at the platform, project, and individual cluster level; SSO integration with any OIDC provider
- Lifecycle — sleep, wake, auto-delete, and version upgrades coordinated across the fleet
- Multi-cluster — manage tenant clusters across multiple Control Plane Clusters from a single Platform instance
Learn more
For the full architecture, deployment options, and feature reference, see the vCluster documentation.