Control node IP visibility
When vCluster syncs real nodes from the control plane cluster, it obfuscates node IP addresses by default. This behavior protects sensitive information in tenant isolation environments while still providing node features.
Node IP obfuscation provides several benefits:
- Security: Prevents exposure of control plane cluster network topology in tenant isolation environments.
- Privacy: Protects sensitive infrastructure information from tenant cluster users.
- Isolation: Maintains logical separation between tenant and control plane clusters.
Default behavior
By default, when you enable real node syncing:
```yaml
sync:
  fromHost:
    nodes:
      enabled: true
```
vCluster automatically replaces the actual node IP addresses with obfuscated values. For example, if a host node has IP 192.168.1.100, it appears in the tenant cluster with a generated IP like 10.0.0.1.
Control IP visibility with patches
This feature is an Enterprise feature. See our pricing plans or contact our sales team for more information.
Remove IP information completely
To remove IP addresses entirely from synced nodes:
```yaml
sync:
  fromHost:
    nodes:
      enabled: true
      patches:
        - path: status.addresses
          expression: |
            []
```
Advanced node information control
You can use patches to control other sensitive node information beyond IP addresses:
Hide system information
```yaml
sync:
  fromHost:
    nodes:
      enabled: true
      patches:
        - path: status.nodeInfo.bootID
          expression: '""'
        - path: status.nodeInfo.systemUUID
          expression: '""'
        - path: status.nodeInfo.machineID
          expression: '""'
```
Selective field obfuscation
```yaml
sync:
  fromHost:
    nodes:
      enabled: true
      patches:
        - path: status.nodeInfo.osImage
          expression: '"Linux"'
        - path: status.nodeInfo.kernelVersion
          expression: '"Hidden"'
```
Use node selectors
When using node selectors with obfuscated IPs, focus on labels rather than IP-based selection:
```yaml
sync:
  fromHost:
    nodes:
      enabled: true
      selector:
        labels:
          node-role.kubernetes.io/worker: "true"
          environment: "production"
```
This approach ensures your workloads can still be scheduled appropriately without relying on specific IP addresses.
Troubleshoot node IP issues
Verify obfuscation
To check if IP obfuscation is working:
- Compare node information between control plane and tenant clusters:
  ```shell
  kubectl get nodes -o wide
  vcluster connect my-vcluster -- kubectl get nodes -o wide
  ```
- Inspect node details:
  ```shell
  vcluster connect my-vcluster -- kubectl describe node <node-name>
  ```
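The manual comparison above can be automated. The following script is an added example, not part of vCluster or its documentation: it takes the JSON output of `kubectl get nodes -o json` from the host cluster and the same output taken through `vcluster connect`, reports any tenant node that still shows a real host-cluster IP (`InternalIP`/`ExternalIP` entries; `Hostname` entries are not IPs), and reports any of the `bootID`, `systemUUID` and `machineID` fields that the "Hide system information" patch should have blanked but which are still populated. The two embedded NodeList documents are constructed sample data (names, IPs and IDs are made up); when two file paths are given on the command line they are used instead. Host IPs are compared against every tenant node rather than only the node with the same name, so the check does not depend on how node names map between the two clusters.

```python
"""Verify that node IP obfuscation (and any nodeInfo patches) took effect in a
tenant cluster. Added example, not vCluster's own tooling. It compares two
`kubectl get nodes -o json` documents: one from the host cluster and one taken
through `vcluster connect`. Usage with real data:

    kubectl get nodes -o json > host.json
    vcluster connect my-vcluster -- kubectl get nodes -o json > tenant.json
    python check_node_obfuscation.py host.json tenant.json

Without arguments it runs against the constructed sample documents below.
"""
import json
import sys

# nodeInfo fields that the "Hide system information" patch blanks.
SENSITIVE_NODEINFO_FIELDS = ("bootID", "systemUUID", "machineID")

# Constructed sample: host-cluster view. Names, IPs and IDs are made up.
HOST_NODES_JSON = json.dumps({"kind": "NodeList", "items": [
    {"metadata": {"name": "worker-1"},
     "status": {"addresses": [{"type": "InternalIP", "address": "192.168.1.100"},
                              {"type": "Hostname", "address": "worker-1"}],
                "nodeInfo": {"bootID": "host-boot-1", "systemUUID": "host-uuid-1",
                             "machineID": "host-machine-1"}}},
    {"metadata": {"name": "worker-2"},
     "status": {"addresses": [{"type": "InternalIP", "address": "192.168.1.101"},
                              {"type": "Hostname", "address": "worker-2"}],
                "nodeInfo": {"bootID": "host-boot-2", "systemUUID": "host-uuid-2",
                             "machineID": "host-machine-2"}}},
]})

# Constructed sample: tenant-cluster view. worker-1 is obfuscated correctly;
# worker-2 still shows its real IP and two unblanked nodeInfo fields.
TENANT_NODES_JSON = json.dumps({"kind": "NodeList", "items": [
    {"metadata": {"name": "worker-1"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.0.0.1"},
                              {"type": "Hostname", "address": "worker-1"}],
                "nodeInfo": {"bootID": "", "systemUUID": "", "machineID": ""}}},
    {"metadata": {"name": "worker-2"},
     "status": {"addresses": [{"type": "InternalIP", "address": "192.168.1.101"},
                              {"type": "Hostname", "address": "worker-2"}],
                "nodeInfo": {"bootID": "host-boot-2", "systemUUID": "host-uuid-2",
                             "machineID": ""}}},
]})


def ip_addresses(node):
    """IP-typed addresses of one Node; Hostname entries are not IPs and are skipped."""
    return {a["address"] for a in node.get("status", {}).get("addresses", [])
            if a.get("type") in ("InternalIP", "ExternalIP")}


def leaked_addresses(host_doc, tenant_doc):
    """(node name, ip) pairs where a tenant node exposes any real host-cluster IP.

    Every host IP is checked against every tenant node, so a leak is caught even
    if node names differ between the two views.
    """
    host_ips = set()
    for node in host_doc.get("items", []):
        host_ips |= ip_addresses(node)
    leaks = []
    for node in tenant_doc.get("items", []):
        name = node["metadata"]["name"]
        for ip in sorted(ip_addresses(node) & host_ips):
            leaks.append((name, ip))
    return leaks


def populated_node_info(tenant_doc, fields=SENSITIVE_NODEINFO_FIELDS):
    """(node name, field) pairs where a sensitive nodeInfo field is still non-empty."""
    exposed = []
    for node in tenant_doc.get("items", []):
        info = node.get("status", {}).get("nodeInfo", {})
        for field in fields:
            if info.get(field):
                exposed.append((node["metadata"]["name"], field))
    return exposed


def check_obfuscation(host_json, tenant_json):
    """Parse both documents and report findings; 'ok' is True only when nothing leaked."""
    host_doc, tenant_doc = json.loads(host_json), json.loads(tenant_json)
    leaks = leaked_addresses(host_doc, tenant_doc)
    exposed = populated_node_info(tenant_doc)
    return {"leaked_ips": leaks, "populated_node_info": exposed,
            "ok": not leaks and not exposed}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as host_file, open(sys.argv[2]) as tenant_file:
            result = check_obfuscation(host_file.read(), tenant_file.read())
    else:
        result = check_obfuscation(HOST_NODES_JSON, TENANT_NODES_JSON)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

Run against the sample data, the script exits non-zero and lists worker-2's leaked `192.168.1.101` and its still-populated `bootID` and `systemUUID`, while worker-1 (obfuscated to `10.0.0.1`, all three fields blank) produces no finding. A non-zero exit makes the check easy to wire into a pre-production pipeline step.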
Common issues
- Networking problems: Some network policies or CNI plugins may require real IP addresses. Test thoroughly when modifying IP obfuscation.
- Monitoring tools: Tools that rely on node IPs may need adjustment when IPs are obfuscated.
- Service discovery: Services that use node IPs directly may require alternative approaches.
Best practices
- Default to obfuscation: Keep IP obfuscation enabled unless you have specific requirements for real IPs.
- Use labels: Rely on node labels rather than IPs for workload scheduling and management.
- Document changes: Clearly document any modifications to default obfuscation behavior.
- Test thoroughly: Verify that your applications work correctly with obfuscated IPs before production deployment.