RBAC Configuration

RBAC (Role-Based Access Control) configuration controls permissions, policies, and security settings for both the vCluster control plane and workloads running within the virtual cluster.

RBAC Rules

rbac.role

object

Virtual cluster Role configuration for the host cluster namespace.

Show properties

enabled

boolean

default:"true"

Enable or disable the Role.

overwriteRules

array

Completely overwrite the default Role rules.

overwriteRules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

extraRules

array

Add additional rules to the Role.

extraRules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "delete"]

rbac.clusterRole

object

Virtual cluster ClusterRole configuration.

Show properties

enabled

string

default:"auto"

Enable or disable the ClusterRole. auto automatically determines if required.

overwriteRules

array

Completely overwrite the default ClusterRole rules.

extraRules

array

Add additional rules to the ClusterRole.

extraRules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]

rbac.enableVolumeSnapshotRules

object

Enable RBAC rules for volume snapshots.

Show properties

enabled

string

default:"auto"

Enable volume snapshot RBAC rules. auto enables when volume snapshot syncing is configured.

Service Accounts

controlPlane.advanced.serviceAccount

object

vCluster control plane service account.

Show properties

enabled

boolean

default:"true"

Deploy the service account.

name

string

Custom name for the service account.

imagePullSecrets

array

Image pull secrets for the service account.

imagePullSecrets:
  - name: my-registry-secret

annotations

object

Service account annotations.

annotations:
  eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/vcluster-role

labels

object

Service account labels.

controlPlane.advanced.workloadServiceAccount

object

Service account for workloads running in the virtual cluster.

Show properties

enabled

boolean

default:"true"

Deploy the workload service account.

name

string

Custom name for the workload service account.

imagePullSecrets

array

Image pull secrets for workloads.

annotations

object

Workload service account annotations.

Resource Quotas

policies.resourceQuota

object

Resource quota for the virtual cluster.

Show properties

enabled

string

default:"auto"

Enable resource quota. auto enables if limitRange is enabled.

quota

object

Resource quota values.

quota:
  requests.cpu: 10
  requests.memory: 20Gi
  requests.storage: 100Gi
  requests.ephemeral-storage: 60Gi
  limits.cpu: 20
  limits.memory: 40Gi
  limits.ephemeral-storage: 160Gi
  services.nodeports: 0
  services.loadbalancers: 1
  count/endpoints: 40
  count/pods: 20
  count/services: 20
  count/secrets: 100
  count/configmaps: 100
  count/persistentvolumeclaims: 20

scopeSelector

object

Scope selector for resource quota.

scopes

array

Resource quota scopes.

annotations

object

Resource quota annotations.

labels

object

Resource quota labels.

Limit Range

policies.limitRange

object

LimitRange for the virtual cluster.

Show properties

enabled

string

default:"auto"

Enable limit range. auto enables if resourceQuota is enabled.

default

object

Default resource limits.

default:
  cpu: "1"
  memory: 512Mi
  ephemeral-storage: 8Gi

defaultRequest

object

Default resource requests.

defaultRequest:
  cpu: 100m
  memory: 128Mi
  ephemeral-storage: 3Gi

min

object

Minimum resource limits.

max

object

Maximum resource limits.

annotations

object

LimitRange annotations.

labels

object

LimitRange labels.

Network Policies

policies.networkPolicy

object

NetworkPolicy configuration for isolating virtual cluster traffic.

Show properties

enabled

boolean

default:"false"

Enable NetworkPolicy deployment.

fallbackDns

string

default:"8.8.8.8"

Fallback DNS server if virtual cluster doesn’t have one.

controlPlane

object

Network policies for the control plane.

Show properties

ingress

array

Ingress rules for control plane.

ingress:
  - from:
      - podSelector:
          matchLabels:
            app: allowed-client
    ports:
      - protocol: TCP
        port: 8443

egress

array

Egress rules for control plane.

workload

object

Network policies for workloads.

Show properties

publicEgress

object

Public outgoing connections for workloads.

Show properties

enabled

boolean

default:"true"

Enable workload public egress.

cidr

string

default:"0.0.0.0/0"

Allowed destination CIDR.

except

array

Excluded CIDRs.Default:

except:
  - 100.64.0.0/10
  - 127.0.0.0/8
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16

ingress

array

Ingress rules for workloads.

egress

array

Egress rules for workloads.

annotations

object

NetworkPolicy annotations.

labels

object

NetworkPolicy labels.

Central Admission

policies.centralAdmission

object

Define validating or mutating webhooks to enforce within the virtual cluster (PRO feature).

Show properties

validatingWebhooks

array

Validating webhooks to enforce.

mutatingWebhooks

array

Mutating webhooks to enforce.

Security Context

controlPlane.statefulSet.security

object

Security context for the control plane.

Show properties

podSecurityContext

object

Pod-level security context.

podSecurityContext:
  runAsNonRoot: true
  fsGroup: 1000

containerSecurityContext

object

Container-level security context.Default:

containerSecurityContext:
  allowPrivilegeEscalation: false
  runAsUser: 0
  runAsGroup: 0

Example: Custom RBAC Rules

rbac:
  role:
    enabled: true
    extraRules:
      - apiGroups: [""]
        resources: ["configmaps"]
        verbs: ["get", "list", "watch", "create", "update"]
  
  clusterRole:
    enabled: true
    extraRules:
      - apiGroups: [""]
        resources: ["nodes", "persistentvolumes"]
        verbs: ["get", "list", "watch"]

Example: Resource Quotas and Limits

policies:
  resourceQuota:
    enabled: true
    quota:
      requests.cpu: 20
      requests.memory: 40Gi
      limits.cpu: 40
      limits.memory: 80Gi
      count/pods: 50
      count/services: 30
  
  limitRange:
    enabled: true
    default:
      cpu: "2"
      memory: 1Gi
    defaultRequest:
      cpu: 200m
      memory: 256Mi
    max:
      cpu: "4"
      memory: 8Gi
    min:
      cpu: 50m
      memory: 64Mi

Example: Network Isolation

policies:
  networkPolicy:
    enabled: true
    fallbackDns: 1.1.1.1
    
    controlPlane:
      # Only allow access from specific pods
      ingress:
        - from:
            - podSelector:
                matchLabels:
                  access: vcluster
          ports:
            - protocol: TCP
              port: 8443
    
    workload:
      # Restrict public egress
      publicEgress:
        enabled: true
        cidr: 0.0.0.0/0
        except:
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
      
      # Custom ingress rules
      ingress:
        - from:
            - namespaceSelector:
                matchLabels:
                  name: allowed-namespace

Example: Service Account with AWS IAM

controlPlane:
  advanced:
    serviceAccount:
      enabled: true
      name: vcluster-sa
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/vcluster-role
    
    workloadServiceAccount:
      enabled: true
      name: vcluster-workload-sa
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/workload-role
      imagePullSecrets:
        - name: ecr-registry-secret

Example: Pod Security Standards

controlPlane:
  statefulSet:
    security:
      podSecurityContext:
        runAsNonRoot: true
        runAsUser: 10000
        runAsGroup: 10000
        fsGroup: 10000
        seccompProfile:
          type: RuntimeDefault
      
      containerSecurityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        capabilities:
          drop:
            - ALL

Use Cases

Multi-Tenant Resource Isolation

Enforce resource limits per virtual cluster:

policies:
  resourceQuota:
    enabled: true
    quota:
      requests.cpu: 10
      requests.memory: 20Gi
      count/pods: 30
  limitRange:
    enabled: true

Strict Network Isolation

Isolate virtual cluster traffic:

policies:
  networkPolicy:
    enabled: true
    workload:
      publicEgress:
        enabled: false

Cluster-Wide Resource Access

Grant ClusterRole permissions:

rbac:
  clusterRole:
    enabled: true
    extraRules:
      - apiGroups: [""]
        resources: ["nodes", "namespaces"]
        verbs: ["get", "list", "watch"]

See Control Plane for security context configuration
See Networking Options for network policies
See Values Reference for all options

Reference

Documentation Index

​RBAC Rules

​Service Accounts

​Resource Quotas

​Limit Range

​Network Policies

​Central Admission

​Security Context

​Example: Custom RBAC Rules

​Example: Resource Quotas and Limits

​Example: Network Isolation

​Example: Service Account with AWS IAM

​Example: Pod Security Standards

​Use Cases

​Multi-Tenant Resource Isolation

​Strict Network Isolation

​Cluster-Wide Resource Access

​Related Configuration

Build docs developers (and LLMs) love

RBAC Rules

Service Accounts

Resource Quotas

Limit Range

Network Policies

Central Admission

Security Context

Example: Custom RBAC Rules

Example: Resource Quotas and Limits

Example: Network Isolation

Example: Service Account with AWS IAM

Example: Pod Security Standards

Use Cases

Multi-Tenant Resource Isolation

Strict Network Isolation

Cluster-Wide Resource Access

Related Configuration