Version: main 🚧

Manually configure a tenant cluster

Each tenant cluster belongs to a project. Projects control whether users can create tenant clusters with or without templates.

Who can create tenant clusters without a template

By default, projects require templates for tenant cluster creation. This means:

  • Project users can only create tenant clusters from allowed templates configured by the project admin.
  • Project admins and platform admins can always create tenant clusters without a template, regardless of project settings.

If project admins disable the requireTemplate setting, project users can also create tenant clusters without templates. Keep this setting enabled in production environments to maintain security controls.
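An audit of this setting across projects, as an added example that is not part of the platform's own code or documentation. It assumes project objects exported with `kubectl get projects.management.loft.sh -o json`; the resource name, the field paths `spec.requireTemplate.disabled` and `spec.members[].clusterRole`, and the role name `loft-management-project-admin` are assumptions to verify against your platform's Project schema, and the sample data is constructed.

```python
import json

# Constructed sample shaped like `kubectl get projects.management.loft.sh -o json`.
# ASSUMPTIONS: the resource name, the field paths spec.requireTemplate.disabled and
# spec.members[].clusterRole, and the admin role name are not taken from this page.
SAMPLE_PROJECTS = json.loads("""
{"items": [
  {"metadata": {"name": "prod"},
   "spec": {"members": [
     {"kind": "User", "name": "alice", "clusterRole": "loft-management-project-admin"},
     {"kind": "Team", "name": "payments", "clusterRole": "loft-management-project-user"}]}},
  {"metadata": {"name": "dev-sandbox"},
   "spec": {"requireTemplate": {"disabled": true},
            "members": [
     {"kind": "Team", "name": "interns", "clusterRole": "loft-management-project-user"}]}}
]}
""")

ADMIN_ROLE = "loft-management-project-admin"  # assumed role name


def audit_projects(project_list, admin_role=ADMIN_ROLE):
    """Report, per project, which members can create tenant clusters without a template."""
    report = []
    for proj in project_list.get("items", []):
        spec = proj.get("spec") or {}
        members = spec.get("members") or []
        # A missing requireTemplate block means the default: templates required.
        disabled = bool((spec.get("requireTemplate") or {}).get("disabled", False))
        admins = sorted(f'{m.get("kind")}/{m.get("name")}' for m in members
                        if m.get("clusterRole") == admin_role)
        everyone = sorted(f'{m.get("kind")}/{m.get("name")}' for m in members)
        report.append({
            "project": proj.get("metadata", {}).get("name", "<unnamed>"),
            "templates_required": not disabled,
            # Templates required: only project admins can skip them. Otherwise every
            # member can. Platform admins always can and are not listed per project.
            "can_skip_template": everyone if disabled else admins,
        })
    return report


def projects_violating_policy(report):
    """Projects where ordinary project users may create clusters without a template."""
    return [r["project"] for r in report if not r["templates_required"]]


if __name__ == "__main__":
    for row in audit_projects(SAMPLE_PROJECTS):
        print(row)
```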

Create without template

Security consideration

Creating tenant clusters without a template bypasses the security controls that templates provide. Users with this capability can configure any vCluster settings, including sync configurations that could grant elevated access to control plane cluster resources.

For production environments:

  • Keep templates required for all projects (the default requireTemplate setting)
  • Grant project admin roles only to users who need to create tenant clusters without templates
  • Control who can create projects, since project creators become project admins. See project membership for details on project roles.
  • Use hardened templates to control which resources can be synced to and from the control plane cluster

  1. From the project drop-down menu (top left corner), select the project you'd like to create the virtual cluster in.

  2. Click on Virtual Clusters.

  3. Click the button.

  4. Follow the steps in the UI to create the virtual cluster.

  5. Retrieve a kube-context for a virtual cluster using the CLI:

    vcluster connect [vcluster-name] --project [project-name] --driver platform

tip

The platform uses Helm to manage virtual clusters. If your cluster is running in an air-gapped environment, you may host Helm charts in an OCI-compatible private registry. To use a private registry for virtual clusters, there are several configuration options: