Deliver Secure Kubernetes Multi-Tenancy with New vCluster in Rancher Integration

Loft Team
5 Minute Read

Navigating the complexities of Kubernetes can often feel like steering through uncharted waters, especially when it comes to ensuring security and managing multi-tenancy. As organizations continue to adopt Kubernetes at an accelerating pace, the need for more robust, scalable, and secure solutions has never been more apparent.

For a long time, Rancher has enabled organizations to manage their Kubernetes infrastructure by offering comprehensive cluster management capabilities, enhancing security, and streamlining the deployment process. Many Rancher customers are now also adopting virtual clusters, which provide a more secure way to create tenant isolation within a single Kubernetes cluster and significantly reduce their Kubernetes cost. 

However, as the popularity of virtual clusters has grown over the past couple of years, Rancher customers have requested to standardize the provisioning and management of their virtual clusters using the same workflows they use today for traditional clusters. To address this, vCluster has launched a new integration with Rancher that will allow Rancher customers to manage their virtual clusters alongside all their other Kubernetes clusters.

Our goal with this integration was to create a seamless experience that would enable self-service virtual cluster creation and management for teams already using Rancher to manage their Kubernetes fleet. Now, you can provision and manage virtual clusters in Rancher the same way you would any traditional Kubernetes cluster.

The vCluster Rancher integration enables organizations to:

  • Unify management of virtual clusters and regular clusters within Rancher alongside each other
  • Enable virtual cluster self-service for Rancher users within guardrails defined by Rancher admins
  • Continue using Rancher for user management while syncing permissions between Rancher and vCluster.Pro
  • Enforce best practices and policies for self-service virtual clusters while also providing flexibility for end users to choose specific virtual cluster configurations for their needs.

Rancher Integration In Action

The Rancher integration consists of a Rancher UI Extension and a connection from vCluster.Pro to Rancher for virtual cluster creation and lifecycle management. 

1. Creating virtual clusters in Rancher

After configuring the vCluster extension in Rancher, you’ll immediately notice a new Create Virtual Cluster button (1) as well as a vCluster.Pro button (2) which links to the vCluster.Pro UI. ‎

Let’s start by clicking on the Create Virtual Cluster button. This triggers a popup where we can define the virtual cluster name and select a Rancher project. Projects are mapped between vCluster.Pro and Rancher.

After clicking the Create button we’re redirected to the vCluster.Pro UI where we finalize the virtual cluster creation. This enables us to choose a template for the virtual cluster and select from options that have been parameterized for that template.

vCluster templates are a great way to enable self-service while enforcing guardrails. Once a template is used to create a virtual cluster, it can either be automatically updated when a new template version is released, or vCluster admins can get notified and choose when to upgrade. In the example below, we’re able to select the K3s version for the virtual cluster, but the options are endless.

Beyond creating virtual clusters in the UI, of course, virtual clusters can also be created using the vCluster CLI, CRDs, Helm, Terraform, or many other deployment options (see the vCluster.Pro docs for details) and the Rancher integration will still kick-in and make them available in Rancher. Exposing this functionality directly in the Rancher UI helps platform teams spread the word about this new capability for end-users.

After a single click in the Rancher UI, users see the vCluster.Pro UI and can click the Create button to spin up a virtual cluster. It’s good to go when the “ready” status is displayed.

Now let’s jump back into Rancher by clicking on the Rancher icon on the top right of the screen. 

We can now see the virtual cluster we created within the Rancher Dashboard. It’s labeled “vCluster.Pro” and you can also click on this label to jump straight into the detail view for a specific virtual cluster in the vCluster.Pro UI.

Managing virtual clusters within Rancher is essentially like managing any regular Kubernetes cluster. You can drill-down into a virtual cluster within Rancher to inspect, manage, install apps, etc. Note that the nodes displayed by vCluster are, by default, pseudo nodes due to default security settings. However, this can be changed as needed. 

2. Importing existing virtual clusters

If you already have virtual clusters running outside of Rancher, you can import them via the vCluster.Pro UI with a single click. 

3. Project member syncing

If you already have user management and SSO configured on the Rancher platform, you can configure vCluster.Pro to automatically sync project members from Rancher to vCluster.Pro so you don’t end up managing users separately. Additionally, we recommend configuring Rancher as the SSO provider for vCluster.Pro to allow users to seamlessly switch between both platforms using the same credentials and permissions as Rancher.

With the vCluster.Pro integration for Rancher configured to sync permissions, users with access to a Rancher project, will automatically be authenticated as well as authorized based on their assigned RBAC roles in Rancher. This is possible by mapping the Rancher Roles with the Loft Roles. 

Next Steps

The integration of vCluster with Rancher delivers an efficient multi-tenancy solution for Kubernetes to the Rancher user base. It offers a straightforward approach to creating and managing virtual clusters, facilitating unified management and self-service for teams. 

To get started with this integration, check out our guide.

Video

Sign up for our newsletter

Be the first to know about new features, announcements and industry insights.