Table of Contents
When we first launched vCluster in 2021, our mission was clear: make Kubernetes multi-tenancy easier, safer, and more cost-efficient. Since then, we've helped organizations around the globe manage Kubernetes with greater flexibility and security. But as Kubernetes usage expanded, we noticed another critical gap—one that no existing solution fully addressed: the trade-off between strict workload isolation and resource efficiency at the node level.
Today, I'm thrilled to introduce vNode, our newest addition to the LoftLabs suite of Kubernetes-native virtualization tools. vNode takes Kubernetes multi-tenancy to the next level by enabling stronger isolation of tenant workloads directly at the node layer, without the complexity or overhead of traditional solutions.
Why We Built vNode
We've spoken with countless teams struggling with the frustrating dilemma in Kubernetes multi-tenancy: either tenants share nodes—risking security and noisy neighbors—or they are placed onto separate, expensive nodes. Solutions like Kata Containers, gVisor, or Sysbox each have their place, but they're either too heavyweight, too slow, or too limiting in many cases.
We built vNode to break this trade-off. Instead of costly separate nodes or cumbersome micro-VMs, vNode uses lightweight isolation through user namespaces, efficiently partitioning a single physical node into multiple securely isolated virtual nodes.
Who vNode Is For
If you're part of a platform engineering team aiming for secure, efficient multi-tenancy, vNode is designed for you. It's especially beneficial in scenarios where strong isolation at the node level is critical, such as:
- Highly regulated environments, where compliance and security standards demand strict separation of workloads.
- Teams running resource-intensive workloads, like AI and machine learning, that require dedicated resources without interference.
- Organizations struggling with noisy neighbor issues, impacting performance and reliability across shared infrastructure.
- Environments with privileged workloads, where traditional Kubernetes setups create security vulnerabilities or operational risks.
How vNode Works
Under the hood, vNode introduces a lightweight runtime on each physical node, splitting it into isolated virtual nodes, each mapped to non-privileged users via Linux user namespaces. This allows tenants to securely run privileged workloads—such as Docker-in-Docker or even Kubernetes control planes—without risking interference or cross-tenant security issues.
Compared to other workload isolation solutions vNode has the following advantages:
- Strong Isolation: vNode isolates workloads at the node level inside shared physical nodes.
- Lower Overhead & Performance Hit: No full VMs, no syscall translation, no unnecessary complexity. vNode provides strict isolation without killing performance or added maintenance.
- Full Tenant Autonomy: Tenants can run privileged workloads (like Docker-in-Docker, Kubernetes control planes, or system-level tools) without impacting others.
- Kubernetes-Native & Cloud-Agnostic: Kubernetes-native, works with all major clouds, and runs on any containerd-based cluster (Linux 1.6+). No re-architecting needed.
vNode and vCluster: A Powerful Duo
By combining vNode with vCluster, teams can now achieve comprehensive Kubernetes multi-tenancy. While vCluster provides isolation at the Kubernetes control plane, vNode complements this by ensuring tenant workloads are securely isolated at the node level—optimizing resource utilization and security simultaneously.
With vNode, we’re delivering the missing piece in Kubernetes multi-tenancy, bridging the gap between security, efficiency, and performance. It’s our next step in helping organizations run cloud-native infrastructure at scale, without compromise.
Be the first to try vNode
We're excited to see how you'll use vNode to reshape your Kubernetes environments. Interested in exploring vNode further? We’re opening up early access—sign up for the private beta at vNode.com.
Happy virtualizing,
Lukas Gentele
Co-founder and CEO, LoftLabs
