Shared Nodes Quick Start
You're running a Kubernetes cluster and want to give teams, tenants, or CI pipelines their own isolated Kubernetes environments. You don't want to spin up new infrastructure for each one.
This guide shows you how to deploy a tenant cluster onto your existing cluster in under two minutes. You'll also see the isolation boundary in action. From inside the tenant cluster, everything looks like a normal Kubernetes cluster. From the outside, each tenant fits in a single namespace with no visibility into anyone else's workloads.
By the end you'll have a working tenant cluster and a clear picture of how the isolation model works. There's also an optional step to connect it to vCluster Platform for self-service access and auto-sleep.
Prerequisites​
- A Kubernetes cluster with
kubectlconfigured to access it - At least 2 vCPU and 2 GB RAM available on the cluster
Install the vCluster CLI​
- Homebrew
- Mac (Intel/AMD)
- Mac (Silicon/ARM)
- Linux (AMD)
- Linux (ARM)
- Download Binary
- Windows Powershell
brew install loft-sh/tap/vcluster
The binaries in the tap are signed using the Sigstore framework for enhanced security.
curl -L -o vcluster "https://github.com/loft-sh/vcluster/releases/latest/download/vcluster-darwin-amd64" && sudo install -c -m 0755 vcluster /usr/local/bin && rm -f vcluster
curl -L -o vcluster "https://github.com/loft-sh/vcluster/releases/latest/download/vcluster-darwin-arm64" && sudo install -c -m 0755 vcluster /usr/local/bin && rm -f vcluster
curl -L -o vcluster "https://github.com/loft-sh/vcluster/releases/latest/download/vcluster-linux-amd64" && sudo install -c -m 0755 vcluster /usr/local/bin && rm -f vcluster
curl -L -o vcluster "https://github.com/loft-sh/vcluster/releases/latest/download/vcluster-linux-arm64" && sudo install -c -m 0755 vcluster /usr/local/bin && rm -f vcluster
Download the binary for your platform from the GitHub Releases page and add this binary to your $PATH.
md -Force "$Env:APPDATA\vcluster"; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Tls,Tls11,Tls12';
Invoke-WebRequest -URI "https://github.com/loft-sh/vcluster/releases/latest/download/vcluster-windows-amd64.exe" -o $Env:APPDATA\vcluster\vcluster.exe;
$env:Path += ";" + $Env:APPDATA + "\vcluster";
[Environment]::SetEnvironmentVariable("Path", $env:Path, [System.EnvironmentVariableTarget]::User);
You may need to reboot your computer to use the CLI due to changes to the PATH variable (see below).
Line 4 of this install script adds the install directory %APPDATA%\vcluster to the $PATHenvironment variable. This is only effective for the current Powershell session, i.e. when opening a new terminal window,vcluster may not be found.
Make sure to add the folder %APPDATA%\vcluster to the PATH environment variable after installing vcluster CLI via Powershell. Afterward, a reboot might be necessary.
Verify the CLI installed successfully.
vcluster --version
Output is similar to:
vCluster version 0.x.x
Deploy a tenant cluster​
Deploy a tenant cluster named
my-vclusterinto a new namespaceteam-x.vcluster create my-vcluster --namespace team-xWhen the deployment finishes, the CLI automatically connects and switches your kube context into the tenant cluster.
Confirm you are inside the tenant cluster.
kubectl get namespacesYou see standard Kubernetes system namespaces. This is the tenant cluster's own namespace view, separate from the Control Plane Cluster.
See the isolation​
Deploy a test workload inside the tenant cluster.
kubectl create deployment nginx --image=nginx
kubectl get podsThe pod is running inside the tenant cluster.
Disconnect from the tenant cluster and inspect the same namespace from the Control Plane Cluster.
vcluster disconnect
kubectl get pods -n team-xOutput is similar to:
NAME READY STATUS RESTARTS AGE
coredns-79cf5f4c56-nkgdr-x-kube-system-x-my-vcluster 1/1 Running 0 4m
my-vcluster-0 1/1 Running 0 5m
nginx-56c45fd5ff-kp74s-x-default-x-my-vcluster 1/1 Running 0 2mThe nginx pod is here, but with a rewritten name. vCluster syncs tenant workloads into this namespace so the underlying cluster can schedule them. The suffix (
-x-default-x-my-vcluster) encodes the source namespace and cluster. From inside the tenant cluster, the pod appeared as plainnginxin namespacedefault.This is the isolation boundary. The tenant gets a clean Kubernetes API with no visibility into the Control Plane Cluster's structure. Other tenant clusters have their own dedicated namespaces, so neither tenant can see the other's workloads.
Add management with vCluster Platform​
The cluster you just deployed works standalone. Connect it to vCluster Platform to add a self-service layer for your team: auto-sleep, access controls, and lifecycle management across your entire fleet.
Auto-sleep pauses tenant clusters when idle and wakes them on access. For internal developer platforms, this eliminates idle resource consumption without requiring any action from tenants. Clusters wake in seconds when someone connects.
vcluster platform add vcluster my-vcluster --namespace team-x
Once connected to Platform:
- Tenant clusters appear in the Platform UI. Your team accesses them without needing
kubectlaccess to the Control Plane Cluster. - Auto-sleep activates based on inactivity, cutting resource usage during off-hours
- Access controls, templates, and project quotas apply across the full fleet
Install vCluster Platform → Configure auto-sleep →
Delete the tenant cluster​
Deleting a tenant cluster removes all resources within it. This cannot be undone.
vcluster delete my-vcluster --namespace team-x
If the namespace was created by the vCluster CLI, it is also deleted.
Next steps​
- Private nodes — dedicated infrastructure for GPU tenants and regulated workloads
- Architecture — control plane internals, syncer behavior, and networking
- Deploy with Helm — production deployment options including Helm, Terraform, and ArgoCD
- vcluster.yaml reference — full configuration reference