
Deployment Options

vNode's isolation granularity is controlled by the VNODE_PER_POD environment variable on the DaemonSet. This setting applies node-wide. All workloads using the vNode runtime on a given node follow the selected mode. The default mode creates one vNode container per namespace per node. Setting VNODE_PER_POD to true gives every pod its own isolated vNode container.

The choice affects security posture, memory overhead, and blast-radius scope.

Per-namespace isolation (default)

In the default mode, vNode creates one vNode container per namespace per node. All pods in the same namespace on the same node share a PID namespace and the vNode's virtual filesystem view inside that container.

Use this mode when namespace boundaries map to tenant boundaries. A typical example is a tenant cluster where each namespace belongs to one tenant. Pods within the namespace can see each other's processes. They are isolated from pods in other namespaces at the vNode sandbox and PID namespace boundary.

Per-pod isolation

Per-pod mode creates one vNode container per pod, regardless of namespace. Each pod gets its own PID namespace and UID mapping range. It has no process visibility into other pods on the same node.

Use this mode when different users or tenants share a namespace. It also fits CI/CD platforms where builds from multiple users run in the same namespace. Each pod's blast radius is contained to that pod alone.

Figure: vNode deployment options. Left panel, "Per-namespace (default)": one physical node running vNode (tenant-a) with Pod 1 and Pod 2, and vNode (tenant-b) with Pod 3 and Pod 4; pods share a namespace-scoped vNode. Right panel, "Per-pod": one physical node running three vNodes, each hosting a single pod (Pod 1, Pod 2, Pod 3); each pod gets its own vNode.

Per-namespace mode shares a vNode across pods in the same namespace, while per-pod mode gives each pod its own vNode.

Comparison

Property                                 Per-namespace (default)         Per-pod
vNode containers per node                One per namespace               One per pod
PID namespace sharing                    Pods in same namespace share    Each pod isolated
Memory overhead per node                 Lower                           Higher
Blast radius on compromise               Namespace-scoped                Pod-scoped
Host namespace must map to one tenant    Required                        Not required

Choose per-namespace mode for vCluster-style tenancy where each tenant lands in its own host namespace. Choose per-pod mode for CI/CD, shared build namespaces, or any namespace containing workloads from multiple trust domains.

Memory overhead

Per-pod mode creates more vNode containers per node. Each vNode container has a small memory footprint. On dense nodes with many pods, the cumulative overhead is meaningful. Test with a representative workload before enabling in production.

How to configure

Set VNODE_PER_POD=true in the DaemonSet environment using daemonSet.env in your Helm values:

vnode-values.yaml
daemonSet:
  env:
    - name: VNODE_PER_POD
      value: "true"

Apply with helm upgrade --install:

helm upgrade --install vnode-runtime vnode-runtime -n vnode-runtime \
--repo https://charts.loft.sh \
-f vnode-values.yaml

Leaving VNODE_PER_POD unset or setting it to "false" retains per-namespace mode.
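The following is an added example, not code from the vNode project or its documentation. It makes the comparison table and the configuration step concrete: one function derives the effective isolation mode from a DaemonSet's container env (treating an unset variable or any value other than "true" as per-namespace, as the text describes), and two more take a list of pods scheduled on nodes and report, per mode, how many vNode containers each node would run (the memory-overhead point) and which pods would share a PID namespace (the blast-radius point). The DaemonSet shape is the standard apps/v1 layout; the container name, node names, namespaces and pod names are constructed sample data, not values from a real cluster.

```python
"""Added example: reason about vNode isolation mode and its per-node effect.

The DaemonSet dict follows the standard Kubernetes apps/v1 shape. All names
below (container, nodes, namespaces, pods) are constructed sample data.
"""
from collections import Counter

PER_NAMESPACE = "per-namespace"
PER_POD = "per-pod"


def effective_mode(daemonset: dict) -> str:
    """Return the isolation mode selected by VNODE_PER_POD on the DaemonSet.

    Only the documented value "true" enables per-pod mode. An unset variable
    or any other value (for example "false") keeps the per-namespace default.
    Treating other spellings such as "True" as unset is an assumption made
    here to stay strict; the docs only mention "true" and "false".
    """
    containers = daemonset["spec"]["template"]["spec"].get("containers", [])
    for container in containers:
        for env in container.get("env", []):
            if env.get("name") == "VNODE_PER_POD":
                return PER_POD if env.get("value") == "true" else PER_NAMESPACE
    return PER_NAMESPACE


def vnode_containers_per_node(pods: list, mode: str) -> dict:
    """Count the vNode containers each node would run under the given mode.

    pods: list of {"node": ..., "namespace": ..., "name": ...} dicts.
    Per-namespace mode needs one container per (node, namespace) pair;
    per-pod mode needs one container per pod.
    """
    per_node: Counter = Counter()
    if mode == PER_POD:
        for pod in pods:
            per_node[pod["node"]] += 1
    else:
        for node, _namespace in {(p["node"], p["namespace"]) for p in pods}:
            per_node[node] += 1
    return dict(per_node)


def shared_pid_groups(pods: list, mode: str) -> list:
    """Return groups of pods that share a PID namespace on the same node.

    In per-namespace mode every pod in the same namespace on the same node
    lands in one vNode container and can see the others' processes. In
    per-pod mode each pod is alone in its container, so no group has more
    than one member and the result is empty.
    """
    groups: dict = {}
    for pod in pods:
        if mode == PER_POD:
            key = (pod["node"], pod["namespace"], pod["name"])
        else:
            key = (pod["node"], pod["namespace"])
        groups.setdefault(key, []).append(pod["name"])
    return [sorted(members) for members in groups.values() if len(members) > 1]


# Constructed sample DaemonSet: per-pod mode enabled via daemonSet.env.
SAMPLE_DAEMONSET = {
    "spec": {"template": {"spec": {"containers": [
        {"name": "vnode-runtime",
         "env": [{"name": "VNODE_PER_POD", "value": "true"}]},
    ]}}}
}

# Constructed sample pods: two tenants plus a shared CI namespace.
SAMPLE_PODS = [
    {"node": "node-1", "namespace": "tenant-a", "name": "web-0"},
    {"node": "node-1", "namespace": "tenant-a", "name": "web-1"},
    {"node": "node-1", "namespace": "tenant-b", "name": "api-0"},
    {"node": "node-2", "namespace": "tenant-a", "name": "web-2"},
    {"node": "node-2", "namespace": "ci", "name": "build-7"},
    {"node": "node-2", "namespace": "ci", "name": "build-8"},
]


if __name__ == "__main__":
    print("configured mode:", effective_mode(SAMPLE_DAEMONSET))
    for mode in (PER_NAMESPACE, PER_POD):
        print(mode, "containers per node:", vnode_containers_per_node(SAMPLE_PODS, mode))
        print(mode, "pods sharing a PID namespace:", shared_pid_groups(SAMPLE_PODS, mode))
```

Running it shows the trade-off from the comparison table on the sample data: per-namespace mode needs two vNode containers on each node but lets web-0 and web-1 (and build-7 and build-8) see each other's processes, while per-pod mode needs three containers per node and leaves no pod with process visibility into another. Feeding the function the real DaemonSet, for example the output of kubectl get daemonset -o json parsed with json.loads, gives the mode actually in effect on the cluster.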