~ rps_

namespaces vs. vcluster: what i learned the hard way

· kubernetes vcluster infrastructure

Disclaimer: The views expressed here are my own, based on past experience as an ex-employee. This is not affiliated with or representative of any current employer.

In my previous roles, we ran multiple Loft vClusters in production under enterprise support. On paper, vCluster sounded like the perfect solution for multi-tenancy: a full virtual Kubernetes cluster running inside a namespace, giving each team their own control-plane-like environment. In practice, though, what we found was a lot more complicated.

Now, as an ex-employee looking back, I wanted to share the lessons I learned — both the good and the bad.

why namespaces deserve more credit

Namespaces aren’t glamorous, but they solve more than most people give them credit for:

  • Logical isolation of workloads inside the same cluster.
  • Fine-grained RBAC and network policies for access control.
  • Resource limits and quotas to prevent noisy neighbors.
  • Operational efficiency: one control plane, one monitoring stack, one set of tools.

With the right guardrails, you can run multi-tenant workloads in a single cluster using namespaces without adding another control plane.

what vcluster promises

Loft pitches vCluster as a way to give teams “their own cluster” without the overhead of actually running multiple clusters. Each vCluster runs a virtual API server inside a namespace, creating the illusion of full cluster ownership.

There are valid use cases for this:

  • Ephemeral test environments for CI/CD.
  • Highly untrusted tenants where namespace isolation isn’t enough.
  • Developers who want admin-like autonomy without touching the host cluster.

But once we deployed vClusters at scale, the tradeoffs started piling up.

the real pain points we faced

Here’s where things got messy for us:

  • Debugging Hell: We had to troubleshoot both the host cluster and the vCluster. A simple question like “Did the pod get killed?” or “Was this a scheduling error?” turned into a long back-and-forth because the signals were split between two layers.
  • Observability Gaps: Our monitoring stack (Prometheus, Grafana, OpenTelemetry) didn’t see into vClusters by default. We had to add custom plumbing, and metrics often ended up fragmented across host and guest.
  • Monitoring Blind Spots: Logs and events lived inside the vCluster unless we explicitly exported them. Host-level monitoring couldn’t tell us what was happening inside.
  • Upgrade Nightmares: Upgrades were by far the most painful part. We had to upgrade the host cluster first, and only then attempt the vCluster upgrade. Even with enterprise support, there was no simple playbook — just a pile of “if and but” conditions. Every upgrade dragged into multiple PoCs, consuming so much time and effort that it effectively became a quarterly cycle just to get through a single upgrade.
  • Support That Didn’t Help: Even with enterprise contracts, Loft’s team couldn’t provide straightforward guidance. Whether it was debugging a simple pod issue or planning an upgrade path, support often left us with more questions than answers.

when vcluster might still make sense

To be fair, vCluster isn’t useless. For temporary test environments or training scenarios, the abstraction can be handy. And if you absolutely need a strong isolation model beyond what namespaces and policies provide, vCluster is an option.

But for most production-grade multi-tenancy, the cost doesn’t justify the complexity.

final thoughts

Looking back, our team spent too much time fighting the tool instead of building on Kubernetes. Namespaces, while not flashy, already solve most multi-tenancy problems. They’re observable, debuggable, and supported by the entire Kubernetes ecosystem.

With vCluster, we traded simplicity for layers of indirection — and even with enterprise support, the guidance wasn’t enough to offset the complexity. Upgrades, in particular, became a nightmare: touching both the host and the vCluster, often stretching into an entire quarter cycle just to complete one upgrade.

If you’re considering vCluster, ask yourself: do you really need another control plane inside your cluster? Or can you get what you need with the primitives Kubernetes has had all along?