Skip to main content

Policies

info

Network policies in the virtual cluster rely on the support for this feature in the host cluster. Make sure that your host cluster satisfies the network policy prerequisites.

Policies cover several different topics:

  • Limit ranges control the storage / CPU / memory that each pod may request.
  • Resource quotas.
  • Pod security standards
  • Network policies like network isolation.
  • Admission webhooks
    • Central Admission Control
    • The admission controller is typically running on the host cluster, where the policies enforced by the webhook cannot be changed by the virtual cluster.
    • Users could deploy their own admission webhooks to the virtual cluster, but there's little value in doing so, and this configuration is not concerned with that use case.
    • Some examples of admission controller projects:
    • It's common for organizations to develop an in-house collection of policies that can enforce naming standards etc.

You can use these settings separately for specific cases, or together, as in the case of Isolated Mode.

Config reference​

policies required object pro​

Policies to enforce for the virtual cluster deployment as well as within the virtual cluster.

networkPolicy required object pro​

NetworkPolicy specifies network policy options.

enabled required boolean false pro​

Enabled defines if the network policy should be deployed by vCluster.

fallbackDns required string 8.8.8.8 pro​

outgoingConnections required object pro​

ipBlock required object pro​

IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.

cidr required string 0.0.0.0/0 pro​

cidr is a string representing the IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64"

except required string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16] pro​

except is a slice of CIDRs that should not be included within an IPBlock Valid examples are "192.168.1.0/24" or "2001:db8::/64" Except values will be rejected if they are outside the cidr range

platform required boolean true pro​

Platform enables egress access towards loft platform

annotations required object {} pro​

Annotations are extra annotations for this resource.

labels required object {} pro​

Labels are extra labels for this resource.

podSecurityStandard required string pro​

PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged

resourceQuota required object pro​

ResourceQuota specifies resource quota options.

enabled required string|boolean auto pro​

Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled, the resourceQuota will be enabled as well.

quota required object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0] pro​

Quota are the quota options

scopeSelector required object map[matchExpressions:[]] pro​

ScopeSelector is the resource quota scope selector

scopes required string[] [] pro​

Scopes are the resource quota scopes

annotations required object {} pro​

Annotations are extra annotations for this resource.

labels required object {} pro​

Labels are extra labels for this resource.

limitRange required object pro​

LimitRange specifies limit range options.

enabled required string|boolean auto pro​

Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled, the limitRange will be enabled as well.

default required object map[cpu:1 ephemeral-storage:8Gi memory:512Mi] pro​

Default are the default limits for the limit range

defaultRequest required object map[cpu:100m ephemeral-storage:3Gi memory:128Mi] pro​

DefaultRequest are the default request options for the limit range

max required object {} pro​

Max are the max limits for the limit range

min required object {} pro​

Min are the min limits for the limit range

annotations required object {} pro​

Annotations are extra annotations for this resource.

labels required object {} pro​

Labels are extra labels for this resource.

centralAdmission required object pro​

CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.

validatingWebhooks required object[] pro​

ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster

kind required string pro​

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to.

apiVersion required string pro​

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.

metadata required object pro​

Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

name required string pro​

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition.

labels required object pro​

Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.

annotations required object pro​

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.

webhooks required object[] pro​

Webhooks is a list of webhooks and the affected resources and operations.

name required string pro​

The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.

clientConfig required object pro​

ClientConfig defines how to communicate with the hook.

url required string pro​

URL gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.

service required object pro​

Service is a reference to the service for this webhook. Either service or url must be specified.

If the webhook is running within the cluster, then you should use service.

namespace required string pro​

Namespace is the namespace of the service.

name required string pro​

Name is the name of the service.

path required string pro​

Path is an optional URL path which will be sent in any request to this service.

port required integer pro​

If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. port should be a valid port number (1-65535, inclusive).

caBundle required string pro​

CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.

rules required object[] pro​

Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.

failurePolicy required string pro​

FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.

matchPolicy required string pro​

matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

namespaceSelector required object pro​

NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.

objectSelector required object pro​

ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector.

sideEffects required string pro​

SideEffects states whether this webhook has side effects.

timeoutSeconds required integer pro​

TimeoutSeconds specifies the timeout for this webhook.

admissionReviewVersions required string[] pro​

AdmissionReviewVersions is an ordered list of preferred AdmissionReview versions the Webhook expects.

matchConditions required object[] pro​

MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.

mutatingWebhooks required object[] pro​

MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster

kind required string pro​

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to.

apiVersion required string pro​

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.

metadata required object pro​

Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.

name required string pro​

Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition.

labels required object pro​

Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.

annotations required object pro​

Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.

webhooks required object[] pro​

Webhooks is a list of webhooks and the affected resources and operations.

reinvocationPolicy required string pro​

reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".

name required string pro​

The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.

clientConfig required object pro​

ClientConfig defines how to communicate with the hook.

url required string pro​

URL gives the location of the webhook, in standard URL form (scheme://host:port/path). Exactly one of url or service must be specified.

service required object pro​

Service is a reference to the service for this webhook. Either service or url must be specified.

If the webhook is running within the cluster, then you should use service.

namespace required string pro​

Namespace is the namespace of the service.

name required string pro​

Name is the name of the service.

path required string pro​

Path is an optional URL path which will be sent in any request to this service.

port required integer pro​

If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. port should be a valid port number (1-65535, inclusive).

caBundle required string pro​

CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.

rules required object[] pro​

Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.

failurePolicy required string pro​

FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.

matchPolicy required string pro​

matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".

namespaceSelector required object pro​

NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.

objectSelector required object pro​

ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector.

sideEffects required string pro​

SideEffects states whether this webhook has side effects.

timeoutSeconds required integer pro​

TimeoutSeconds specifies the timeout for this webhook.

admissionReviewVersions required string[] pro​

AdmissionReviewVersions is an ordered list of preferred AdmissionReview versions the Webhook expects.

matchConditions required object[] pro​

MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.