Skip to main content
Version: main 🚧

Network Policies

By default, this is disabled.

Sync NetworkPolicy resources from the virtual cluster to the host cluster. This ensures correct policies are created in the host cluster to achieve the desired traffic behavior between pods.

Sync NetworkPolicies from the virtual to host cluster​

sync:
  toHost:
    networkPolicies:
      enabled: true
info

NetworkPolicy resources inside virtual clusters rely on the host cluster's support for this feature. Make sure that your host cluster satisfies the Network Policy prerequisites.

Patches​


Pro Feature

This feature is available in the vCluster Pro tier. Contact us for more details and to start a trial.

You can modify the sync behaviour with patches that target specific paths. Currently there is 2 different kinds of patches supported.

Wildcard patches

You can use * in paths to select all entries of an array or object, e.g. spec.containers[*].name or spec.containers[*].volumeMounts[*]. vCluster calls the patch multiple times when using the wildcard reference.

JavaScript Expression Patches​

These are powerful JavaScript ES6 compatible expression patches that can be used to change a field while syncing. You define how it changes when syncing from the virtual cluster into the host cluster or when syncing from the host cluster into the virtual cluster. To change the path metadata.annotations[*] you can do:

sync:
  toHost:
    networkPolicies:
      enabled: true
      patches:
      - path: metadata.annotations[*]
        expression: '"my-prefix-"+value'
        # optional reverseExpression to reverse the change from the host cluster
        # reverseExpression: 'value.slice("my-prefix".length)'

There is also a variable called context besides value that can be used to access specific data of the virtual cluster:

  • context.vcluster.name: Name of the virtual cluster
  • context.vcluster.namespace: Namespace of the virtual cluster
  • context.vcluster.config: Config of the virtual cluster, basically vcluster.yaml merged with the defaults
  • context.hostObject: Host object (can be null if not available)
  • context.virtualObject: Virtual object (can be null if not available)
  • context.path: The matched path on the object, useful when using wildcard path selectors (*)

Reference patches​

A reference patch can be used to have a specific field of one resource point to a different resource that should get rewritten. vCluster automatically imports the referenced resource to the virtual cluster if it can find it in the host cluster. For example:

sync:
  toHost:
    networkPolicies:
      enabled: true
      patches:
      - path: metadata.annotations["my-secret-ref"]
        reference:
          apiVersion: v1
          kind: Secret

With this yaml, vCluster translates the path metadata.annotations["my-secret-ref"] as it points to a secret. If the secret is created in the host cluster, vCluster automatically imports it into the virtual cluster.

Multi-Namespace-Mode

With multi-namespace-mode you only need to rewrite references that include a namespace. You can use the namespacePath option to specify the path of the namespace of the reference.

Config reference​

networkPolicies required object pro​

NetworkPolicies defines if network policies created within the virtual cluster should get synced to the host cluster.

enabled required boolean false pro​

Enabled defines if this option should be enabled.

patches required object[] pro​

Patches patch the resource according to the provided specification.

path required string pro​

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

expression required string pro​

Expression transforms the value according to the given JavaScript expression.

reverseExpression required string pro​

ReverseExpression transforms the value according to the given JavaScript expression.

reference required object pro​

Reference treats the path value as a reference to another object and will rewrite it based on the chosen mode automatically. In single-namespace mode this will translate the name to "vxxxxxxxxx" to avoid conflicts with other names, in multi-namespace mode this will not translate the name.

apiVersion required string pro​

APIVersion is the apiVersion of the referenced object.

apiVersionPath required string pro​

APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.

kind required string pro​

Kind is the kind of the referenced object.

kindPath required string pro​

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.

namePath required string pro​

NamePath is the optional relative path to the reference name within the object.

namespacePath required string pro​

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.

labels required object pro​

Labels treats the path value as a labels selector.