Policies
Network policies in the virtual cluster rely on the support for this feature in the host cluster. Make sure that your host cluster satisfies the network policy prerequisites.
Policies cover several different topics:
- Limit ranges control the storage / CPU / memory that each pod may request.
- Resource quotas.
- Pod security standards.
- Network policies, such as network isolation.
- Admission webhooks
  - Central Admission Control
  - The admission controller typically runs on the host cluster, where the policies enforced by the webhook cannot be changed from within the virtual cluster.
  - Users could deploy their own admission webhooks to the virtual cluster, but there's little value in doing so, and this configuration is not concerned with that use case.
  - Some examples of admission controller projects:
  - It's common for organizations to develop an in-house collection of policies that can enforce naming standards etc.
You can use these settings separately for specific cases, or together, as in the case of Isolated Mode.
Config reference
- policies (object, required): Policies to enforce for the virtual cluster deployment as well as within the virtual cluster.
  - networkPolicy (object, required): NetworkPolicy specifies network policy options.
    - enabled (boolean, required): Enabled defines if the network policy should be deployed by vCluster.
    - fallbackDns (string, required)
    - outgoingConnections (object, required)
      - ipBlock (object, required): IPBlock describes a particular CIDR (e.g. "192.168.1.0/24", "2001:db8::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.
        - cidr (string, required): cidr is a string representing the IPBlock. Valid examples are "192.168.1.0/24" or "2001:db8::/64".
        - except (string[], required): except is a slice of CIDRs that should not be included within an IPBlock. Valid examples are "192.168.1.0/24" or "2001:db8::/64". Except values will be rejected if they are outside the cidr range.
    - annotations (object, required): Annotations are extra annotations for this resource.
    - labels (object, required): Labels are extra labels for this resource.
  - podSecurityStandard (string, required): PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged.
  - resourceQuota (object, required): ResourceQuota specifies resource quota options.
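The two constraints the reference states (except entries must fall inside cidr, and podSecurityStandard is limited to four values) are easy to get wrong in a hand-written vcluster.yaml. The following pre-flight validator is an added example, not vCluster's own code; the sample policies block, the fallbackDns address and the function names are constructed for illustration and use only the fields documented above.

```python
"""Validate a vCluster `policies` block before applying it.

Added example (not part of the vCluster project). Checks the rules the
config reference states: every `except` entry must lie inside `cidr`, and
`podSecurityStandard` must be "", "baseline", "restricted" or "privileged".
Input is the parsed dict of the policies block; no YAML library is needed.
"""
import ipaddress

VALID_PSS = {"", "baseline", "restricted", "privileged"}

# Constructed sample: allow all egress except private ranges (values are illustrative).
SAMPLE_POLICIES = {
    "networkPolicy": {
        "enabled": True,
        "fallbackDns": "10.96.0.10",  # constructed placeholder address
        "outgoingConnections": {
            "ipBlock": {
                "cidr": "0.0.0.0/0",
                "except": ["10.0.0.0/8", "192.168.0.0/16", "100.64.0.0/10"],
            }
        },
    },
    "podSecurityStandard": "baseline",
}


def check_ip_block(ip_block: dict) -> list[str]:
    """Return problems found in an ipBlock; an empty list means it is valid."""
    problems = []
    try:
        cidr = ipaddress.ip_network(ip_block["cidr"], strict=False)
    except (KeyError, ValueError) as exc:
        return [f"ipBlock.cidr invalid: {exc}"]
    for item in ip_block.get("except", []):
        try:
            net = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            problems.append(f"except entry {item!r} is not a CIDR: {exc}")
            continue
        # A v6 range can never sit inside a v4 cidr (subnet_of would raise TypeError).
        if net.version != cidr.version or not net.subnet_of(cidr):
            problems.append(f"except entry {item!r} is outside cidr {cidr}")
    return problems


def check_policies(policies: dict) -> list[str]:
    """Validate a whole policies block; returns the problems found (empty if OK)."""
    problems = []
    pss = policies.get("podSecurityStandard", "")
    if pss not in VALID_PSS:
        problems.append(f"podSecurityStandard {pss!r} not in {sorted(VALID_PSS)}")
    network_policy = policies.get("networkPolicy", {})
    if network_policy.get("enabled"):
        ip_block = network_policy.get("outgoingConnections", {}).get("ipBlock")
        if ip_block:
            problems.extend(check_ip_block(ip_block))
    return problems


if __name__ == "__main__":
    print(check_policies(SAMPLE_POLICIES) or "policies block is valid")
```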