Policies
Network policies in the virtual cluster rely on the support for this feature in the host cluster. Make sure that your host cluster satisfies the network policy prerequisites.
Policies cover several different topics:
- Limit ranges control the storage / CPU / memory that each pod may request.
- Resource quotas.
- Pod security standards
- Network policies like network isolation.
- Admission webhooks
- Central Admission Control
- The admission controller is typically running on the host cluster, where the policies enforced by the webhook cannot be changed by the virtual cluster.
- Users could deploy their own admission webhooks to the virtual cluster, but there's little value in doing so, and this configuration is not concerned with that use case.
- Some examples of admission controller projects:
- It's common for organizations to develop an in-house collection of policies that can enforce naming standards etc.
You can use these settings separately for specific cases, or together, as in the case of Isolated Mode.
Config reference​
policies required object pro​
Policies to enforce for the virtual cluster deployment as well as within the virtual cluster.
policies required object pro​networkPolicy required object pro​
NetworkPolicy specifies network policy options.
networkPolicy required object pro​enabled required boolean false pro​
Enabled defines if the network policy should be deployed by vCluster.
enabled required boolean false pro​fallbackDns required string 8.8.8.8 pro��​
FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.
fallbackDns required string 8.8.8.8 pro��​outgoingConnections required object pro​
OutgoingConnections are the outgoing connections options for the vCluster workloads.
outgoingConnections required object pro​ipBlock required object pro​
IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed
to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs
that should not be included within this rule.
ipBlock required object pro​cidr required string 0.0.0.0/0 pro​
cidr is a string representing the IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
cidr required string 0.0.0.0/0 pro​except required string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16] pro​
except is a slice of CIDRs that should not be included within an IPBlock
Valid examples are "192.168.1.0/24" or "2001:db8::/64"
Except values will be rejected if they are outside the cidr range
except required string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16] pro​platform required boolean true pro​
Platform enables egress access towards loft platform
platform required boolean true pro​extraControlPlaneRules required object[] [] pro​
ExtraControlPlaneRules are extra allowed rules for the vCluster control plane.
extraControlPlaneRules required object[] [] pro​extraWorkloadRules required object[] [] pro​
ExtraWorkloadRules are extra allowed rules for the vCluster workloads.
extraWorkloadRules required object[] [] pro​annotations required object {} pro​
Annotations are extra annotations for this resource.
annotations required object {} pro​labels required object {} pro​
Labels are extra labels for this resource.
labels required object {} pro​podSecurityStandard required string pro​
PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged
podSecurityStandard required string pro​resourceQuota required object pro​
ResourceQuota specifies resource quota options.
resourceQuota required object pro​enabled required string|boolean auto pro​
Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled,
the resourceQuota will be enabled as well.
enabled required string|boolean auto pro​quota required object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0] pro​
Quota are the quota options
quota required object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0] pro​scopeSelector required object map[matchExpressions:[]] pro​
ScopeSelector is the resource quota scope selector
scopeSelector required object map[matchExpressions:[]] pro​scopes required string[] [] pro​
Scopes are the resource quota scopes
scopes required string[] [] pro​annotations required object {} pro​
Annotations are extra annotations for this resource.
annotations required object {} pro​labels required object {} pro​
Labels are extra labels for this resource.
labels required object {} pro​limitRange required object pro​
LimitRange specifies limit range options.
limitRange required object pro​enabled required string|boolean auto pro​
Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled,
the limitRange will be enabled as well.
enabled required string|boolean auto pro​default required object map[cpu:1 ephemeral-storage:8Gi memory:512Mi] pro​
Default are the default limits for the limit range
default required object map[cpu:1 ephemeral-storage:8Gi memory:512Mi] pro​defaultRequest required object map[cpu:100m ephemeral-storage:3Gi memory:128Mi] pro​
DefaultRequest are the default request options for the limit range
defaultRequest required object map[cpu:100m ephemeral-storage:3Gi memory:128Mi] pro​max required object {} pro​
Max are the max limits for the limit range
max required object {} pro​min required object {} pro​
Min are the min limits for the limit range
min required object {} pro​annotations required object {} pro​
Annotations are extra annotations for this resource.
annotations required object {} pro​labels required object {} pro​
Labels are extra labels for this resource.
labels required object {} pro​centralAdmission required object pro​
CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.
centralAdmission required object pro​validatingWebhooks required object[] pro​
ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster
validatingWebhooks required object[] pro​kind required string pro​
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind required string pro​apiVersion required string pro​
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion required string pro​metadata required object pro​
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata required object pro​name required string pro​
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name required string pro​labels required object pro​
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels required object pro​annotations required object pro​
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations required object pro​webhooks required object[] pro​
Webhooks is a list of webhooks and the affected resources and operations.
webhooks required object[] pro​name required string pro​
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name required string pro​clientConfig required object pro​
ClientConfig defines how to communicate with the hook.
clientConfig required object pro​url required string pro​
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
url required string pro​scheme://host:port/path). Exactly one of url or service
must be specified.service required object pro​
Service is a reference to the service for this webhook. Either
service or url must be specified.
If the webhook is running within the cluster, then you should use service.
service required object pro​service or url must be specified.service.namespace required string pro​
Namespace is the namespace of the service.
namespace required string pro​name required string pro​
Name is the name of the service.
name required string pro​path required string pro​
Path is an optional URL path which will be sent in any request to
this service.
path required string pro​port required integer pro​
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
port required integer pro​port should be a valid port number (1-65535, inclusive).caBundle required string pro​
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle required string pro​rules required object[] pro​
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules required object[] pro​failurePolicy required string pro​
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy required string pro​matchPolicy required string pro​
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy required string pro​namespaceSelector required object pro​
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector required object pro​objectSelector required object pro​
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector required object pro​sideEffects required string pro​
SideEffects states whether this webhook has side effects.
sideEffects required string pro​timeoutSeconds required integer pro​
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds required integer pro​admissionReviewVersions required string[] pro​
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions required string[] pro​AdmissionReview
versions the Webhook expects.matchConditions required object[] pro​
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
matchConditions required object[] pro​mutatingWebhooks required object[] pro​
MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster
mutatingWebhooks required object[] pro​kind required string pro​
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind required string pro​apiVersion required string pro​
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion required string pro​metadata required object pro​
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata required object pro​name required string pro​
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name required string pro​labels required object pro​
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels required object pro​annotations required object pro​
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations required object pro​webhooks required object[] pro​
Webhooks is a list of webhooks and the affected resources and operations.
webhooks required object[] pro​reinvocationPolicy required string pro​
reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
Allowed values are "Never" and "IfNeeded".
reinvocationPolicy required string pro​name required string pro​
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name required string pro​clientConfig required object pro​
ClientConfig defines how to communicate with the hook.
clientConfig required object pro​url required string pro​
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
url required string pro​scheme://host:port/path). Exactly one of url or service
must be specified.service required object pro​
Service is a reference to the service for this webhook. Either
service or url must be specified.
If the webhook is running within the cluster, then you should use service.
service required object pro​service or url must be specified.service.namespace required string pro​
Namespace is the namespace of the service.
namespace required string pro​name required string pro​
Name is the name of the service.
name required string pro​path required string pro​
Path is an optional URL path which will be sent in any request to
this service.
path required string pro​port required integer pro​
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
port required integer pro​port should be a valid port number (1-65535, inclusive).caBundle required string pro​
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle required string pro​rules required object[] pro​
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules required object[] pro​failurePolicy required string pro​
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy required string pro​matchPolicy required string pro​
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy required string pro​namespaceSelector required object pro​
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector required object pro​objectSelector required object pro​
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector required object pro​sideEffects required string pro​
SideEffects states whether this webhook has side effects.
sideEffects required string pro​timeoutSeconds required integer pro​
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds required integer pro​admissionReviewVersions required string[] pro​
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions required string[] pro​AdmissionReview
versions the Webhook expects.matchConditions required object[] pro​
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
matchConditions required object[] pro​