# Kubewarden Policy Repository Stable

## harvester-pci-devices

This policy guards against VMs attaching PCI Devices (e.g., GPUs) without permission.

### Settings

| Field | Type | Description |
|---|---|---|
| `namespaceDeviceBindings` | `map[string, NamespaceDeviceBinding]` | A map of Harvester PCI Device bindings. |

#### NamespaceDeviceBinding

| Field | Type | Description |
|---|---|---|
| `namespace` | `string` | The namespace. |
| `device` | `string` | The ID of the PCI device. |

### Specifications

1. You should be able to create a VM without a PCI Device.
2. You should not be able to bind a VM to a PCI Device not allocated to its namespace.

### Example

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: harvester-pci-policy-1
spec:
  module: registry://ghcr.io/suse/openplatform-kubewarden-policies/harvester-pci-devices:latest
  rules:
    - apiGroups: ["kubevirt.io"]
      apiVersions: ["v1"]
      resources: ["virtualmachines"]
      operations: ["CREATE", "UPDATE"]
  settings:
    namespaceDeviceBindings:
      - namespace: test-ns-1
        device: tekton27a-000001010
      - namespace: test-ns-2
        device: tekton27b-000001010
  mutating: false
  policyServer: default
```

The table below shows the verdict the above policy returns for a VM in each namespace that requests the given PCI device.

| Namespace | PCI Device ID | Result |
|---|---|---|
| test-ns-1 | tekton27a-000001010 | ALLOW |
| test-ns-2 | tekton27b-000001010 | ALLOW |
| test-ns-1 | tekton27b-000001010 | REJECT |
| test-ns-2 | tekton27a-000001010 | REJECT |
| random-namespace | tekton27a-000001010 | REJECT |
| random-namespace | tekton27b-000001010 | REJECT |
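The decision logic behind that table, written out as an added Go example that is not the policy's own source: it assumes the bindings are a list (as in the example settings) and that the PCI devices a VM requests are visible as a list of device IDs taken from the VM's host devices (a simplified stand-in for the KubeVirt object, not its real schema).

```go
package main

import "fmt"

// NamespaceDeviceBinding mirrors the setting described in the README.
type NamespaceDeviceBinding struct {
	Namespace string
	Device    string
}

// Settings holds the bindings as the README example lists them: a sequence.
type Settings struct {
	NamespaceDeviceBindings []NamespaceDeviceBinding
}

// VirtualMachine is a minimal stand-in for the admitted VM object: its
// namespace and the PCI device IDs it asks for (assumed field names).
type VirtualMachine struct {
	Namespace   string
	HostDevices []string
}

// allowed reports whether the device is bound to the VM's namespace.
func allowed(s Settings, namespace, device string) bool {
	for _, b := range s.NamespaceDeviceBindings {
		if b.Namespace == namespace && b.Device == device {
			return true
		}
	}
	return false
}

// Validate implements the two specifications: a VM with no PCI devices is
// accepted, and a VM requesting any device not bound to its namespace is
// rejected with a message naming the offending device.
func Validate(s Settings, vm VirtualMachine) (bool, string) {
	for _, dev := range vm.HostDevices {
		if !allowed(s, vm.Namespace, dev) {
			return false, fmt.Sprintf("PCI device %q is not allocated to namespace %q", dev, vm.Namespace)
		}
	}
	return true, ""
}

func main() {
	s := Settings{NamespaceDeviceBindings: []NamespaceDeviceBinding{
		{Namespace: "test-ns-1", Device: "tekton27a-000001010"},
		{Namespace: "test-ns-2", Device: "tekton27b-000001010"}}}
	fmt.Println(Validate(s, VirtualMachine{Namespace: "random-namespace", HostDevices: []string{"tekton27a-000001010"}}))
}
```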