This policy guards against Harvester creating a network for a restricted VLAN in an unauthorized namespace: a VLAN bound to a namespace can only be used from that namespace, and that namespace can only use its bound VLAN.
| Field | Description |
|---|---|
| namespaceVLANBindings map[string, NamespaceVLANBinding] | A map of namespace VLAN bindings. |

Each `NamespaceVLANBinding` has the following fields:

| Field | Description |
|---|---|
| namespace string | The namespace. |
| vlan int | The VLAN for the Harvester VM Network. |
The policy enforces three rules:

- All bound namespaces must use their respective bound VLANs.
- All bound VLANs may only be used from their respective bound namespaces.
- Any namespace or VLAN that isn't bound is unrestricted.
```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: restricted-network-policy-1
spec:
  module: registry://ghcr.io/suse/openplatform-kubewarden-policies/harvester-restricted-network:latest
  rules:
    - apiGroups: ["kubevirt.io"]
      apiVersions: ["v1"]
      resources: ["virtualmachines"]
      operations: ["CREATE", "UPDATE"]
  settings:
    namespaceVLANBindings:
      - namespace: test-restricted-1
        vlan: 42
      - namespace: test-restricted-2
        vlan: 1337
  mutating: false
  policyServer: default
```

The following examples use the example policy above, with 100 as an arbitrary non-restricted VLAN.
| Namespace | VLAN ID | Result |
|---|---|---|
| test-restricted-1 | 42 | ALLOW |
| test-restricted-2 | 1337 | ALLOW |
| random-namespace | 100 | ALLOW |
| test-restricted-1 | 1337 | REJECT |
| test-restricted-2 | 42 | REJECT |
| random-namespace | 42 | REJECT |
| random-namespace | 1337 | REJECT |
| test-restricted-1 | 100 | REJECT |
| test-restricted-2 | 100 | REJECT |
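The three rules and the result table above can be reduced to two lookups per admission request. The following Python is an added example of that decision logic, not the policy's own code: it indexes the `namespaceVLANBindings` settings in both directions, applies the rules to a (namespace, VLAN) pair, and reproduces every row of the table. The function names (`build_bindings`, `evaluate`, `decide`) are assumed, and the rejection of settings that bind one namespace or one VLAN twice is an added sanity check, not behaviour documented on this page. How the VLAN is derived from a `VirtualMachine` object is outside the scope of the page, so the example takes the VLAN as an input.

```python
"""Decision logic of the namespace/VLAN binding rules (added example)."""
from dataclasses import dataclass

# The settings block of the example ClusterAdmissionPolicy above, written as
# the structure a YAML loader would produce (constructed from the page).
EXAMPLE_SETTINGS = {
    "namespaceVLANBindings": [
        {"namespace": "test-restricted-1", "vlan": 42},
        {"namespace": "test-restricted-2", "vlan": 1337},
    ]
}


@dataclass(frozen=True)
class Bindings:
    """Both directions of the binding, so each rule is a single lookup."""
    vlan_of_namespace: dict  # namespace -> vlan
    namespace_of_vlan: dict  # vlan -> namespace


def build_bindings(settings: dict) -> Bindings:
    """Index the settings and reject contradictory configurations.

    A namespace or VLAN that appears in two different bindings would make the
    rules impossible to satisfy, so it is treated as a settings error here
    (assumed behaviour, not taken from the page).
    """
    vlan_of_namespace: dict = {}
    namespace_of_vlan: dict = {}
    for binding in settings.get("namespaceVLANBindings", []):
        ns, vlan = binding["namespace"], int(binding["vlan"])
        if ns in vlan_of_namespace and vlan_of_namespace[ns] != vlan:
            raise ValueError(f"namespace {ns!r} is bound to more than one VLAN")
        if vlan in namespace_of_vlan and namespace_of_vlan[vlan] != ns:
            raise ValueError(f"VLAN {vlan} is bound to more than one namespace")
        vlan_of_namespace[ns] = vlan
        namespace_of_vlan[vlan] = ns
    return Bindings(vlan_of_namespace, namespace_of_vlan)


def evaluate(bindings: Bindings, namespace: str, vlan: int) -> tuple:
    """Return ("ALLOW" | "REJECT", reason) for a VM in `namespace` using `vlan`."""
    # Rule 1: a bound namespace may only use its own VLAN.
    bound_vlan = bindings.vlan_of_namespace.get(namespace)
    if bound_vlan is not None and bound_vlan != vlan:
        return "REJECT", f"namespace {namespace!r} is restricted to VLAN {bound_vlan}"
    # Rule 2: a bound VLAN may only be used from its own namespace.
    bound_ns = bindings.namespace_of_vlan.get(vlan)
    if bound_ns is not None and bound_ns != namespace:
        return "REJECT", f"VLAN {vlan} is restricted to namespace {bound_ns!r}"
    # Rule 3: neither side is bound (or both sides match), so it is unrestricted.
    return "ALLOW", "no binding violated"


def decide(settings: dict, namespace: str, vlan: int) -> str:
    """Convenience wrapper: settings + request -> "ALLOW" or "REJECT"."""
    return evaluate(build_bindings(settings), namespace, vlan)[0]


if __name__ == "__main__":
    # The rows of the result table above.
    cases = [
        ("test-restricted-1", 42), ("test-restricted-2", 1337),
        ("random-namespace", 100), ("test-restricted-1", 1337),
        ("test-restricted-2", 42), ("random-namespace", 42),
        ("random-namespace", 1337), ("test-restricted-1", 100),
        ("test-restricted-2", 100),
    ]
    bindings = build_bindings(EXAMPLE_SETTINGS)
    for ns, vlan in cases:
        verdict, reason = evaluate(bindings, ns, vlan)
        print(f"{ns:20} {vlan:5} -> {verdict:6} ({reason})")
```

Note that an unbound namespace is still rejected when it asks for a bound VLAN (rule 2), and a bound namespace is rejected even for an unbound VLAN such as 100 (rule 1); only requests where neither side is bound fall through to rule 3.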