Name	Name	Last commit message	Last commit date
parent directory ..
cmd	cmd
internal/logger	internal/logger
.gitignore	.gitignore
Makefile	Makefile
README.md	README.md
e2e.bats	e2e.bats
go.mod	go.mod
go.sum	go.sum
metadata.yml	metadata.yml
settings.sample.json	settings.sample.json

Name

Last commit message

Last commit date

harvester-restricted-network-vm

This policy protects Harvester VM networks, by specifying which namespaces are allowed.

Settings

Field	Description
namespaceNetworkBindings map[string, NamespaceNetworkBinding]	A map of namespace network bindings.

NamespaceNetworkBinding

Field	Description
namespace string	The namespace.
network string	The Harvester VM Network in the format `namespace/network-name`.

Specifications

You should be able to create a VM with any of the specified combinations of namespace and network.
You should not be able to create a VM from any namespace or network that is in the settings, but the exact combination is not in the settings.
Any namespace or network that is not on the settings is not restricted

Example

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: restricted-network-vm-policy-1
spec:
  module: registry://ghcr.io/suse/openplatform-kubewarden-policies/harvester-restricted-network-vm:latest
  rules:
    - apiGroups: ["kubevirt.io"]
      apiVersions: ["v1"]
      resources: ["virtualmachines"]
      operations: ["CREATE", "UPDATE"]
  settings:
    namespaceNetworkBindings:
      - namespace: test-restricted-1-network-1
        network:  test-restricted-1-network-1/network-1
      - namespace: test-restricted-2-network-1
        network:  test-restricted-1-network-1/network-1
      - namespace: test-restricted-3-network-3
        network:  test-restricted-3-network-3/network-3
  mutating: false
  policyServer: default

Here would be the result of the above policy.

Namespace	Network	Result
test-restricted-1-network-1	test-restricted-1-network-1/network-1	ALLOW
test-restricted-2-network-1	test-restricted-1-network-1/network-1	ALLOW
test-restricted-3-network-3	test-restricted-3-network-3/network-3	ALLOW
random-namespace	random-network	ALLOW
test-restricted-3-network-3	test-restricted-1-network-1/network-1	REJECT
test-restricted-1-network-1	test-restricted-3-network-3/network-3	REJECT
random-namespace	test-restricted-1-network-1/network-1	REJECT
random-namespace	test-restricted-3-network-3/network-3	REJECT
test-restricted-1-network-1	random-network	REJECT
test-restricted-2-network-2	random-network	REJECT
test-restricted-3-network-3	random-network	REJECT

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

harvester-restricted-network-vm

Settings

NamespaceNetworkBinding

Specifications

Example

FilesExpand file tree

harvester-restricted-network-vm

Directory actions

More options

Directory actions

More options

Latest commit

History

harvester-restricted-network-vm

Folders and files

parent directory

README.md

harvester-restricted-network-vm

Settings

NamespaceNetworkBinding

Specifications

Example