|
| 1 | +image:https://github.com/kubewarden/community/blob/main/badges/kubewarden-policies.svg[Kubewarden Policy Repository, link=https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#policy-scope] |
| 2 | +image:https://img.shields.io/badge/status-stable-brightgreen?style=for-the-badge[Stable, link=https://github.com/kubewarden/community/blob/main/REPOSITORIES.md#stable] |
| 3 | + |
| 4 | +== harvester-restricted-network-vm |
| 5 | + |
| 6 | +This policy protects Harvester VM networks, by specifying which namespaces are allowed. |
| 7 | + |
| 8 | +=== Settings |
| 9 | + |
| 10 | +|=== |
| 11 | +| Field | Description |
| 12 | + |
| 13 | +| namespaceNetworkBindings |
| 14 | + |
| 15 | +map[string, link:#settingsNamespaceNetworkBinding[Namespace Network Binding]] | A map of namespace network bindings. |
| 16 | +|=== |
| 17 | + |
| 18 | +[[settingsNamespaceNetworkBinding]] |
| 19 | +==== Namespace Network Binding |
| 20 | + |
| 21 | +|=== |
| 22 | +| Field | Description |
| 23 | + |
| 24 | +| namespaces |
| 25 | + |
| 26 | +string | The namespace. |
| 27 | + |
| 28 | +| network |
| 29 | + |
| 30 | +string | The Harvester VM Network in the format `namespace/network-name`. |
| 31 | +|=== |
| 32 | + |
| 33 | +=== Specifications |
| 34 | + |
| 35 | +1. You should be able to create a VM with any of the specified combinations of namespace and network. |
| 36 | +2. You should not be able to create a VM from any namespace or network that is in the settings, but the exact combination is not in the settings. |
| 37 | +3. Any namespace or network that is not on the settings is not restricted |
| 38 | + |
| 39 | +=== Example |
| 40 | + |
| 41 | +[source, yaml] |
| 42 | +---- |
| 43 | +apiVersion: policies.kubewarden.io/v1 |
| 44 | +kind: ClusterAdmissionPolicy |
| 45 | +metadata: |
| 46 | + name: restricted-network-vm-policy-1 |
| 47 | +spec: |
| 48 | + module: registry://ghcr.io/suse/openplatform-kubewarden-policies/harvester-restricted-network-vm:latest |
| 49 | + rules: |
| 50 | + - apiGroups: ["kubevirt.io"] |
| 51 | + apiVersions: ["v1"] |
| 52 | + resources: ["virtualmachines"] |
| 53 | + operations: ["CREATE", "UPDATE"] |
| 54 | + settings: |
| 55 | + namespaceNetworkBindings: |
| 56 | + - namespace: test-restricted-1-network-1 |
| 57 | + network: test-restricted-1-network-1/network-1 |
| 58 | + - namespace: test-restricted-2-network-1 |
| 59 | + network: test-restricted-1-network-1/network-1 |
| 60 | + - namespace: test-restricted-3-network-3 |
| 61 | + network: test-restricted-3-network-3/network-3 |
| 62 | + mutating: false |
| 63 | + policyServer: default |
| 64 | +---- |
| 65 | + |
| 66 | +Here would be the result of the above policy. |
| 67 | + |
| 68 | +|=== |
| 69 | +| namespace | network | Result |
| 70 | + |
| 71 | +| test-restricted-1-network-1 | test-restricted-1-network-1/network-1 | ALLOW |
| 72 | +| test-restricted-2-network-1 | test-restricted-1-network-1/network-1 | ALLOW |
| 73 | +| test-restricted-3-network-3 | test-restricted-3-network-3/network-3 | ALLOW |
| 74 | +| random-namespace | random-network | ALLOW |
| 75 | +| test-restricted-3-network-3 | test-restricted-1-network-1/network-1 | REJECT |
| 76 | +| test-restricted-1-network-1 | test-restricted-3-network-3/network-3 | REJECT |
| 77 | +| random-namespace | test-restricted-1-network-1/network-1 | REJECT |
| 78 | +| random-namespace | test-restricted-3-network-3/network-3 | REJECT |
| 79 | +| test-restricted-1-network-1 | random-network | REJECT |
| 80 | +| test-restricted-2-network-2 | random-network | REJECT |
| 81 | +| test-restricted-3-network-3 | random-network | REJECT |
| 82 | +|=== |
0 commit comments