Policies
This feature is only available for the following:
Network policies in the virtual cluster rely on the support for this feature in the host cluster. Make sure that your host cluster satisfies the network policy prerequisites.
Policies cover several different topics:
- Limit ranges control the storage / CPU / memory that each pod may request.
- Resource quotas.
- Pod security standards
- Network policies like network isolation.
- Admission webhooks
- Central Admission Control
- The admission controller is typically running on the host cluster, where the policies enforced by the webhook cannot be changed by the virtual cluster.
- Users could deploy their own admission webhooks to the virtual cluster, but there's little value in doing so, and this configuration is not concerned with that use case.
- Some examples of admission controller projects:
- It's common for organizations to develop an in-house collection of policies that can enforce naming standards etc.
You can use these settings separately for specific cases, or together, as in the case of Isolated Mode.
Config reference​
policies required object ​
Policies to enforce for the virtual cluster deployment as well as within the virtual cluster.
policies required object ​networkPolicy required object ​
NetworkPolicy specifies network policy options.
networkPolicy required object ​enabled required boolean false ​
Enabled defines if the network policy should be deployed by vCluster.
enabled required boolean false ​annotations required object {} ​
Annotations are extra annotations for this resource.
annotations required object {} ​labels required object {} ​
Labels are extra labels for this resource.
labels required object {} ​fallbackDns required string 8.8.8.8 ​
FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.
fallbackDns required string 8.8.8.8 ​controlPlane required object ​
ControlPlane network policy rules
controlPlane required object ​ingress required object[] ​
Ingress rules for the vCluster control plane.
ingress required object[] ​ports required object[] ​
ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports required object[] ​protocol required string ​
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol required string ​port required object ​
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port required object ​endPort required integer ​
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort required integer ​from required object[] ​
from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list.
from required object[] ​podSelector required object ​
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector required object ​namespaceSelector required object ​
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector required object ​ipBlock required object ​
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock required object ​cidr required string ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string ​except required string[] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] ​egress required object[] ​
Egress rules for the vCluster control plane.
egress required object[] ​ports required object[] ​
ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports required object[] ​protocol required string ​
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol required string ​port required object ​
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port required object ​endPort required integer ​
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort required integer ​to required object[] ​
to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list.
to required object[] ​podSelector required object ​
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector required object ​namespaceSelector required object ​
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector required object ​ipBlock required object ​
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock required object ​cidr required string ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string ​except required string[] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] ​workload required object ​
Workload network policy rules
workload required object ​publicEgress required object ​
PublicEgress holds the public outgoing connections options for the vCluster workloads.
publicEgress required object ​enabled required boolean true ​
Enabled defines if the workload public egress should be enabled or disabled.
enabled required boolean true ​cidr required string 0.0.0.0/0 ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string 0.0.0.0/0 ​except required string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] [100.64.0.0/10 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16] ​ingress required object[] ​
Ingress rules for the vCluster workloads.
ingress required object[] ​ports required object[] ​
ports is a list of ports which should be made accessible on the pods selected for
this rule. Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports required object[] ​protocol required string ​
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol required string ​port required object ​
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port required object ​endPort required integer ​
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort required integer ​from required object[] ​
from is a list of sources which should be able to access the pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all sources (traffic not restricted by
source). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the from list.
from required object[] ​podSelector required object ​
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector required object ​namespaceSelector required object ​
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector required object ​ipBlock required object ​
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock required object ​cidr required string ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string ​except required string[] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] ​egress required object[] ​
Egress rules for the vCluster workloads.
egress required object[] ​ports required object[] ​
ports is a list of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If this field is
empty or missing, this rule matches all ports (traffic not restricted by port).
If this field is present and contains at least one item, then this rule allows
traffic only if the traffic matches at least one port in the list.
ports required object[] ​protocol required string ​
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
If not specified, this field defaults to TCP.
protocol required string ​port required object ​
port represents the port on the given protocol. This can either be a numerical or named
port on a pod. If this field is not provided, this matches all port names and
numbers.
If present, only traffic on the specified protocol AND port will be matched.
port required object ​endPort required integer ​
endPort indicates that the range of ports from port to endPort if set, inclusive,
should be allowed by the policy. This field cannot be defined if the port field
is not defined or if the port field is defined as a named (string) port.
The endPort must be equal or greater than port.
endPort required integer ​to required object[] ​
to is a list of destinations for outgoing traffic of pods selected for this rule.
Items in this list are combined using a logical OR operation. If this field is
empty or missing, this rule matches all destinations (traffic not restricted by
destination). If this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item in the to list.
to required object[] ​podSelector required object ​
podSelector is a label selector which selects pods. This field follows standard label
selector semantics; if present but empty, it selects all pods.
If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the Namespaces selected by NamespaceSelector.
Otherwise it selects the pods matching podSelector in the policy's own namespace.
podSelector required object ​namespaceSelector required object ​
namespaceSelector selects namespaces using cluster-scoped labels. This field follows
standard label selector semantics; if present but empty, it selects all namespaces.
If podSelector is also set, then the NetworkPolicyPeer as a whole selects
the pods matching podSelector in the namespaces selected by namespaceSelector.
Otherwise it selects all pods in the namespaces selected by namespaceSelector.
namespaceSelector required object ​ipBlock required object ​
ipBlock defines policy on a particular IPBlock. If this field is set then
neither of the other fields can be.
ipBlock required object ​cidr required string ​
CIDR defines the allowed workload public egress destination.
Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
cidr required string ​except required string[] ​
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected.
Valid examples are "192.168.1.0/24" or "2001:db8::/64".
except required string[] ​podSecurityStandard required string ​
PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged
podSecurityStandard required string ​resourceQuota required object ​
ResourceQuota specifies resource quota options.
resourceQuota required object ​enabled required string|boolean auto ​
Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled,
the resourceQuota will be enabled as well.
enabled required string|boolean auto ​quota required object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0] ​
Quota are the quota options
quota required object map[count/configmaps:100 count/endpoints:40 count/persistentvolumeclaims:20 count/pods:20 count/secrets:100 count/services:20 limits.cpu:20 limits.ephemeral-storage:160Gi limits.memory:40Gi requests.cpu:10 requests.ephemeral-storage:60Gi requests.memory:20Gi requests.storage:100Gi services.loadbalancers:1 services.nodeports:0] ​scopeSelector required object map[matchExpressions:[]] ​
ScopeSelector is the resource quota scope selector
scopeSelector required object map[matchExpressions:[]] ​scopes required string[] [] ​
Scopes are the resource quota scopes
scopes required string[] [] ​annotations required object {} ​
Annotations are extra annotations for this resource.
annotations required object {} ​labels required object {} ​
Labels are extra labels for this resource.
labels required object {} ​limitRange required object ​
LimitRange specifies limit range options.
limitRange required object ​enabled required string|boolean auto ​
Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled,
the limitRange will be enabled as well.
enabled required string|boolean auto ​default required object map[cpu:1 ephemeral-storage:8Gi memory:512Mi] ​
Default are the default limits for the limit range
default required object map[cpu:1 ephemeral-storage:8Gi memory:512Mi] ​defaultRequest required object map[cpu:100m ephemeral-storage:3Gi memory:128Mi] ​
DefaultRequest are the default request options for the limit range
defaultRequest required object map[cpu:100m ephemeral-storage:3Gi memory:128Mi] ​max required object {} ​
Max are the max limits for the limit range
max required object {} ​min required object {} ​
Min are the min limits for the limit range
min required object {} ​annotations required object {} ​
Annotations are extra annotations for this resource.
annotations required object {} ​labels required object {} ​
Labels are extra labels for this resource.
labels required object {} ​centralAdmission required object ​
CentralAdmission defines what validating or mutating webhooks should be enforced within the virtual cluster.
centralAdmission required object ​validatingWebhooks required object[] ​
ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster
validatingWebhooks required object[] ​kind required string ​
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind required string ​apiVersion required string ​
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion required string ​metadata required object ​
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata required object ​name required string ​
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name required string ​labels required object ​
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels required object ​annotations required object ​
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations required object ​webhooks required object[] ​
Webhooks is a list of webhooks and the affected resources and operations.
webhooks required object[] ​name required string ​
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name required string ​clientConfig required object ​
ClientConfig defines how to communicate with the hook.
clientConfig required object ​url required string ​
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
url required string ​scheme://host:port/path). Exactly one of url or service
must be specified.service required object ​
Service is a reference to the service for this webhook. Either
service or url must be specified.
If the webhook is running within the cluster, then you should use service.
service required object ​service or url must be specified.service.namespace required string ​
Namespace is the namespace of the service.
namespace required string ​name required string ​
Name is the name of the service.
name required string ​path required string ​
Path is an optional URL path which will be sent in any request to
this service.
path required string ​port required integer ​
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
port required integer ​port should be a valid port number (1-65535, inclusive).caBundle required string ​
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle required string ​rules required object[] ​
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules required object[] ​failurePolicy required string ​
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy required string ​matchPolicy required string ​
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy required string ​namespaceSelector required object ​
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector required object ​objectSelector required object ​
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector required object ​sideEffects required string ​
SideEffects states whether this webhook has side effects.
sideEffects required string ​timeoutSeconds required integer ​
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds required integer ​admissionReviewVersions required string[] ​
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions required string[] ​AdmissionReview
versions the Webhook expects.matchConditions required object[] ​
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
matchConditions required object[] ​mutatingWebhooks required object[] ​
MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster
mutatingWebhooks required object[] ​kind required string ​
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
kind required string ​apiVersion required string ​
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
apiVersion required string ​metadata required object ​
Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
metadata required object ​name required string ​
Name must be unique within a namespace. Is required when creating resources, although
some resources may allow a client to request the generation of an appropriate name
automatically. Name is primarily intended for creation idempotence and configuration
definition.
name required string ​labels required object ​
Map of string keys and values that can be used to organize and categorize
(scope and select) objects. May match selectors of replication controllers
and services.
labels required object ​annotations required object ​
Annotations is an unstructured key value map stored with a resource that may be
set by external tools to store and retrieve arbitrary metadata.
annotations required object ​webhooks required object[] ​
Webhooks is a list of webhooks and the affected resources and operations.
webhooks required object[] ​reinvocationPolicy required string ​
reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
Allowed values are "Never" and "IfNeeded".
reinvocationPolicy required string ​name required string ​
The name of the admission webhook.
Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
"imagepolicy" is the name of the webhook, and kubernetes.io is the name
of the organization.
name required string ​clientConfig required object ​
ClientConfig defines how to communicate with the hook.
clientConfig required object ​url required string ​
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
url required string ​scheme://host:port/path). Exactly one of url or service
must be specified.service required object ​
Service is a reference to the service for this webhook. Either
service or url must be specified.
If the webhook is running within the cluster, then you should use service.
service required object ​service or url must be specified.service.namespace required string ​
Namespace is the namespace of the service.
namespace required string ​name required string ​
Name is the name of the service.
name required string ​path required string ​
Path is an optional URL path which will be sent in any request to
this service.
path required string ​port required integer ​
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
port required integer ​port should be a valid port number (1-65535, inclusive).caBundle required string ​
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
If unspecified, system trust roots on the apiserver are used.
caBundle required string ​rules required object[] ​
Rules describes what operations on what resources/subresources the webhook cares about.
The webhook cares about an operation if it matches any Rule.
rules required object[] ​failurePolicy required string ​
FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
allowed values are Ignore or Fail. Defaults to Fail.
failurePolicy required string ​matchPolicy required string ​
matchPolicy defines how the "rules" list is used to match incoming requests.
Allowed values are "Exact" or "Equivalent".
matchPolicy required string ​namespaceSelector required object ​
NamespaceSelector decides whether to run the webhook on an object based
on whether the namespace for that object matches the selector. If the
object itself is a namespace, the matching is performed on
object.metadata.labels. If the object is another cluster scoped resource,
it never skips the webhook.
namespaceSelector required object ​objectSelector required object ​
ObjectSelector decides whether to run the webhook based on if the
object has matching labels. objectSelector is evaluated against both
the oldObject and newObject that would be sent to the webhook, and
is considered to match if either object matches the selector.
objectSelector required object ​sideEffects required string ​
SideEffects states whether this webhook has side effects.
sideEffects required string ​timeoutSeconds required integer ​
TimeoutSeconds specifies the timeout for this webhook.
timeoutSeconds required integer ​admissionReviewVersions required string[] ​
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
admissionReviewVersions required string[] ​AdmissionReview
versions the Webhook expects.matchConditions required object[] ​
MatchConditions is a list of conditions that must be met for a request to be sent to this
webhook. Match conditions filter requests that have already been matched by the rules,
namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
There are a maximum of 64 match conditions allowed.
matchConditions required object[] ​