Network policy example

This section provides permissions and examples for policy on the network::/ realm.

Network policy permissions

The following policy defines the permissions for resources in the network::/ realm:

network::/ {
  if (permit == all) {
    permit create, read, join, delete
  }
}

For a job to join a network, both the job and the network must have permit join claims (a two-way handshake is required, in other words). See example below.

Network policy example

In the policy defined below, user1 has permission to join the /prod::net1 virtual network, but only the admin user is allowed to create virtual networks in the /prod namespace. However, user1 can create virtual networks in their sandbox namespace (/sandbox/user1).

network::/prod::* {
    if (auth_server@apcera.me->name == "admin"){
        permit create, join
    }
}
network::/prod::net1 {
    if (auth_server@apcera.me->name == "user1"){
        permit join
    }
}
network::/sandbox/user1::* {
    if (auth_server@apcera.me->name == "user1"){
        permit create, join
    }
}

In addition, there must be a corresponding permit join claim on the target job that wants to join a network. For example, the following policy allows any job in the /sandbox/user1 namespace to join the /prod::net1 network referenced above:

job::/sandbox/user1::* {
    if (network fqnMatch "network::/prod::net1") {
        permit join
    }
}
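To make the two-way handshake concrete, the following is an added Python model of how the two policies above combine; it is a constructed example, not Apcera's policy engine. It assumes (these semantics are not stated on the page) that an FQN has the shape "realm::/namespace::name", that a target ending in "::*" matches every name in that namespace, and that a join succeeds only when the network rules and the job rules both yield a join permit. The Rule, fqn_match, permitted, can_create_network and can_join names are all hypothetical.

```python
# Toy evaluator for the two-way network join check described above.
# Constructed model for illustration, not Apcera's policy engine.
# Assumed semantics: an FQN is "realm::/namespace::name", a target ending in
# "::*" matches every name in that namespace, and a join is allowed only when
# the network rules AND the job rules both grant "join".
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Rule:
    target: str                                   # policy target, e.g. "network::/prod::*"
    condition: Callable[[Dict[str, str]], bool]   # the "if (...)" clause
    permits: FrozenSet[str]                       # e.g. {"create", "join"}


def fqn_match(pattern: str, fqn: str) -> bool:
    """Assumed fqnMatch: exact match, or a trailing '::*' matching any name in the namespace."""
    if pattern.endswith("::*"):
        return fqn.startswith(pattern[:-1])  # keeps the 'realm::/ns::' prefix, so /prod != /production
    return pattern == fqn


def permitted(rules: List[Rule], resource: str, ctx: Dict[str, str]) -> FrozenSet[str]:
    """Union of permits from every rule whose target matches and whose condition holds."""
    granted = set()
    for rule in rules:
        if fqn_match(rule.target, resource) and rule.condition(ctx):
            granted |= rule.permits
    return frozenset(granted)


# The two example policies above, encoded as rules.
# ctx["user"] stands in for the auth_server@apcera.me->name claim.
POLICY = [
    Rule("network::/prod::*", lambda c: c["user"] == "admin", frozenset({"create", "join"})),
    Rule("network::/prod::net1", lambda c: c["user"] == "user1", frozenset({"join"})),
    Rule("network::/sandbox/user1::*", lambda c: c["user"] == "user1", frozenset({"create", "join"})),
    Rule("job::/sandbox/user1::*",
         lambda c: fqn_match("network::/prod::net1", c["network"]), frozenset({"join"})),
]


def can_create_network(user: str, network: str, rules: List[Rule] = POLICY) -> bool:
    """Creation is decided by the network realm alone."""
    return "create" in permitted(rules, network, {"user": user, "network": network})


def can_join(user: str, job: str, network: str, rules: List[Rule] = POLICY) -> bool:
    """Two-way handshake: the network must permit the join AND the job must permit it too."""
    ctx = {"user": user, "job": job, "network": network}
    network_side = "join" in permitted(rules, network, ctx)
    job_side = "join" in permitted(rules, job, ctx)
    return network_side and job_side


if __name__ == "__main__":
    print(can_create_network("user1", "network::/prod::net2"))                            # False
    print(can_create_network("admin", "network::/prod::net2"))                            # True
    print(can_join("user1", "job::/sandbox/user1::web", "network::/prod::net1"))          # True
    # network side grants join, but the job policy only names /prod::net1, so this fails
    print(can_join("user1", "job::/sandbox/user1::web", "network::/sandbox/user1::dev"))  # False
```

The last call is the case worth checking when a join is unexpectedly denied: the network realm grants user1 join on their sandbox networks, but the job::/sandbox/user1::* rule above only permits joining /prod::net1, so the handshake is one-sided and the join is refused.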

The following policy uses templates to permit a user to create networks in their sandbox namespace, and join any job in their sandbox to any network in the same namespace.

network::/sandbox/[name] {
    { permit create, read }
    if (job fqnMatch "job::/sandbox/[name]") {
        permit join
    }
}
job::/sandbox/[name] {
    if (network fqnMatch "network::/sandbox/[name]") {
        permit join
    }
}