Subnetpool Policy Examples

This section provides policy examples for using subnet pools. Subnet pools are used with virtual networks.

Subnetpool policy permissions

The following policy defines the permissions available for resources in the subnetpool::/ realm:

subnetpool::/ {
  if (permit == all) {
    permit create, read, delete
  }
}

Subnetpool policy example

The following example allows members of the LDAP group named "devops" to read the subnet pool pool-1 in the /prod namespace. The "devops" users can create a virtual network whose IP address range is taken from subnetpool::/prod::pool-1 if necessary. Any job in the /prod namespace can join any virtual network in the /prod namespace.

subnetpool::/prod::pool-1 {
  if (user->group == "devops") {
    permit read
  }
}

network::/prod {
  if (user->group == "devops") {
    permit create, read, delete
  }

  if (job fqnMatch "job::/prod") {
    permit join
  }
}

job::/prod {
  if (network fqnMatch "network::/prod") {
    permit join
  }
}
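The example above grants "devops" only read on the pool, which is what a network creator needs. Pool lifecycle (create, read, delete, the full permission set of the subnetpool::/ realm) is a separate concern and is best held by a separate group. The following policy is an added example, not part of the original documentation; the group name "netops" and the /dev namespace are assumptions chosen for illustration. It keeps "devops" read-only on pool-1 while giving "netops" full control of every pool under /prod, and it scopes /dev jobs to /dev networks only, so a /dev job cannot join a /prod network because neither the network::/prod nor the job::/dev realm permits that join.

```text
subnetpool::/prod {
  if (user->group == "netops") {
    permit create, read, delete
  }
}

subnetpool::/prod::pool-1 {
  if (user->group == "devops") {
    permit read
  }
}

network::/dev {
  if (job fqnMatch "job::/dev") {
    permit join
  }
}

job::/dev {
  if (network fqnMatch "network::/dev") {
    permit join
  }
}
```

Because the join permission is expressed from both the network side and the job side, a job joins a network only when both realms permit it; keeping each side's fqnMatch pattern inside its own namespace is what prevents cross-namespace joins.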