A Kubernetes policy defines a set of permissions that are required in addition to the Read-Write access to the namespaces of the CNF. As a user with access to the CNF package, you can create a policy. When you create a policy, you only define the requirement for specific permissions. The virtual infrastructure administrator grants permission by creating a policy grant. A policy grant links the policy and VIM with a CNF package. A policy grant may also link with a specific CNF instance or a CNF LCM operation.

The following table lists the privileges and the corresponding accessible objects.
Table 1. Kubernetes Policy Privileges
Privilege Policy Template Policy Grant
System Administrtor  Read-Write Read-Write
Virtual Infrastructure Administrtor  Read-Write Read-Write
Virtual Infrastructure Audit Read-Write Read-Only
Virtual Infrastructure Consume Read-Write Read-Only
When you create a policy, it moves to the draft state with an expiration date set for the policy automatically. In the draft state, you can edit a policy, and every time you edit a policy, the expiration date is extended.
  • The draft policy is automatically deleted if you do not finalize it before the expiration date.
  • After granting a policy, it can no longer be edited or deleted.
The lifecycle of a policy is illustrated in the following diagram.

The policy and policy grant are used during LCM operations to prepare the context in which HELM is executed. Before executing a HELM operation, TCA creates or updates a service account and its corresponding roles, cluster roles, or role bindings to represent a context in which the CNF should be running. Based on policies and policy grants, TCA creates a set of CNF-specific roles or cluster roles and role bindings. These will make it possible for the service account to access global resources. Roles are created based on HELM to namespace mapping in the instantiated VNF to provide Read-Write access to the namespaces in which the CNF resides. These service accounts reside on a TCA-specific namespace and are labeled with the policy grant ID or the CNF instance ID. Proper labeling of the service accounts allows you to update or delete them when you no longer require them.