The hierarchical model of the isolation modes (restrictions) for TCA global, VIMs, and CNFs allows you to migrate your existing VIMs and CNFs to a secure mode and enforce the restrictions on the new clusters or CNFs that you create.

The hierarchical model of the isolation modes:
  • Global default isolation mode: Sets the default isolation mode for Kubernetes clusters.
  • VIM level default isolation: Inherits the global isolation mode and is the isolation mode applied to CNFs deployed into the cluster. However, you can edit the settings by navigating to Infrastructure > Virtual Infrastructure and then clicking the Options (three dots) corresponding to the cloud instance.
  • CNF level isolation mode: Inherits the VIM isolation mode, and you can edit the settings. The settings that you modify apply to the next CNF operation.

Prerequisites

To perform this operation, you'll need the Admin privilege.

Procedure

  1. Log in to the VMware Telco Cloud Automation user interface.
  2. Go to Administration > Configurations > Policy Configurations.
  3. From the Default Isolation Mode drop-down list, select one of the isolation modes to be applied to the Kubernetes clusters:
    • Permissive: No restriction is applied during LCM operations or proxy remote accesses.
    • Restricted: Each Network Function has access to its namespace, and no access is granted to any other namespace or cluster-level resources. Also, PSA and RBAC policies are applied, which protect the cluster against malicious code in pods and protect Kubernetes resources as well.

      Note:

      By default, the Kubernetes VIMs are in permissive mode, and no cluster-level privilege separation is enforced. To enable restricted policies, you must set the isolation mode to Restricted.

    • PodSecurity: Only Pod Security Admission (PSA) policies are applied in this mode. This is the middle level of security: it protects the cluster against malicious code in pods if the right pod security standard is applied, but does not protect against access to unauthorized cluster resources.

  4. Click Update.
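
After the mode is updated, its effect can be checked from the cluster side by testing the two properties the mode descriptions name: PSA enforcement on the CNF namespace, and no access outside that namespace. The shell functions below are an added example, not VMware tooling or code from this documentation. Assumptions: PSA appears as the standard `pod-security.kubernetes.io/enforce` namespace label, the three arguments (CNF namespace, service account, a second namespace) are placeholders for your own names, and which identity TCA uses for CNF operations is not stated on this page.

```shell
#!/bin/sh
# Added example: compare observed cluster state with the isolation mode descriptions.
# Usage: observed_isolation <cnf-namespace> <service-account> <other-namespace>
# All three names are placeholders. The caller needs permission to impersonate (--as).

# Print the PSA "enforce" level set on a namespace, or "none" if no label is set.
# Assumption: PSA is expressed as a namespace label, not only as a cluster default.
psa_level() (
  lvl=$(kubectl get namespace "$1" \
        -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}')
  echo "${lvl:-none}"
)

# Succeed if the identity can read outside its own namespace: either secrets
# in another namespace or a cluster-level resource (nodes).
can_escape_namespace() (
  who="system:serviceaccount:$1:$2"
  [ "$(kubectl auth can-i list secrets -n "$3" --as "$who" 2>/dev/null)" = "yes" ] ||
  [ "$(kubectl auth can-i list nodes --as "$who" 2>/dev/null)" = "yes" ]
)

# Map the two observations onto the mode whose description they match.
observed_isolation() (
  psa=$(psa_level "$1")
  if can_escape_namespace "$1" "$2" "$3"; then
    # No RBAC confinement: PSA alone matches PodSecurity, neither matches Permissive.
    if [ "$psa" = "none" ]; then echo "Permissive"; else echo "PodSecurity"; fi
  else
    # RBAC confinement plus PSA matches Restricted; confinement without a
    # PSA label matches none of the three described modes.
    if [ "$psa" = "none" ]; then echo "Unknown"; else echo "Restricted"; fi
  fi
)
```

A result that differs from the mode selected in the user interface is a reason to check which level of the hierarchy (global, VIM, or CNF) the namespace actually inherited from.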