  1. Red Hat OpenShift Control Planes
  2. CNTRLPLANE-2633

Document Kernel-Level Isolation in isolation-levels.md Reference


      Objective

      Create comprehensive reference documentation at docs/content/reference/isolation-levels.md that clearly answers "Does HyperShift support kernel-level isolation?" with evidence from E2E tests.

      Parent Work Item

      This task is part of CNTRLPLANE-2630: E2E test for OCPSTRAT-2217 VM-level and Hosted Cluster Isolation levels

      Deliverables

      Create docs/content/reference/isolation-levels.md with:

      Section 1: Executive Summary

      • Clear "YES" answer to kernel-level isolation support
      • Quick overview of isolation levels
      • Link to test evidence

      Section 2: VM-Based Control Plane Isolation (Kernel-Level)

      • Is kernel-level isolation supported? → YES
      • Implementation details (KubeVirt + OpenShift Virtualization)
      • Technical evidence from test/e2e/isolation_kubevirt_test.go
      • Security properties:
        • Kernel namespace isolation (PID, network, mount)
        • Resource isolation (cgroups v2)
        • Network isolation (VirtLauncher NetworkPolicies)
        • Hypervisor enforcement (KVM)
      • Compliance mapping (ANSSI BP-028, Common Criteria)
      • Deployment YAML example
      • Verification commands

      Section 3: Container-Based Isolation (NetworkPolicy)

      • For non-KubeVirt platforms
      • NetworkPolicy-based pod isolation
      • Namespace segregation
      • Konnectivity proxy
      • VPC/VNet cloud-level isolation

      Section 4: Shared Nothing Topology (Maximum Isolation)

      • Combining KubeVirt + Shared Nothing
      • Deployment example
      • Isolation levels achieved

      Section 5: RFP Question Reference

      • Quick answers to common RFP questions
      • Evidence pointers
      • Compliance statements

      ANSSI BP-028 Compliance Mapping Table

      | Requirement | Compliance | Implementation |
      |---|---|---|
      | Section 3.4 (Virtualization Security) | | KVM hypervisor with VM isolation |
      | Section 4.2 (Network Segmentation) | | VirtLauncher NetworkPolicies |
      | Section 4.3 (Service Isolation) | | Dedicated VMs per control plane |
      | Section 5.1 (Access Control) | | RBAC + namespace isolation |

      Key Message Template

      Q: Does HyperShift support kernel-level isolation?

      A: YES - HyperShift provides kernel-level isolation through the KubeVirt platform. Each Hosted Control Plane runs in dedicated Virtual Machines with:

      • Separate kernel instances (verified via test/e2e/isolation_kubevirt_test.go)
      • KVM hypervisor-enforced boundaries
      • Independent system namespaces (PID, network, mount)
      • cgroups v2 resource isolation

      Evidence: test/e2e/isolation_kubevirt_test.go::TestKubevirtKernelLevelIsolation

      Verification Commands Section

      # Get management cluster kernel
      oc debug node/[mgmt-node] -- chroot /host uname -r

      # Get hosted cluster VM kernel
      oc --kubeconfig [cluster]-kubeconfig debug node/[guest-node] -- chroot /host uname -r

      # Verify VirtLauncher NetworkPolicy
      oc get networkpolicy -n clusters-[cluster-name] virt-launcher -o yaml
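
      An added example, not part of this ticket or of HyperShift: the two `uname -r` commands above return release strings, which match whenever host and guest run the same OS build, so this script also reads `/proc/sys/kernel/random/boot_id` and `systemd-detect-virt` to decide whether the guest node runs its own kernel under KVM. Function names, verdict strings and the script's arguments are hypothetical.

```sh
#!/bin/sh
# Added example (not HyperShift code): function names and verdict strings are hypothetical.

# Print "release boot_id virt" for one node, using the same `oc debug` form as the
# commands above. $1 = node name, $2 = optional kubeconfig for the hosted cluster.
collect_node_facts() {
  oc ${2:+--kubeconfig "$2"} debug "node/$1" -- chroot /host sh -c \
    'echo "$(uname -r) $(cat /proc/sys/kernel/random/boot_id) $(systemd-detect-virt || true)"' \
    2>/dev/null
}

# Args: mgmt_release mgmt_boot_id guest_release guest_boot_id guest_virt
# Returns 0 = separate kernel under KVM, 1 = shared kernel, 2 = cannot tell.
isolation_verdict() {
  if [ -z "$2" ] || [ -z "$4" ]; then
    echo "INCONCLUSIVE: boot_id missing"; return 2
  fi
  # boot_id is generated once per kernel boot; equal values mean both debug
  # shells ran on the same running kernel.
  if [ "$2" = "$4" ]; then
    echo "FAIL: shared kernel instance"; return 1
  fi
  if [ "$5" != "kvm" ]; then
    echo "INCONCLUSIVE: guest reports virt=${5:-unknown}"; return 2
  fi
  # Equal `uname -r` strings are expected when both sides run the same OS build;
  # they do not indicate a shared kernel, so the release is reported, not judged.
  if [ "$1" = "$3" ]; then
    echo "PASS: separate kernel under kvm (same release $1)"
  else
    echo "PASS: separate kernel under kvm ($1 vs $3)"
  fi
}

# Usage: script MGMT_NODE GUEST_NODE GUEST_KUBECONFIG
if [ "$#" -eq 3 ]; then
  mgmt=$(collect_node_facts "$1"); guest=$(collect_node_facts "$2" "$3")
  # Intentional word splitting: each variable holds "release boot_id virt".
  set -- $mgmt $guest
  isolation_verdict "$1" "$2" "$4" "$5" "$6"
fi
```

      Distinct boot IDs alone are also what two separate bare-metal hosts would show, which is why the verdict additionally requires the guest to report `kvm`.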
      

      Acceptance Criteria

      • Documentation clearly answers: "Does HyperShift support kernel-level isolation?" → YES
      • ANSSI BP-028 compliance mapping complete and accurate
      • Common Criteria (CC) compliance mapping included
      • Test evidence clearly referenced
      • Verification commands tested and working
      • All code examples validated
      • Markdown renders correctly
      • Follows HyperShift documentation style guide

      Files to Reference

      • test/e2e/isolation_kubevirt_test.go - Test evidence
      • docs/content/how-to/distribute-hosted-cluster-workloads.md - Existing workload distribution docs
      • docs/content/how-to/kubevirt/create-kubevirt-cluster.md - KubeVirt platform guide
      • hypershift-operator/controllers/hostedcluster/network_policies.go - NetworkPolicy implementation

      Dependencies

      • E2E test implementation complete with passing results
      • Test evidence artifacts available

      Estimated Time

      2-3 days

              wk2019 Ke Wang