kyverno/samples/AddDefaultNetworkPolicy.md

# Default deny all ingress traffic

By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communinications. 

A default `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in the namespace. Application teams can then configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources.

## Policy YAML 

[add_network_policy.yaml](best_practices/add_network_policy.yaml)

````yaml
apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
spec:
  rules:
  - name: "default-deny-ingress"
    match:
      resources: 
        kinds:
        - Namespace
        name: "*"
    generate: 
      kind: NetworkPolicy
      name: default-deny-ingress
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          policyTypes: 
          - Ingress
````
reorganize samples 2019-10-23 14:06:03 -07:00			`# Default deny all ingress traffic`

update add_networkPolicy 2019-11-10 21:27:50 -08:00			`By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communinications.`
update descriptions... 2019-10-23 15:36:37 -07:00
update add_networkPolicy 2019-11-10 21:27:50 -08:00			A default `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in the namespace. Application teams can then configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources.
reorganize samples 2019-10-23 14:06:03 -07:00
			`## Policy YAML`

update LimitNodePort 2019-11-10 21:34:22 -08:00			`[add_network_policy.yaml](best_practices/add_network_policy.yaml)`
reorganize samples 2019-10-23 14:06:03 -07:00
			````yaml
			`apiVersion: kyverno.io/v1alpha1`
			`kind: ClusterPolicy`
			`metadata:`
update add_networkPolicy 2019-11-10 21:27:50 -08:00			`name: add-networkpolicy`
reorganize samples 2019-10-23 14:06:03 -07:00			`spec:`
			`rules:`
			`- name: "default-deny-ingress"`
			`match:`
			`resources:`
			`kinds:`
			`- Namespace`
			`name: "*"`
			`generate:`
			`kind: NetworkPolicy`
			`name: default-deny-ingress`
			`data:`
			`spec:`
			`# select all pods in the namespace`
			`podSelector: {}`
			`policyTypes:`
			`- Ingress`
			````