kyverno/test/best_practices/add_network_policy.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
  annotations:
    policies.kyverno.io/category: Workload Management
    policies.kyverno.io/description: By default, Kubernetes allows communications across 
      all pods within a cluster. Network policies and, a CNI that supports network policies, 
      must be used to restrict communinications. A default NetworkPolicy should be configured 
      for each namespace to default deny all ingress traffic to the pods in the namespace. 
      Application teams can then configure additional NetworkPolicy resources to allow 
      desired traffic to application pods from select sources.
spec:
  validationFailureAction: audit
  rules:
  - name: default-deny-ingress
    match:
      resources: 
        kinds:
        - Namespace
        name: "*"
    exclude:
      resources:
        namespaces:
          - "kube-system"
          - "default"
          - "kube-public"
          - "kyverno"
    generate: 
      kind: NetworkPolicy
      name: default-deny-ingress
      namespace: "{{request.object.metadata.name}}"
      synchronize : true
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          policyTypes: 
          - Ingress
update api in samples/ 2019-11-13 13:56:20 -08:00			`apiVersion: kyverno.io/v1`
add samples/best_practices/require_default_network_policy.yaml 2019-10-09 18:52:48 -07:00			`kind: ClusterPolicy`
			`metadata:`
update add_networkPolicy 2019-11-10 21:27:50 -08:00			`name: add-networkpolicy`
Provide descriptions for policies 2019-10-11 18:57:16 -07:00			`annotations:`
update categories and links 2019-11-11 18:21:16 -08:00			`policies.kyverno.io/category: Workload Management`
update add_networkPolicy 2019-11-10 21:27:50 -08:00			`policies.kyverno.io/description: By default, Kubernetes allows communications across`
			`all pods within a cluster. Network policies and, a CNI that supports network policies,`
			`must be used to restrict communinications. A default NetworkPolicy should be configured`
			`for each namespace to default deny all ingress traffic to the pods in the namespace.`
			`Application teams can then configure additional NetworkPolicy resources to allow`
			`desired traffic to application pods from select sources.`
add samples/best_practices/require_default_network_policy.yaml 2019-10-09 18:52:48 -07:00			`spec:`
add validateFailureAction to all policies (#1068) 2020-08-19 14:04:58 -07:00			`validationFailureAction: audit`
add samples/best_practices/require_default_network_policy.yaml 2019-10-09 18:52:48 -07:00			`rules:`
update documentation 2019-12-10 09:51:15 -08:00			`- name: default-deny-ingress`
add samples/best_practices/require_default_network_policy.yaml 2019-10-09 18:52:48 -07:00			`match:`
			`resources:`
			`kinds:`
			`- Namespace`
update readme 2019-10-09 23:46:18 -07:00			`name: "*"`
Generate policy does not work on namespace update (#1085) * added logic for handling generate request * generate rules added * added label condition for generate * remove extra logs * remove extra logs * buf fixed * bug fixed * added logic for delete gr * log fixed * documentation changed * remove best practices changes * bug fix * added best pratice 2020-08-31 23:55:13 +05:30			`exclude:`
manifest fixes; typos; linting (#1240) 2020-11-11 15:55:02 -05:00			`resources:`
			`namespaces:`
			`- "kube-system"`
			`- "default"`
			`- "kube-public"`
			`- "kyverno"`
add samples/best_practices/require_default_network_policy.yaml 2019-10-09 18:52:48 -07:00			`generate:`
			`kind: NetworkPolicy`
update default network policy to deny all ingress traffic 2019-10-10 11:08:20 -07:00			`name: default-deny-ingress`
593 feature (#594) * initial commit * background policy validation * correct message * skip non-background policy process for add/update * add Generate Request CR * generate Request Generator Initial * test generate request CR generation * initial commit gr generator * generate controller initial framework * add crd for generate request * gr cleanup controller initial commit * cleanup controller initial * generate mid-commit * generate rule processing * create PV on generate error * embed resource type * testing phase 1- generate resources with variable substitution * fix tests * comment broken test #586 * add printer column for state * return if existing resource for clone * set resync time to 2 mins & remove resource version check in update handler for gr * generate events for reporting * fix logs * initial commit * fix trailing quote in patch * remove comments * initial condition (equal & notequal) * initial support for conditions * initial support fo conditions in generate * support precondition checks * cleanup * re-evaluate GR on namespace update using dynamic informers * add status for generated resources * display loaded variable SA * support delete cleanup of generate request main resources * fix log * remove namespace from SA username * support multiple variables per statement for scalar values * fix fail variables * add check for userInfo * validation checks for conditions * update policy * refactor logs * code review * add openapispec for clusterpolicy preconditions * Update documentation * CR fixes * documentation * CR fixes * update variable * fix logs * update policy * pre-defined variables (serviceAccountName & serviceAccountNamespace) * update test 2020-01-07 15:13:57 -08:00			`namespace: "{{request.object.metadata.name}}"`
Added Synchronize flag in Generate Request (#980) * fix Synchronize flag issue 2020-07-13 13:42:11 -07:00			`synchronize : true`
add samples/best_practices/require_default_network_policy.yaml 2019-10-09 18:52:48 -07:00			`data:`
			`spec:`
			`# select all pods in the namespace`
			`podSelector: {}`
			`policyTypes:`
documentation updates 2019-10-14 10:47:54 -07:00			`- Ingress`