2019-11-13 13:56:20 -08:00
|
|
|
apiVersion: kyverno.io/v1
|
2019-10-09 18:52:48 -07:00
|
|
|
kind: ClusterPolicy
|
|
|
|
|
metadata:
|
2019-11-10 21:27:50 -08:00
|
|
|
name: add-networkpolicy
|
2019-10-11 18:57:16 -07:00
|
|
|
annotations:
|
2019-11-11 18:21:16 -08:00
|
|
|
policies.kyverno.io/category: Workload Management
|
2019-11-10 21:27:50 -08:00
|
|
|
policies.kyverno.io/description: By default, Kubernetes allows communications across
|
|
|
|
|
all pods within a cluster. Network policies and, a CNI that supports network policies,
|
|
|
|
|
must be used to restrict communinications. A default NetworkPolicy should be configured
|
|
|
|
|
for each namespace to default deny all ingress traffic to the pods in the namespace.
|
|
|
|
|
Application teams can then configure additional NetworkPolicy resources to allow
|
|
|
|
|
desired traffic to application pods from select sources.
|
2019-10-09 18:52:48 -07:00
|
|
|
spec:
|
|
|
|
|
rules:
|
2019-10-10 11:08:20 -07:00
|
|
|
- name: "default-deny-ingress"
|
2019-10-09 18:52:48 -07:00
|
|
|
match:
|
|
|
|
|
resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Namespace
|
2019-10-09 23:46:18 -07:00
|
|
|
name: "*"
|
2019-10-09 18:52:48 -07:00
|
|
|
generate:
|
|
|
|
|
kind: NetworkPolicy
|
2019-10-10 11:08:20 -07:00
|
|
|
name: default-deny-ingress
|
2019-10-09 18:52:48 -07:00
|
|
|
data:
|
|
|
|
|
spec:
|
|
|
|
|
# select all pods in the namespace
|
|
|
|
|
podSelector: {}
|
|
|
|
|
policyTypes:
|
2019-10-14 10:47:54 -07:00
|
|
|
- Ingress
|
