update add_networkPolicy

2024-12-14 11:57:48 +00:00 · 2019-11-10 21:27:50 -08:00 · 2019-11-10 21:27:50 -08:00 · 5e8b6c4183
commit 5e8b6c4183
parent 244909ebb3
5 changed files with 15 additions and 13 deletions
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -22,8 +22,8 @@ func Test_validate_healthChecks(t *testing.T) {
 	testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml")
 }

-func Test_generate_networkPolicy(t *testing.T) {
-	testScenario(t, "/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml")
+func Test_add_networkPolicy(t *testing.T) {
+	testScenario(t, "/test/scenarios/samples/best_practices/add_networkPolicy.yaml")
 }

 // namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
--- a/samples/AddDefaultNetworkPolicy.md
+++ b/samples/AddDefaultNetworkPolicy.md
@ -1,8 +1,8 @@
 # Default deny all ingress traffic

-By default, Kubernetes allows all ingress and egress traffic to and from pods within a cluster. 
+By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communinications. 

-A "default" `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in that namespace. Later, the application team can configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources.
+A default `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in the namespace. Application teams can then configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources.

 ## Policy YAML 

@ -12,7 +12,7 @@ A "default" `NetworkPolicy` should be configured for each namespace to default d
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: default-deny-ingress-networkpolicy
+  name: add-networkpolicy
 spec:
  rules:
  - name: "default-deny-ingress"
--- a/samples/README.md
+++ b/samples/README.md
@ -50,7 +50,7 @@ These policies are highly recommended.
 12. [Restrict image registries](RestrictImageRegistries.md)
 13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
+15. [Add default network policy](DefaultDenyAllIngress.md)
 16. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
 17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)

--- a/samples/best_practices/require_default_network_policy.yaml
+++ b/samples/best_practices/require_default_network_policy.yaml
@ -1,13 +1,15 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: default-deny-ingress-networkpolicy
+  name: add-networkpolicy
  annotations:
    policies.kyverno.io/category: NetworkPolicy
-    policies.kyverno.io/description: By default, Kubernetes allows all ingress and egress traffic 
-      to and from pods within a cluster. A "default" NetworkPolicy resource for a namespace should 
-      be used to deny all ingress traffic to the pods in that namespace. Additional NetworkPolicy 
-      resources can then be configured to allow desired traffic to application pods.
+    policies.kyverno.io/description: By default, Kubernetes allows communications across 
+      all pods within a cluster. Network policies and, a CNI that supports network policies, 
+      must be used to restrict communinications. A default NetworkPolicy should be configured 
+      for each namespace to default deny all ingress traffic to the pods in the namespace. 
+      Application teams can then configure additional NetworkPolicy resources to allow 
+      desired traffic to application pods from select sources.
 spec:
  rules:
  - name: "default-deny-ingress"
--- a/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml
+++ b/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml
@ -1,6 +1,6 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/require_default_network_policy.yaml
+  policy: samples/best_practices/add_network_policy.yaml
  resource: test/resources/require_default_network_policy.yaml
 expected:
  generation:
@ -9,7 +9,7 @@ expected:
        kind: NetworkPolicy
        namespace: devtest
    policyresponse:
-      policy: default-deny-ingress-networkpolicy
+      policy: add-networkpolicy
      resource:
        kind: Namespace
        apiVersion: v1