From 5e8b6c418328ef2de15c29b0a13e6f5732ddf0e8 Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Sun, 10 Nov 2019 21:27:50 -0800
Subject: [PATCH] update add_networkPolicy

---
 pkg/testrunner/testrunner_test.go | 4 ++--
 ...tDenyAllIngress.md => AddDefaultNetworkPolicy.md} | 6 +++---
 samples/README.md | 2 +-
 ...t_network_policy.yaml => add_network_policy.yaml} | 12 +++++++-----
 ...ate_networkPolicy.yaml => add_networkPolicy.yaml} | 4 ++--
 5 files changed, 15 insertions(+), 13 deletions(-)
 rename samples/{DefaultDenyAllIngress.md => AddDefaultNetworkPolicy.md} (54%)
 rename samples/best_practices/{require_default_network_policy.yaml => add_network_policy.yaml} (52%)
 rename test/scenarios/samples/best_practices/{scenario_generate_networkPolicy.yaml => add_networkPolicy.yaml} (82%)

diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index a6fe4bbd86..d1f968eb39 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -22,8 +22,8 @@ func Test_validate_healthChecks(t *testing.T) {
 	testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml")
 }
 
-func Test_generate_networkPolicy(t *testing.T) {
-	testScenario(t, "/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml")
+func Test_add_networkPolicy(t *testing.T) {
+	testScenario(t, "/test/scenarios/samples/best_practices/add_networkPolicy.yaml")
 }
 
 // namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver
diff --git a/samples/DefaultDenyAllIngress.md b/samples/AddDefaultNetworkPolicy.md
similarity index 54%
rename from samples/DefaultDenyAllIngress.md
rename to samples/AddDefaultNetworkPolicy.md
index 6620530e03..66981cd627 100644
--- a/samples/DefaultDenyAllIngress.md
+++ b/samples/AddDefaultNetworkPolicy.md
@@ -1,8 +1,8 @@
 # Default deny all ingress traffic
 
-By default, Kubernetes allows all ingress and egress traffic to and from pods within a cluster.
+By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communinications.
 
-A "default" `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in that namespace. Later, the application team can configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources.
+A default `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in the namespace. Application teams can then configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources.
 
 ## Policy YAML
 
@@ -12,7 +12,7 @@ A "default" `NetworkPolicy` should be configured for each namespace to default d
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: default-deny-ingress-networkpolicy
+  name: add-networkpolicy
 spec:
   rules:
   - name: "default-deny-ingress"
diff --git a/samples/README.md b/samples/README.md
index 998af156ab..23ae283981 100644
--- a/samples/README.md
+++ b/samples/README.md
@@ -50,7 +50,7 @@ These policies are highly recommended.
 12. [Restrict image registries](RestrictImageRegistries.md)
 13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
+15. [Add default network policy](DefaultDenyAllIngress.md)
 16. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
 17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)
diff --git a/samples/best_practices/require_default_network_policy.yaml b/samples/best_practices/add_network_policy.yaml
similarity index 52%
rename from samples/best_practices/require_default_network_policy.yaml
rename to samples/best_practices/add_network_policy.yaml
index 11886de3f5..d349b5b2bb 100644
--- a/samples/best_practices/require_default_network_policy.yaml
+++ b/samples/best_practices/add_network_policy.yaml
@@ -1,13 +1,15 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: default-deny-ingress-networkpolicy
+  name: add-networkpolicy
   annotations:
     policies.kyverno.io/category: NetworkPolicy
-    policies.kyverno.io/description: By default, Kubernetes allows all ingress and egress traffic
-    to and from pods within a cluster. A "default" NetworkPolicy resource for a namespace should
-    be used to deny all ingress traffic to the pods in that namespace. Additional NetworkPolicy
-    resources can then be configured to allow desired traffic to application pods.
+    policies.kyverno.io/description: By default, Kubernetes allows communications across
+    all pods within a cluster. Network policies and, a CNI that supports network policies,
+    must be used to restrict communinications. A default NetworkPolicy should be configured
+    for each namespace to default deny all ingress traffic to the pods in the namespace.
+    Application teams can then configure additional NetworkPolicy resources to allow
+    desired traffic to application pods from select sources.
 spec:
   rules:
   - name: "default-deny-ingress"
diff --git a/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml b/test/scenarios/samples/best_practices/add_networkPolicy.yaml
similarity index 82%
rename from test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml
rename to test/scenarios/samples/best_practices/add_networkPolicy.yaml
index 37e7910092..f5a8942c15 100644
--- a/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml
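Review bot: The new `policies.kyverno.io/description` value carries a typo on the `+    must be used to restrict communinications.` line, and the comma on the preceding line is misplaced (`Network policies and, a CNI that supports network policies,`); this annotation is user-facing text that shows up in policy reports and `kubectl describe`, so it is worth getting right. Suggest `Network policies, and a CNI that enforces them, must be used to restrict communications.` Since the description now explains the threat model, it could also state the limit of what this policy gives you: the generated rule is `default-deny-ingress` only, so egress from pods in the namespace stays open unless a separate egress policy is added — readers who take "restrict communications" at face value may assume otherwise. The rule body under `- name: "default-deny-ingress"` continues outside the hunk, so the generated NetworkPolicy's spec itself is not visible here.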
+++ b/test/scenarios/samples/best_practices/add_networkPolicy.yaml
@@ -1,6 +1,6 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/require_default_network_policy.yaml
+  policy: samples/best_practices/add_network_policy.yaml
   resource: test/resources/require_default_network_policy.yaml
 expected:
   generation:
@@ -9,7 +9,7 @@ expected:
     kind: NetworkPolicy
     namespace: devtest
   policyresponse:
-    policy: default-deny-ingress-networkpolicy
+    policy: add-networkpolicy
     resource:
       kind: Namespace
       apiVersion: v1