
update add_networkPolicy

This commit is contained in:
Jim Bugwadia 2019-11-10 21:27:50 -08:00
parent 244909ebb3
commit 5e8b6c4183
5 changed files with 15 additions and 13 deletions


@ -22,8 +22,8 @@ func Test_validate_healthChecks(t *testing.T) {
testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml") testScenario(t, "/test/scenarios/other/scenario_validate_healthChecks.yaml")
} }
func Test_generate_networkPolicy(t *testing.T) { func Test_add_networkPolicy(t *testing.T) {
testScenario(t, "/test/scenarios/samples/best_practices/scenario_generate_networkPolicy.yaml") testScenario(t, "/test/scenarios/samples/best_practices/add_networkPolicy.yaml")
} }
// namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver // namespace is blank, not "default" as testrunner evaulates the policyengine, but the "default" is added by kubeapiserver


@ -1,8 +1,8 @@
# Default deny all ingress traffic # Default deny all ingress traffic
By default, Kubernetes allows all ingress and egress traffic to and from pods within a cluster. By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communinications.
A "default" `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in that namespace. Later, the application team can configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources. A default `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in the namespace. Application teams can then configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources.
## Policy YAML ## Policy YAML
@ -12,7 +12,7 @@ A "default" `NetworkPolicy` should be configured for each namespace to default d
apiVersion: kyverno.io/v1alpha1 apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: default-deny-ingress-networkpolicy name: add-networkpolicy
spec: spec:
rules: rules:
- name: "default-deny-ingress" - name: "default-deny-ingress"


@ -50,7 +50,7 @@ These policies are highly recommended.
12. [Restrict image registries](RestrictImageRegistries.md) 12. [Restrict image registries](RestrictImageRegistries.md)
13. [Require pod resource requests and limits](RequirePodRequestsLimits.md) 13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md) 14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
15. [Default deny all ingress traffic](DefaultDenyAllIngress.md) 15. [Add default network policy](DefaultDenyAllIngress.md)
16. [Add namespace resource quotas](AddNamespaceResourceQuota.md) 16. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md) 17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)


@ -1,13 +1,15 @@
apiVersion: kyverno.io/v1alpha1 apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: default-deny-ingress-networkpolicy name: add-networkpolicy
annotations: annotations:
policies.kyverno.io/category: NetworkPolicy policies.kyverno.io/category: NetworkPolicy
policies.kyverno.io/description: By default, Kubernetes allows all ingress and egress traffic policies.kyverno.io/description: By default, Kubernetes allows communications across
to and from pods within a cluster. A "default" NetworkPolicy resource for a namespace should all pods within a cluster. Network policies and, a CNI that supports network policies,
be used to deny all ingress traffic to the pods in that namespace. Additional NetworkPolicy must be used to restrict communinications. A default NetworkPolicy should be configured
resources can then be configured to allow desired traffic to application pods. for each namespace to default deny all ingress traffic to the pods in the namespace.
Application teams can then configure additional NetworkPolicy resources to allow
desired traffic to application pods from select sources.
spec: spec:
rules: rules:
- name: "default-deny-ingress" - name: "default-deny-ingress"
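Review bot: The new `policies.kyverno.io/description` text misspells "communications" as "communinications" and misplaces the commas in "Network policies and, a CNI that supports network policies, must be used", which reads as if "a CNI" were a parenthetical of "and". Suggested wording for that sentence: `Network policies, and a CNI that supports network policies, must be used to restrict communications.` The same sentence, with the same typo and comma placement, is introduced in the first paragraph of the markdown section earlier in this commit (the "Default deny all ingress traffic" doc), so both should be corrected together. The annotation is a multi-line plain scalar, so the fix is a text-only change with no YAML structure impact.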


@ -1,6 +1,6 @@
# file path relative to project root # file path relative to project root
input: input:
policy: samples/best_practices/require_default_network_policy.yaml policy: samples/best_practices/add_network_policy.yaml
resource: test/resources/require_default_network_policy.yaml resource: test/resources/require_default_network_policy.yaml
expected: expected:
generation: generation:
@ -9,7 +9,7 @@ expected:
kind: NetworkPolicy kind: NetworkPolicy
namespace: devtest namespace: devtest
policyresponse: policyresponse:
policy: default-deny-ingress-networkpolicy policy: add-networkpolicy
resource: resource:
kind: Namespace kind: Namespace
apiVersion: v1 apiVersion: v1