update default network policy to deny all ingress traffic

samples/README.md

@@ -45,8 +45,8 @@ To restrcit the priveleges it is recommend to run pod containers with `securityC
 
 ***Policy YAML***: [disallow_priviledged_priviligedescalation.yaml](best_practices/disallow_priviledged_priviligedescalation.yaml)
 
-## Default network policy
-When no policies are defined, Kubernetes allows all communications. Kubernetes network policies specify the access permissions for groups of pods providing basic level of security. Policies can be used to make sure networking policies are configured as per requirements.
+## Default deny all ingress traffic
+When no policies exist in a namespace, Kubernetes allows all ingress and egress traffic to and from pods in that namespace. A "default" isolation policy for a namespace denys any ingress traffic to the pods in that namespace, this ensures that even pods that aren’t selected by any other NetworkPolicy will still be isolated.
 
 ***Policy YAML***: (TODO)[require_default_network_policy.yaml](best_practices/require_default_network_policy.yaml)
 

samples/best_practices/require_default_network_policy.yaml

@@ -1,10 +1,10 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: defaultgeneratenetworkpolicy
+  name: default-deny-ingress-networkpolicy
 spec:
   rules:
-  - name: "default-networkpolicy"
+  - name: "default-deny-ingress"
     match:
       resources: 
         kinds:
@@ -12,17 +12,10 @@ spec:
         name: "*"
     generate: 
       kind: NetworkPolicy
-      name: defaultnetworkpolicy
+      name: default-deny-ingress
       data:
         spec:
           # select all pods in the namespace
           podSelector: {}
           policyTypes: 
           - Ingress
-          - Egress
-          # allow all ingress traffic from pods within this namespace
-          ingress:
-          - {}
-          # allow all egress traffic
-          egress:
-          - {}

test/scenarios/test/scenario_generate_networkPolicy.yaml

@@ -5,18 +5,18 @@ input:
 expected:
   generation:
     generatedResources:
-      - name: defaultnetworkpolicy
+      - name: default-deny-ingress
         kind: NetworkPolicy
         namespace: devtest
     policyresponse:
-      policy: defaultgeneratenetworkpolicy
+      policy: default-deny-ingress-networkpolicy
       resource:
         kind: Namespace
         apiVersion: v1
         namespace: ''
         name: devtest
       rules:
-        - name: default-networkpolicy
+        - name: default-deny-ingress
           type: Generation
           success: true
-          message: created resource NetworkPolicy/devtest/defaultnetworkpolicy
+          message: created resource NetworkPolicy/devtest/default-deny-ingress