mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

update default network policy to deny all ingress traffic

This commit is contained in:
Shuting Zhao 2019-10-10 11:08:20 -07:00
parent 7fcc6bbd33
commit f1ed0720c4
3 changed files with 9 additions and 16 deletions


@ -45,8 +45,8 @@ To restrcit the priveleges it is recommend to run pod containers with `securityC
***Policy YAML***: [disallow_priviledged_priviligedescalation.yaml](best_practices/disallow_priviledged_priviligedescalation.yaml) ***Policy YAML***: [disallow_priviledged_priviligedescalation.yaml](best_practices/disallow_priviledged_priviligedescalation.yaml)
## Default network policy ## Default deny all ingress traffic
When no policies are defined, Kubernetes allows all communications. Kubernetes network policies specify the access permissions for groups of pods providing basic level of security. Policies can be used to make sure networking policies are configured as per requirements. When no policies exist in a namespace, Kubernetes allows all ingress and egress traffic to and from pods in that namespace. A "default" isolation policy for a namespace denys any ingress traffic to the pods in that namespace, this ensures that even pods that arent selected by any other NetworkPolicy will still be isolated.
***Policy YAML***: (TODO)[require_default_network_policy.yaml](best_practices/require_default_network_policy.yaml) ***Policy YAML***: (TODO)[require_default_network_policy.yaml](best_practices/require_default_network_policy.yaml)
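Review bot: the new right-hand paragraph still carries spelling errors ("denys" should be "denies", "arent" should be "aren't"), and the policy link keeps the "(TODO)" prefix and the name require_default_network_policy.yaml, which no longer describes what the rule does now that it generates a default deny-ingress NetworkPolicy. Suggest dropping the TODO marker and renaming the file and link to match the new heading (something like default_deny_ingress_networkpolicy.yaml), and fixing "restrcit the priveleges" in the unchanged context line while here. One wording point: the paragraph correctly says Kubernetes allows all ingress and egress when no policy exists, but the generated policy only isolates ingress, so state explicitly that egress remains unrestricted so readers do not assume the namespace is fully isolated.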


@ -1,10 +1,10 @@
apiVersion: kyverno.io/v1alpha1 apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy kind: ClusterPolicy
metadata: metadata:
name: defaultgeneratenetworkpolicy name: default-deny-ingress-networkpolicy
spec: spec:
rules: rules:
- name: "default-networkpolicy" - name: "default-deny-ingress"
match: match:
resources: resources:
kinds: kinds:
@ -12,17 +12,10 @@ spec:
name: "*" name: "*"
generate: generate:
kind: NetworkPolicy kind: NetworkPolicy
name: defaultnetworkpolicy name: default-deny-ingress
data: data:
spec: spec:
# select all pods in the namespace # select all pods in the namespace
podSelector: {} podSelector: {}
policyTypes: policyTypes:
- Ingress - Ingress
- Egress
# allow all ingress traffic from pods within this namespace
ingress:
- {}
# allow all egress traffic
egress:
- {}
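Review bot: with `policyTypes: - Ingress` and no `ingress:` entries, every pod selected by `podSelector: {}` is denied all ingress, including traffic from other pods in the same namespace, and because the rule matches namespaces by `name: "*"` this NetworkPolicy is generated into every namespace, system ones included; a deny-all-ingress policy on pods in kube-system (cluster DNS, for instance) can break the cluster. Suggest excluding system namespaces from the match and documenting that workloads need an explicit allow NetworkPolicy alongside this default. Also, since `- Egress` and the `egress: - {}` block were removed, egress is no longer governed by this policy at all; that matches the deny-ingress intent, but the remaining comment "select all pods in the namespace" should say so, e.g. "deny all ingress; egress is not restricted by this policy".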


@ -5,18 +5,18 @@ input:
expected: expected:
generation: generation:
generatedResources: generatedResources:
- name: defaultnetworkpolicy - name: default-deny-ingress
kind: NetworkPolicy kind: NetworkPolicy
namespace: devtest namespace: devtest
policyresponse: policyresponse:
policy: defaultgeneratenetworkpolicy policy: default-deny-ingress-networkpolicy
resource: resource:
kind: Namespace kind: Namespace
apiVersion: v1 apiVersion: v1
namespace: '' namespace: ''
name: devtest name: devtest
rules: rules:
- name: default-networkpolicy - name: default-deny-ingress
type: Generation type: Generation
success: true success: true
message: created resource NetworkPolicy/devtest/defaultnetworkpolicy message: created resource NetworkPolicy/devtest/default-deny-ingress
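Review bot: the expected block only checks that a NetworkPolicy named default-deny-ingress is generated in devtest (name, kind, namespace and the success message); it does not assert on the generated spec, so the previous allow-all spec would pass this test unchanged. If the harness supports comparing the generated object, add the expected `policyTypes: [Ingress]` with no ingress rules so a regression back to allow-all is caught.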