From f4cc5d30fc602e316717969e5f34b6b5f9d1f5db Mon Sep 17 00:00:00 2001
From: Shuting Zhao <shutting06@gmail.com>
Date: Wed, 4 Mar 2020 17:37:51 -0800
Subject: [PATCH] Add rules to disallow default namespace for pod controllers.

---
 .../disallow_default_namespace.yaml           | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/samples/best_practices/disallow_default_namespace.yaml b/samples/best_practices/disallow_default_namespace.yaml
index 64b1fe8844..477a9659b8 100644
--- a/samples/best_practices/disallow_default_namespace.yaml
+++ b/samples/best_practices/disallow_default_namespace.yaml
@@ -3,6 +3,7 @@ kind: ClusterPolicy
 metadata:
   name: disallow-default-namespace
   annotations:
+    pod-policies.kyverno.io/autogen-controllers: none	
     policies.kyverno.io/category: Workload Isolation
     policies.kyverno.io/description: Kubernetes namespaces are an optional feature 
       that provide a way to segment and isolate cluster resources across multiple 
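Review bot: The added annotation line carries a trailing tab after `none`; YAML plain-scalar parsing drops it, but it is a yamllint `trailing-spaces` violation and a tab in a Kubernetes manifest invites copy-paste mis-indentation, so the line should be `    pod-policies.kyverno.io/autogen-controllers: none` with the tab removed. Setting autogen to `none` also means Kyverno will no longer derive controller-level rules from the Pod rule, so coverage of Deployments, DaemonSets and the like now depends entirely on the kinds enumerated by hand in the rules below; any controller kind not listed there (presumably CronJob, ReplicaSet or ReplicationController, if autogen would otherwise have covered them) silently falls outside the policy. Since that trade-off is not obvious from the annotation alone, a comment above it such as `# autogen disabled: controller kinds are matched explicitly in the rules below` would tell the next maintainer why the manual rules exist and that the kind list must be kept in sync.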
@@ -31,4 +32,30 @@ spec:
       pattern:
         metadata:
           namespace: "?*"
+  - name: validate-podcontroller-namespace
+    match:
+      resources:
+        kinds:
+        - DaemonSet
+        - Deployment
+        - Job
+        - StatefulSet
+    validate:
+      message: "Using 'default' namespace is not allowed for podcontrollers"
+      pattern:
+        metadata:
+          namespace: "!default"
+  - name: require-podcontroller-namespace
+    match:
+      resources:
+        kinds:
+        - DaemonSet
+        - Deployment
+        - Job
+        - StatefulSet
+    validate:
+      message: "A namespace is required for podcontrollers"
+      pattern:
+        metadata:
+          namespace: "?*"