apiVersion: kyverno.io/v1alpha1
kind: ClusterPolicy
metadata:
  name: default-deny-ingress-networkpolicy
  annotations:
    policies.kyverno.io/category: NetworkPolicy
    policies.kyverno.io/description: >-
      By default, Kubernetes allows all ingress and egress traffic to and from
      pods within a cluster. A "default" NetworkPolicy resource for a namespace
      should be used to deny all ingress traffic to the pods in that namespace.
      Additional NetworkPolicy resources can then be configured to allow desired
      traffic to application pods.
spec:
  rules:
  - name: "default-deny-ingress"
    match:
      resources:
        kinds:
        - Namespace
        name: "*"
    generate:
      kind: NetworkPolicy
      name: default-deny-ingress
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          policyTypes:
          - Ingress