1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2024-12-14 11:57:48 +00:00
kyverno/test/best_practices/add_network_policy.yaml
Charles-Edouard Brétéché 7562bea6db
chore: apply policy fixes (#8427)
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2023-09-17 22:24:26 +00:00

44 lines
1.3 KiB
YAML

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Workload Management
policies.kyverno.io/description: By default, Kubernetes allows communications
across all pods within a cluster. Network policies and, a CNI that supports
network policies, must be used to restrict communinications. A default NetworkPolicy
should be configured for each namespace to default deny all ingress traffic
to the pods in the namespace. Application teams can then configure additional
NetworkPolicy resources to allow desired traffic to application pods from select
sources.
name: add-networkpolicy
spec:
admission: true
background: true
rules:
- exclude:
any:
- resources:
namespaces:
- kube-system
- default
- kube-public
- kyverno
generate:
data:
spec:
podSelector: {}
policyTypes:
- Ingress
kind: NetworkPolicy
name: default-deny-ingress
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
name: '*'
name: default-deny-ingress
validationFailureAction: Audit