mirror of
https://github.com/kyverno/kyverno.git
synced 2024-12-14 11:57:48 +00:00
7562bea6db
Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
44 lines
1.3 KiB
YAML
44 lines
1.3 KiB
YAML
---
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
annotations:
|
|
policies.kyverno.io/category: Workload Management
|
|
policies.kyverno.io/description: By default, Kubernetes allows communications
|
|
across all pods within a cluster. Network policies and, a CNI that supports
|
|
network policies, must be used to restrict communinications. A default NetworkPolicy
|
|
should be configured for each namespace to default deny all ingress traffic
|
|
to the pods in the namespace. Application teams can then configure additional
|
|
NetworkPolicy resources to allow desired traffic to application pods from select
|
|
sources.
|
|
name: add-networkpolicy
|
|
spec:
|
|
admission: true
|
|
background: true
|
|
rules:
|
|
- exclude:
|
|
any:
|
|
- resources:
|
|
namespaces:
|
|
- kube-system
|
|
- default
|
|
- kube-public
|
|
- kyverno
|
|
generate:
|
|
data:
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
kind: NetworkPolicy
|
|
name: default-deny-ingress
|
|
namespace: '{{request.object.metadata.name}}'
|
|
synchronize: true
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Namespace
|
|
name: '*'
|
|
name: default-deny-ingress
|
|
validationFailureAction: Audit
|