mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 09:26:54 +00:00
c796bb765c
* fix: return policies with either audit or enforce rules from the cache Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * feat: introduce validationFailureAction under verifyImage rules Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * feat: add chainsaw tests Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * fix Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> --------- Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com>
40 lines
1.4 KiB
YAML
40 lines
1.4 KiB
YAML
---
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
annotations:
|
|
policies.kyverno.io/category: Multi-Tenancy
|
|
policies.kyverno.io/description: 'By default, Kubernetes allows communications
|
|
across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in
|
|
that supports NetworkPolicy must be used to restrict communications. A default
|
|
NetworkPolicy should be configured for each Namespace to default deny all ingress
|
|
and egress traffic to the Pods in the Namespace. Application teams can then
|
|
configure additional NetworkPolicy resources to allow desired traffic to application
|
|
Pods from select sources. This policy will create a new NetworkPolicy resource
|
|
named `default-deny` which will deny all traffic anytime a new Namespace is
|
|
created. '
|
|
policies.kyverno.io/subject: NetworkPolicy
|
|
policies.kyverno.io/title: Add Network Policy
|
|
name: add-networkpolicy
|
|
spec:
|
|
admission: true
|
|
background: true
|
|
rules:
|
|
- generate:
|
|
apiVersion: networking.k8s.io/v1
|
|
data:
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
kind: NetworkPolicy
|
|
name: default-deny
|
|
namespace: '{{request.object.metadata.name}}'
|
|
synchronize: true
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Namespace
|
|
name: default-deny
|