mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-06 16:06:56 +00:00
Code Activity
kyverno/samples/AddDefaultNetworkPolicy.md
Yuvraj 2641120907
Generate policy does not work on namespace update (#1085) 
* added logic for handling generate request

* generate rules added

* added label condition for generate

* remove extra logs

* remove extra logs

* buf fixed

* bug fixed

* added logic for delete gr

* log fixed

* documentation changed

* remove best practices changes

* bug fix

* added best pratice
2020-08-31 11:25:13 -07:00

1.2 KiB
Raw Blame History

Default deny all ingress traffic

By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communinications.

A default NetworkPolicy should be configured for each namespace to default deny all ingress traffic to the pods in the namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application pods from select sources.

Policy YAML

add_network_policy.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
spec:
  rules:
  - name: default-deny-ingress
    match:
      resources: 
        kinds:
        - Namespace
        name: "*"
    exclude:
      namespaces:
        - "kube-system"
        - "default"
        - "kube-public"
        - "kyverno"
    generate: 
      kind: NetworkPolicy
      name: default-deny-ingress
      namespace: "{{request.object.metadata.name}}"
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          policyTypes: 
          - Ingress