mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-06 16:06:56 +00:00
2641120907
* added logic for handling generate request * generate rules added * added label condition for generate * remove extra logs * remove extra logs * buf fixed * bug fixed * added logic for delete gr * log fixed * documentation changed * remove best practices changes * bug fix * added best pratice
41 lines
No EOL
1.2 KiB
Markdown
41 lines
No EOL
1.2 KiB
Markdown
# Default deny all ingress traffic
|
|
|
|
By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communinications.
|
|
|
|
A default `NetworkPolicy` should be configured for each namespace to default deny all ingress traffic to the pods in the namespace. Application teams can then configure additional `NetworkPolicy` resources to allow desired traffic to application pods from select sources.
|
|
|
|
## Policy YAML
|
|
|
|
[add_network_policy.yaml](best_practices/add_network_policy.yaml)
|
|
|
|
````yaml
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: add-networkpolicy
|
|
spec:
|
|
rules:
|
|
- name: default-deny-ingress
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
name: "*"
|
|
exclude:
|
|
namespaces:
|
|
- "kube-system"
|
|
- "default"
|
|
- "kube-public"
|
|
- "kyverno"
|
|
generate:
|
|
kind: NetworkPolicy
|
|
name: default-deny-ingress
|
|
namespace: "{{request.object.metadata.name}}"
|
|
data:
|
|
spec:
|
|
# select all pods in the namespace
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
|
|
```` |