All Policies
Add Network Policy
By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.
Policy Definition
/best-practices/add_network_policy.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: add-networkpolicy
5 annotations:
6 policies.kyverno.io/title: Add Network Policy
7 policies.kyverno.io/category: Multi-Tenancy
8 policies.kyverno.io/subject: NetworkPolicy
9 policies.kyverno.io/description: >-
10 By default, Kubernetes allows communications across all Pods within a cluster.
11 The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict
12 communications. A default NetworkPolicy should be configured for each Namespace to
13 default deny all ingress and egress traffic to the Pods in the Namespace. Application
14 teams can then configure additional NetworkPolicy resources to allow desired traffic
15 to application Pods from select sources. This policy will create a new NetworkPolicy resource
16 named `default-deny` which will deny all traffic anytime a new Namespace is created.
17spec:
18 validationFailureAction: audit
19 rules:
20 - name: default-deny
21 match:
22 resources:
23 kinds:
24 - Namespace
25 generate:
26 kind: NetworkPolicy
27 name: default-deny
28 namespace: "{{request.object.metadata.name}}"
29 synchronize: true
30 data:
31 spec:
32 # select all pods in the namespace
33 podSelector: {}
34 # deny all traffic
35 policyTypes:
36 - Ingress
37 - Egress