chore: migrated from internal repo

!1 nofusscomputing/infrastructure/config!28
2023-10-27 21:47:03 +09:30
parent e45190fab4
commit 93b63308ef
30 changed files with 7326 additions and 0 deletions
--- a/template-manifests/ClusterPolicy-manifest-network_default_network_policy.yaml
+++ b/template-manifests/ClusterPolicy-manifest-network_default_network_policy.yaml
@ -0,0 +1,51 @@
+# ---
+# apiVersion: kyverno.io/v1
+# kind: ClusterPolicy
+# metadata:
+#   name: add-networkpolicy
+#   labels: 
+#     <<: {{ kubernetes_config.defaults.labels.deployment_labels | from_yaml }}
+#   annotations:
+#     ansible.kubernetes.io/path: {{ item }}
+#     policies.kyverno.io/title: Add Network Policy
+#     policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices
+#     policies.kyverno.io/subject: NetworkPolicy
+#     policies.kyverno.io/minversion: 1.6.0
+#     policies.kyverno.io/description: >-
+#       By default, Kubernetes allows communications across all Pods within a cluster.
+#       The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict
+#       communications. A default NetworkPolicy should be configured for each Namespace to
+#       default deny all ingress and egress traffic to the Pods in the Namespace. Application
+#       teams can then configure additional NetworkPolicy resources to allow desired traffic
+#       to application Pods from select sources. This policy will create a new NetworkPolicy resource
+#       named `default-deny` which will deny all traffic anytime a new Namespace is created.      
+# spec:
+#   rules:
+#   - name: default-deny
+#     match:
+#       any:
+#       - resources:
+#           kinds:
+#           - Namespace
+#     exclude:
+#       any:
+#       - resources:
+#           namespaces:
+#           - kube-metrics
+#           - kube-policy
+#           - kube-system
+#           - default
+#     generate:
+#       apiVersion: networking.k8s.io/v1
+#       kind: NetworkPolicy
+#       name: default-deny
+#       namespace: "{{'{{request.object.metadata.name}}'}}"
+#       synchronize: true
+#       data:
+#         spec:
+#           # select all pods in the namespace
+#           podSelector: {}
+#           # deny all traffic
+#           policyTypes:
+#           - Ingress
+#           - Egress