# --- # apiVersion: kyverno.io/v1 # kind: ClusterPolicy # metadata: # name: add-networkpolicy-dns # labels: # <<: {{ kubernetes_config.defaults.labels.deployment_labels | from_yaml }} # annotations: # ansible.kubernetes.io/path: {{ item }} # policies.kyverno.io/title: Add Network Policy for DNS # policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices # policies.kyverno.io/subject: NetworkPolicy # kyverno.io/kyverno-version: 1.6.2 # policies.kyverno.io/minversion: 1.6.0 # kyverno.io/kubernetes-version: "1.23" # policies.kyverno.io/description: >- # By default, Kubernetes allows communications across all Pods within a cluster. # The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict # communications. A default NetworkPolicy should be configured for each Namespace to # default deny all ingress and egress traffic to the Pods in the Namespace. Application # teams can then configure additional NetworkPolicy resources to allow desired traffic # to application Pods from select sources. This policy will create a new NetworkPolicy resource # named `default-deny` which will deny all traffic anytime a new Namespace is created. # spec: # generateExistingOnPolicyUpdate: true # rules: # - name: add-netpol-dns # match: # any: # - resources: # kinds: # - Namespace # exclude: # any: # - resources: # namespaces: # - kube-metrics # - kube-policy # - kube-system # - default # generate: # apiVersion: networking.k8s.io/v1 # kind: NetworkPolicy # name: allow-dns # namespace: "{{'{{request.object.metadata.name}}'}}" # synchronize: true # data: # spec: # podSelector: # matchLabels: {} # policyTypes: # - Egress # egress: # - to: # - namespaceSelector: # matchLabels: # name: kube-system # ports: # - protocol: UDP # port: 53