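# Kyverno ClusterPolicy "add-networkpolicy", kept fully commented out (disabled).
# The body is an Ansible/Jinja2 template: `{{ ... }}` expressions are rendered
# before the YAML parser sees the text. Restored here one line per key so it can
# be re-enabled by dropping the leading "# " on each line.
#
# What it does once enabled: every newly created Namespace (except the excluded
# ones) gets a NetworkPolicy named `default-deny` that selects all Pods and
# declares both Ingress and Egress policyTypes with no allow rules, i.e. a
# deny-all baseline. It is only enforced by a CNI that implements NetworkPolicy.
#
# NOTE(review): `generate` rules fire on Namespace creation; Namespaces that
# already exist when the policy is applied are not covered unless the Kyverno
# release in use supports and enables generating for existing resources
# (`generateExisting` on newer releases) -- confirm against the deployed version.
# NOTE(review): excluding `default` leaves workloads deployed there without the
# deny-all baseline -- confirm that is intended.
#
# ---
# apiVersion: kyverno.io/v1
# kind: ClusterPolicy
# metadata:
#   name: add-networkpolicy
#   labels:
#     # Merge key (`<<`) is a YAML 1.1 extension; the rendered Jinja value must
#     # be a flow mapping that the consuming parser can merge here. Left
#     # unquoted on purpose: quoting would turn the mapping into a string.
#     <<: {{ kubernetes_config.defaults.labels.deployment_labels | from_yaml }}
#   annotations:
#     # Quoted so a rendered path containing ": " or " #" cannot break parsing.
#     ansible.kubernetes.io/path: "{{ item }}"
#     policies.kyverno.io/title: Add Network Policy
#     policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices
#     policies.kyverno.io/subject: NetworkPolicy
#     policies.kyverno.io/minversion: 1.6.0
#     policies.kyverno.io/description: >-
#       By default, Kubernetes allows communications across all Pods within a cluster.
#       The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict
#       communications. A default NetworkPolicy should be configured for each Namespace to
#       default deny all ingress and egress traffic to the Pods in the Namespace. Application
#       teams can then configure additional NetworkPolicy resources to allow desired traffic
#       to application Pods from select sources. This policy will create a new NetworkPolicy resource
#       named `default-deny` which will deny all traffic anytime a new Namespace is created.
# spec:
#   rules:
#     - name: default-deny
#       match:
#         any:
#           - resources:
#               kinds:
#                 - Namespace
#       # Namespaces listed here never receive the generated default-deny policy.
#       exclude:
#         any:
#           - resources:
#               namespaces:
#                 - kube-metrics
#                 - kube-policy
#                 - kube-system
#                 - default
#       generate:
#         apiVersion: networking.k8s.io/v1
#         kind: NetworkPolicy
#         name: default-deny
#         # Outer quotes + inner single quotes: Jinja emits the literal
#         # {{request.object.metadata.name}} for Kyverno to resolve at runtime.
#         namespace: "{{'{{request.object.metadata.name}}'}}"
#         # Kyverno keeps the generated resource in sync with this definition,
#         # so a deleted or edited default-deny policy is restored.
#         synchronize: true
#         data:
#           spec:
#             # select all pods in the namespace
#             podSelector: {}
#             # deny all traffic: both policyTypes declared, no ingress/egress rules
#             policyTypes:
#               - Ingress
#               - Egress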