52 lines
1.8 KiB
YAML
52 lines
1.8 KiB
YAML
# ---
|
|
# apiVersion: kyverno.io/v1
|
|
# kind: ClusterPolicy
|
|
# metadata:
|
|
# name: add-networkpolicy
|
|
# labels:
|
|
# <<: {{ kubernetes_config.defaults.labels.deployment_labels | from_yaml }}
|
|
# annotations:
|
|
# ansible.kubernetes.io/path: {{ item }}
|
|
# policies.kyverno.io/title: Add Network Policy
|
|
# policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices
|
|
# policies.kyverno.io/subject: NetworkPolicy
|
|
# policies.kyverno.io/minversion: 1.6.0
|
|
# policies.kyverno.io/description: >-
|
|
# By default, Kubernetes allows communications across all Pods within a cluster.
|
|
# The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict
|
|
# communications. A default NetworkPolicy should be configured for each Namespace to
|
|
# default deny all ingress and egress traffic to the Pods in the Namespace. Application
|
|
# teams can then configure additional NetworkPolicy resources to allow desired traffic
|
|
# to application Pods from select sources. This policy will create a new NetworkPolicy resource
|
|
# named `default-deny` which will deny all traffic anytime a new Namespace is created.
|
|
# spec:
|
|
# rules:
|
|
# - name: default-deny
|
|
# match:
|
|
# any:
|
|
# - resources:
|
|
# kinds:
|
|
# - Namespace
|
|
# exclude:
|
|
# any:
|
|
# - resources:
|
|
# namespaces:
|
|
# - kube-metrics
|
|
# - kube-policy
|
|
# - kube-system
|
|
# - default
|
|
# generate:
|
|
# apiVersion: networking.k8s.io/v1
|
|
# kind: NetworkPolicy
|
|
# name: default-deny
|
|
# namespace: "{{'{{request.object.metadata.name}}'}}"
|
|
# synchronize: true
|
|
# data:
|
|
# spec:
|
|
# # select all pods in the namespace
|
|
# podSelector: {}
|
|
# # deny all traffic
|
|
# policyTypes:
|
|
# - Ingress
|
|
# - Egress
|