All Policies

Add Network Policy for DNS

By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.

Policy Definition

/best-practices/add-networkpolicy-dns/add-networkpolicy-dns.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: add-networkpolicy-dns
 5  annotations:
 6    policies.kyverno.io/title: Add Network Policy for DNS
 7    policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices
 8    policies.kyverno.io/subject: NetworkPolicy
 9    kyverno.io/kyverno-version: 1.6.2
10    policies.kyverno.io/minversion: 1.6.0
11    kyverno.io/kubernetes-version: "1.23"
12    policies.kyverno.io/description: >-
13      By default, Kubernetes allows communications across all Pods within a cluster.
14      The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict
15      communications. A default NetworkPolicy should be configured for each Namespace to
16      default deny all ingress and egress traffic to the Pods in the Namespace. Application
17      teams can then configure additional NetworkPolicy resources to allow desired traffic
18      to application Pods from select sources. This policy will create a new NetworkPolicy resource
19      named `default-deny` which will deny all traffic anytime a new Namespace is created.
20spec:
21  rules:
22  - name: add-netpol-dns
23    match:
24      any:
25      - resources: 
26          kinds:
27          - Namespace
28    generate:
29      apiVersion: networking.k8s.io/v1
30      kind: NetworkPolicy
31      name: allow-dns
32      namespace: "{{request.object.metadata.name}}"
33      synchronize: false
34      data:
35        spec:
36          podSelector:
37            matchLabels: {}
38          policyTypes:
39          - Egress
40          egress:
41          - to:
42            - namespaceSelector:
43                matchLabels:
44                  name: kube-system
45            ports:
46            - protocol: UDP
47              port: 53