All Policies

Add Network Policy for DNS

By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.

Policy Definition

/best-practices/add-networkpolicy-dns/add-networkpolicy-dns.yaml

1apiVersion: kyverno.io/v1 2kind: ClusterPolicy 3metadata: 4 name: add-networkpolicy-dns 5 annotations: 6 policies.kyverno.io/title: Add Network Policy for DNS 7 policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices 8 policies.kyverno.io/subject: NetworkPolicy 9 kyverno.io/kyverno-version: 1.6.2 10 policies.kyverno.io/minversion: 1.6.0 11 kyverno.io/kubernetes-version: "1.23" 12 policies.kyverno.io/description: >- 13 By default, Kubernetes allows communications across all Pods within a cluster. 14 The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict 15 communications. A default NetworkPolicy should be configured for each Namespace to 16 default deny all ingress and egress traffic to the Pods in the Namespace. Application 17 teams can then configure additional NetworkPolicy resources to allow desired traffic 18 to application Pods from select sources. This policy will create a new NetworkPolicy resource 19 named `default-deny` which will deny all traffic anytime a new Namespace is created. 20spec: 21 rules: 22 - name: add-netpol-dns 23 match: 24 any: 25 - resources: 26 kinds: 27 - Namespace 28 generate: 29 apiVersion: networking.k8s.io/v1 30 kind: NetworkPolicy 31 name: allow-dns 32 namespace: "{{request.object.metadata.name}}" 33 synchronize: false 34 data: 35 spec: 36 podSelector: 37 matchLabels: {} 38 policyTypes: 39 - Egress 40 egress: 41 - to: 42 - namespaceSelector: 43 matchLabels: 44 name: kube-system 45 ports: 46 - protocol: UDP 47 port: 53
yaml