All Policies
Add Network Policy for DNS
By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.
Policy Definition
/best-practices/add-networkpolicy-dns/add-networkpolicy-dns.yaml
1apiVersion: kyverno.io/v1
2kind: ClusterPolicy
3metadata:
4 name: add-networkpolicy-dns
5 annotations:
6 policies.kyverno.io/title: Add Network Policy for DNS
7 policies.kyverno.io/category: Multi-Tenancy, EKS Best Practices
8 policies.kyverno.io/subject: NetworkPolicy
9 kyverno.io/kyverno-version: 1.6.2
10 policies.kyverno.io/minversion: 1.6.0
11 kyverno.io/kubernetes-version: "1.23"
12 policies.kyverno.io/description: >-
13 By default, Kubernetes allows communications across all Pods within a cluster.
14 The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict
15 communications. A default NetworkPolicy should be configured for each Namespace to
16 default deny all ingress and egress traffic to the Pods in the Namespace. Application
17 teams can then configure additional NetworkPolicy resources to allow desired traffic
18 to application Pods from select sources. This policy will create a new NetworkPolicy resource
19 named `default-deny` which will deny all traffic anytime a new Namespace is created.
20spec:
21 rules:
22 - name: add-netpol-dns
23 match:
24 any:
25 - resources:
26 kinds:
27 - Namespace
28 generate:
29 apiVersion: networking.k8s.io/v1
30 kind: NetworkPolicy
31 name: allow-dns
32 namespace: "{{request.object.metadata.name}}"
33 synchronize: false
34 data:
35 spec:
36 podSelector:
37 matchLabels: {}
38 policyTypes:
39 - Egress
40 egress:
41 - to:
42 - namespaceSelector:
43 matchLabels:
44 name: kube-system
45 ports:
46 - protocol: UDP
47 port: 53