Add Network Policy

By default, Kubernetes allows communications across all pods within a cluster. Network policies and, a CNI that supports network policies, must be used to restrict communications. A default NetworkPolicy should be configured for each namespace to default deny all ingress and egress traffic to the pods in the namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application pods from select sources.

Policy Definition

/best-practices/add_network_policy.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy
  annotations:
    policies.kyverno.io/title: Add Network Policy
    policies.kyverno.io/category: Multi-Tenancy
    policies.kyverno.io/description: >-
      By default, Kubernetes allows communications across all pods within a cluster. 
      Network policies and, a CNI that supports network policies, must be used to restrict 
      communications. A default NetworkPolicy should be configured for each namespace to 
      default deny all ingress and egress traffic to the pods in the namespace. Application 
      teams can then configure additional NetworkPolicy resources to allow desired traffic 
      to application pods from select sources.
spec:
  validationFailureAction: audit
  rules:
  - name: default-deny
    match:
      resources: 
        kinds:
        - Namespace
    generate:
      kind: NetworkPolicy
      name: default-deny
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          # deny all traffic
          policyTypes: 
          - Ingress
          - Egress
Last modified January 2, 2021: fix title & sort and regen policies (fa7e171)