Create Istio Deny AuthorizationPolicy
An AuthorizationPolicy enables access controls on workloads in the mesh. Policies are scoped per Namespace, and several policies in a Namespace combine: Istio evaluates DENY policies first, then ALLOW policies, and once any ALLOW policy applies to a workload a request is rejected unless some ALLOW rule matches it. An AuthorizationPolicy with an empty spec is an ALLOW policy with no rules, so it denies all traffic to every sidecar-injected workload in its Namespace. This policy generates such a default-deny AuthorizationPolicy, named default-deny, in every newly created Namespace; Namespaces that already exist when the policy is installed are not affected unless the policy is also applied to existing resources. Further AuthorizationPolicies should then be created to allow traffic more granularly as permitted; because the generated resource is kept in sync with the policy, allow rules belong in separate AuthorizationPolicies rather than in edits to default-deny. Since generate rules create resources in the cluster, use of this policy will likely require granting the Kyverno ServiceAccount additional RBAC privileges to create, update and delete AuthorizationPolicy resources in the security.istio.io API group.
Policy Definition
/istio/create-authorizationpolicy/create-authorizationpolicy.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: create-authorizationpolicy
  annotations:
    policies.kyverno.io/title: Create Istio Deny AuthorizationPolicy
    policies.kyverno.io/category: Istio
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.8.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: AuthorizationPolicy
    policies.kyverno.io/description: >-
      An AuthorizationPolicy enables access controls on workloads in the mesh. It supports per-Namespace controls
      which can be a union of different behaviors. This policy creates a default deny AuthorizationPolicy
      for all new Namespaces. Further AuthorizationPolicies should be created to more granularly allow
      traffic as permitted. Use of this policy will likely require granting the Kyverno ServiceAccount
      additional privileges required to generate AuthorizationPolicy resources.
spec:
  rules:
  - name: generate-deny-authorizationpolicy
    # Trigger on admission of any Namespace; the generate rule fires once per new Namespace.
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      apiVersion: security.istio.io/v1beta1
      kind: AuthorizationPolicy
      name: default-deny
      # Place the generated policy inside the Namespace that triggered the rule.
      namespace: "{{request.object.metadata.name}}"
      # Keep the generated resource in sync with this rule: manual edits are reverted
      # and the resource is recreated if deleted.
      synchronize: true
      data:
        # An empty spec is an ALLOW policy with no rules, which Istio treats as deny-all
        # for every sidecar-injected workload in the Namespace.
        spec: {}
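As an added example that is not part of the policy library page, the manifests below show the two pieces a practitioner needs around this ClusterPolicy: the RBAC that lets Kyverno create, update and delete AuthorizationPolicies, and a Namespace-scoped ALLOW policy that layers on top of the generated default-deny. The ServiceAccount name and namespace (`kyverno` in `kyverno`), the Namespace `team-a`, the workload label `app: api` and the ServiceAccount `frontend` are assumptions for illustration; adjust them to your install and workloads.

```yaml
# Added example: RBAC so Kyverno's generate controller can manage AuthorizationPolicies.
# The ServiceAccount name and namespace are assumptions matching a default install.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno-generate-authorizationpolicies
rules:
- apiGroups: ["security.istio.io"]
  resources: ["authorizationpolicies"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno-generate-authorizationpolicies
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kyverno-generate-authorizationpolicies
subjects:
- kind: ServiceAccount
  name: kyverno        # assumption: ServiceAccount that runs Kyverno's generate rules
  namespace: kyverno   # assumption: Kyverno install namespace
---
# Added example: an ALLOW policy created in a Namespace that already received the
# generated default-deny. The empty-spec policy applies to every workload in the
# Namespace, so this one opens only GET /v1/* on the "app: api" workload for the
# mTLS identity of the "frontend" ServiceAccount; all other traffic stays denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-frontend-to-api
  namespace: team-a    # assumption: a Namespace created after the ClusterPolicy was installed
spec:
  selector:
    matchLabels:
      app: api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/team-a/sa/frontend"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/v1/*"]
```

After creating the Namespace, `kubectl get authorizationpolicies -n team-a` should list both `default-deny` (generated by Kyverno) and `allow-frontend-to-api`. Two checks are worth doing: first, because `principals` are derived from the peer certificate, a plaintext request from a workload in PERMISSIVE mTLS mode carries no principal and is still denied, so confirm mTLS is in effect between the two workloads; second, if Kyverno reports a generate failure for the Namespace, the usual cause is the missing RBAC above, which shows up in the Kyverno controller logs and in the policy's status rather than as an admission error.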