Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: kasten-generate-policy-by-preset-labelannotations:policies.kyverno.io/title: Generate Kasten Policy from Presetpolicies.kyverno.io/category: Veeam Kastenpolicies.kyverno.io/subject: Policykyverno.io/kyverno-version: 1.12.1policies.kyverno.io/minversion: 1.12.0kyverno.io/kubernetes-version: 1.24-1.30policies.kyverno.io/description: Generates a Kasten policy for a new namespace that includes a valid "dataprotection" label, if the policy does not already exist. Use with "kasten-validate-ns-by-preset-label" policy to require "dataprotection" labeling on new namespaces.spec:rules:- name: kasten-generate-policy-by-preset-labelmatch:any:- resources:kinds:- Namespaceselector:matchExpressions:- key: dataprotectionoperator: Invalues:- gold- silver- bronzecontext:- name: existingPolicyapiCall:urlPath: /apis/config.kio.kasten.io/v1alpha1/namespaces/kasten-io/policiesjmesPath: items[][[@.spec.presetRef][?name=='{{ request.object.metadata.labels.dataprotection }}'] && [@.spec.selector.matchExpressions[].values[?@=='{{ request.namespace }}']]][][][][] | length(@)preconditions:any:- key: "{{ existingPolicy }}"operator: Equalsvalue: 0generate:apiVersion: config.kio.kasten.io/v1alpha1kind: Policyname: "{{ request.namespace }}-{{ request.object.metadata.labels.dataprotection }}-backup"namespace: kasten-iodata:spec:comment: Auto-generated by Kyvernopaused: falseactions:- action: backuppresetRef:name: "{{ request.object.metadata.labels.dataprotection }}"namespace: kasten-ioselector:matchExpressions:- key: k10.kasten.io/appNamespaceoperator: Invalues:- "{{ request.namespace }}"
By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created.
By default, Kubernetes allows communication across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communication. A default NetworkPolicy should be configured for each Namespace to deny all egress traffic from the Pods while still allowing DNS resolution. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `allow-dns` when a new Namespace is created, which will deny all egress traffic while still allowing DNS queries to the kube-system Namespace.
Typically in multi-tenancy and other use cases, when a new Namespace is created, users and other principals must be given some permissions to create and interact with resources in the Namespace. Very commonly, Roles and RoleBindings are used to grant permissions at the Namespace level. This policy generates a RoleBinding called `<userName>-admin-binding` in the new Namespace which binds to the ClusterRole `admin` as long as a `cluster-admin` did not create the Namespace. Additionally, an annotation named `kyverno.io/user` is added to the RoleBinding recording the name of the user responsible for the Namespace's creation.