Add Linkerd Policy Annotation
Linkerd will, by default, allow all incoming traffic to Pods in the mesh including that from outside the cluster network. In many cases, this default needs to be changed to deny all traffic so it may be selectively opened using Linkerd policy objects. This policy sets the annotation `config.linkerd.io/default-inbound-policy` to `deny`, if not present, for new Namespaces. It can be customized with exclusions to more tightly control its application.
Policy Definition
/linkerd/add-linkerd-policy-annotation/add-linkerd-policy-annotation.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-linkerd-policy-annotation
  annotations:
    policies.kyverno.io/title: Add Linkerd Policy Annotation
    policies.kyverno.io/category: Linkerd
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace,Annotation
    policies.kyverno.io/description: >-
      Linkerd will, by default, allow all incoming traffic to Pods in the mesh
      including that from outside the cluster network. In many cases, this default
      needs to be changed to deny all traffic so it may be selectively
      opened using Linkerd policy objects. This policy sets the annotation
      `config.linkerd.io/default-inbound-policy` to `deny`, if not present, for new Namespaces.
      It can be customized with exclusions to more tightly control its application.
spec:
  rules:
    - name: deny-inbound-namespace
      match:
        any:
          - resources:
              kinds:
                - Namespace
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              +(config.linkerd.io/default-inbound-policy): deny
```
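
The description says the policy can be customized with exclusions. The following is an added example, not part of the policy library entry: the same rule with an `exclude` block. The policy name, the excluded Namespace names and the opt-out label are assumptions to adapt to your cluster.

```yaml
# Added example: same mutation as above, scoped with exclusions.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-linkerd-policy-annotation-scoped   # hypothetical name
spec:
  rules:
    - name: deny-inbound-namespace
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          # Skip Namespaces by name (wildcards allowed). Names are assumptions.
          - resources:
              kinds:
                - Namespace
              names:
                - kube-system
                - linkerd
                - "monitoring-*"
          # Skip Namespaces carrying an explicit opt-out label (hypothetical label).
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  example.com/linkerd-inbound-optout: "true"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # +( ) is the add-if-not-present anchor: the value is written only
              # when the key is absent, so a Namespace created with, for example,
              # config.linkerd.io/default-inbound-policy: all-authenticated
              # keeps its own setting.
              +(config.linkerd.io/default-inbound-policy): deny
# Expected outcome for newly created Namespaces (constructed cases):
#   "payments" with no annotation        -> annotation added with value deny
#   "legacy" with all-authenticated set  -> unchanged (anchor does not overwrite)
#   "monitoring-prod"                    -> unchanged (excluded by name)
```

Because the anchor never overwrites an existing value, a Namespace author can still set a permissive default explicitly; pair this mutation with a validate rule if only specific values should be accepted.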