Generate NetworkPolicy to Existing Namespaces
A NetworkPolicy is often a critical piece when provisioning new Namespaces, but there may be existing Namespaces which also need the same resource. Creating each one individually or manipulating each Namespace in order to trigger creation is additional overhead. This policy creates a new NetworkPolicy for existing Namespaces which results in a default deny behavior and labels it with created-by=kyverno.
Policy Definition
/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-networkpolicy-existing
  annotations:
    policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace, NetworkPolicy
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      A NetworkPolicy is often a critical piece when provisioning new Namespaces,
      but there may be existing Namespaces which also need the same resource. Creating
      each one individually or manipulating each Namespace in order to trigger creation
      is additional overhead. This policy creates a new NetworkPolicy for existing
      Namespaces which results in a default deny behavior and labels it with created-by=kyverno.
spec:
  # Apply the generate rule to Namespaces that already exist, not only new ones.
  generateExisting: true
  rules:
  - name: generate-existing-networkpolicy
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      name: default-deny
      namespace: "{{request.object.metadata.name}}"
      # Keep the generated NetworkPolicy in sync with this definition.
      synchronize: true
      data:
        metadata:
          labels:
            created-by: kyverno
        spec:
          # An empty podSelector selects every Pod in the Namespace. Only Egress
          # is listed and no egress rules are given, so outbound traffic is denied.
          podSelector: {}
          policyTypes:
          - Egress
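One way to confirm the policy has taken effect on existing Namespaces is to audit the cluster for the generated `default-deny` object. The script below is an added example, not part of the Kyverno policy library; the `audit` function, its status names and the sample data are assumptions made for illustration, and the sample is constructed in the shape of `kubectl get namespaces,networkpolicies -A -o json` output.

```python
import json

# Constructed sample (not real cluster data), trimmed to the fields the check reads.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Namespace", "metadata": {"name": "payments"}},
  {"kind": "Namespace", "metadata": {"name": "legacy"}},
  {"kind": "Namespace", "metadata": {"name": "staging"}},
  {"kind": "NetworkPolicy",
   "metadata": {"name": "default-deny", "namespace": "payments",
                "labels": {"created-by": "kyverno"}},
   "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
  {"kind": "NetworkPolicy",
   "metadata": {"name": "default-deny", "namespace": "staging",
                "labels": {"created-by": "kyverno"}},
   "spec": {"podSelector": {}, "policyTypes": ["Egress"], "egress": [{}]}}
]}
""")


def audit(doc):
    """Map each Namespace to 'ok', 'missing' or 'drifted' (hypothetical status names)."""
    items = doc["items"]
    namespaces = [i["metadata"]["name"] for i in items if i["kind"] == "Namespace"]
    policies = {
        i["metadata"]["namespace"]: i
        for i in items
        if i["kind"] == "NetworkPolicy" and i["metadata"]["name"] == "default-deny"
    }
    report = {}
    for ns in namespaces:
        pol = policies.get(ns)
        if pol is None:
            report[ns] = "missing"  # the generate rule has not produced anything here
            continue
        spec = pol.get("spec", {})
        matches = (
            pol["metadata"].get("labels", {}).get("created-by") == "kyverno"
            and spec.get("podSelector") == {}        # must select every Pod
            and spec.get("policyTypes") == ["Egress"]
            and not spec.get("egress")               # any egress rule weakens the deny
        )
        report[ns] = "ok" if matches else "drifted"
    return report


if __name__ == "__main__":
    for ns, status in sorted(audit(SAMPLE).items()):
        print(f"{ns}\t{status}")
```

In the constructed sample, `staging` is reported as drifted because its `default-deny` object carries an empty egress rule, which allows all outbound traffic.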