Generate NetworkPolicy to Existing Namespaces

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: generate-networkpolicy-existing
 5  annotations:
 6    policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
 7    policies.kyverno.io/category: Other
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Namespace, NetworkPolicy
10    kyverno.io/kyverno-version: 1.7.0
11    policies.kyverno.io/minversion: 1.7.0
12    kyverno.io/kubernetes-version: "1.23"
13    policies.kyverno.io/description: >-
14      A NetworkPolicy is often a critical piece when provisioning new Namespaces,
15      but there may be existing Namespaces which also need the same resource. Creating
16      each one individually or manipulating each Namespace in order to trigger creation
17      is additional overhead. This policy creates a new NetworkPolicy for existing
18      Namespaces which results in a default deny behavior and labels it with created-by=kyverno.
19spec:
20  generateExisting: true
21  rules:
22  - name: generate-existing-networkpolicy
23    match:
24      any:
25      - resources:
26          kinds:
27          - Namespace
28    generate:
29      kind: NetworkPolicy
30      apiVersion: networking.k8s.io/v1
31      name: default-deny
32      namespace: "{{request.object.metadata.name}}"
33      synchronize: true
34      data:
35        metadata:
36          labels:
37            created-by: kyverno
38        spec:
39          podSelector: {}
40          policyTypes:
41          - Egress