Generate NetworkPolicy to Existing Namespaces

A NetworkPolicy is often a critical piece when provisioning new Namespaces, but there may be existing Namespaces which also need the same resource. Creating each one individually or manipulating each Namespace in order to trigger creation is additional overhead. This policy creates a new NetworkPolicy for existing Namespaces which results in a default deny behavior and labels it with created-by=kyverno.

Policy Definition

/other/generate-networkpolicy-existing/generate-networkpolicy-existing.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-networkpolicy-existing
  annotations:
    policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace, NetworkPolicy
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      A NetworkPolicy is often a critical piece when provisioning new Namespaces,
      but there may be existing Namespaces which also need the same resource. Creating
      each one individually or manipulating each Namespace in order to trigger creation
      is additional overhead. This policy creates a new NetworkPolicy for existing
      Namespaces which results in a default deny behavior and labels it with created-by=kyverno.
spec:
  generateExisting: true
  rules:
  - name: generate-existing-networkpolicy
    match:
      any:
      - resources:
          kinds:
          - Namespace
    generate:
      kind: NetworkPolicy
      apiVersion: networking.k8s.io/v1
      name: default-deny
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      data:
        metadata:
          labels:
            created-by: kyverno
        spec:
          podSelector: {}
          policyTypes:
          - Egress
```
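After the policy has been applied, it is worth confirming that every existing Namespace actually received the generated resource. The following is an added example, not part of the Kyverno policy library: a small audit over `kubectl` JSON output that reports, per Namespace, whether a `default-deny` NetworkPolicy carrying the `created-by=kyverno` label exists, whether it selects all pods, and which traffic directions it denies. The sample Namespace names and the state strings (`missing`, `not-generated`, `scoped`, `deny:...`, `allows-traffic`) are assumptions of this example.

```python
import json

# Constructed sample input, shaped like the output of
# `kubectl get namespaces -o json` and `kubectl get networkpolicies -A -o json`.
NAMESPACES = json.loads("""{"items": [
  {"metadata": {"name": "payments"}},
  {"metadata": {"name": "legacy-app"}},
  {"metadata": {"name": "batch"}}
]}""")
NETPOLS = json.loads("""{"items": [
  {"metadata": {"name": "default-deny", "namespace": "payments",
                "labels": {"created-by": "kyverno"}},
   "spec": {"podSelector": {}, "policyTypes": ["Egress"]}},
  {"metadata": {"name": "default-deny", "namespace": "batch"},
   "spec": {"podSelector": {}, "policyTypes": ["Egress"]}}
]}""")


def classify(netpol):
    """Classify one NetworkPolicy named default-deny (None = not present)."""
    if netpol is None:
        return "missing"
    labels = netpol["metadata"].get("labels") or {}
    if labels.get("created-by") != "kyverno":
        return "not-generated"  # same name, but lacks the label the rule sets
    spec = netpol.get("spec") or {}
    selector = spec.get("podSelector") or {}
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return "scoped"  # does not select every pod in the namespace
    # A direction is denied when it is listed in policyTypes and has no rules.
    denied = [t for t in spec.get("policyTypes") or [] if not spec.get(t.lower())]
    return "deny:" + ",".join(denied) if denied else "allows-traffic"


def audit(namespaces, netpols, name="default-deny"):
    """Map every namespace name to the state of its generated policy."""
    found = {p["metadata"]["namespace"]: p
             for p in netpols["items"] if p["metadata"]["name"] == name}
    return {ns["metadata"]["name"]: classify(found.get(ns["metadata"]["name"]))
            for ns in namespaces["items"]}


if __name__ == "__main__":
    for ns_name, state in audit(NAMESPACES, NETPOLS).items():
        print(f"{ns_name:12} {state}")
```

With the policy as listed above, a correctly generated resource reports `deny:Egress`, because `policyTypes` contains only `Egress`; ingress traffic is not restricted by it.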