NetworkPolicy is used to control Pod-to-Pod communication and is a good practice to ensure only authorized Pods can send/receive traffic. This policy checks incoming Deployments to ensure they have a matching, preexisting NetworkPolicy.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: require-network-policyannotations:policies.kyverno.io/title: Require NetworkPolicypolicies.kyverno.io/category: Samplepolicies.kyverno.io/minversion: 1.6.0kyverno.io/kyverno-version: 1.6.2kyverno.io/kubernetes-version: "1.23"policies.kyverno.io/subject: Deployment, NetworkPolicypolicies.kyverno.io/description: NetworkPolicy is used to control Pod-to-Pod communication and is a good practice to ensure only authorized Pods can send/receive traffic. This policy checks incoming Deployments to ensure they have a matching, preexisting NetworkPolicy.spec:validationFailureAction: Auditbackground: falserules:- name: require-network-policymatch:any:- resources:kinds:- Deploymentpreconditions:any:- key: "{{request.operation || 'BACKGROUND'}}"operator: Equalsvalue: CREATEcontext:- name: policies_countapiCall:urlPath: /apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpoliciesjmesPath: items[?label_match(spec.podSelector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | length(@)validate:message: Every Deployment requires a matching NetworkPolicy.deny:conditions:any:- key: "{{policies_count}}"operator: LessThanvalue: 1
This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.