By default, all pods in a Kubernetes cluster are allowed to communicate with each other, and all network traffic is unencrypted. It is recommended not to use an empty podSelector, so that the necessary traffic flows can be controlled more closely. This policy requires that all NetworkPolicies other than `default-deny` not use an empty podSelector.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-networkpolicy-empty-podselector
  annotations:
    policies.kyverno.io/title: Restrict NetworkPolicy with Empty podSelector
    policies.kyverno.io/category: Other, Multi-Tenancy
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: NetworkPolicy
    policies.kyverno.io/description: >-
      By default, all pods in a Kubernetes cluster are allowed to communicate
      with each other, and all network traffic is unencrypted. It is recommended
      to not use an empty podSelector in order to more closely control the
      necessary traffic flows. This policy requires that all NetworkPolicies
      other than that of `default-deny` not use an empty podSelector.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: empty-podselector
    match:
      any:
      - resources:
          kinds:
          - NetworkPolicy
    exclude:
      any:
      - resources:
          kinds:
          - NetworkPolicy
          names:
          - default-deny
    validate:
      message: NetworkPolicies must not use an empty podSelector.
      deny:
        conditions:
          any:
          - key: "{{request.object.spec.podSelector.keys(@) | length(@)}}"
            operator: Equals
            value: 0
```
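The following Python script is an added example, not part of the Kyverno policy library or the page above. It re-implements the same rule logic (match kind `NetworkPolicy`, skip the name `default-deny`, deny when `spec.podSelector` has zero keys) against already-parsed manifests, so the check can be run in CI over rendered Helm or kustomize output before anything reaches the API server. The `check_network_policies` and `pod_selector_is_empty` function names and the sample manifests are constructed for this example; the assumption that an absent `podSelector` behaves like `{}` (both select every pod in the namespace) is mine.

```python
"""Offline re-implementation of the restrict-networkpolicy-empty-podselector
rule. Added example; function names and sample manifests are constructed."""

EXCLUDED_NAMES = {"default-deny"}  # mirrors the policy's exclude block


def pod_selector_is_empty(policy: dict) -> bool:
    """True when spec.podSelector has no keys, the equivalent of the policy's
    JMESPath check ``keys(@) | length(@)`` == 0. Assumption: a missing
    podSelector is treated like ``{}``, since both select every pod."""
    selector = policy.get("spec", {}).get("podSelector")
    return not selector  # None or {} -> empty


def check_network_policies(docs: list) -> list:
    """Return one violation message per NetworkPolicy that uses an empty
    podSelector, skipping excluded names. Other kinds are ignored, as the
    policy's match block would ignore them."""
    violations = []
    for doc in docs:
        if doc.get("kind") != "NetworkPolicy":
            continue
        meta = doc.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        if name in EXCLUDED_NAMES:
            continue
        if pod_selector_is_empty(doc):
            ns = meta.get("namespace", "default")
            violations.append(
                f"{ns}/{name}: NetworkPolicies must not use an empty podSelector."
            )
    return violations


# Constructed sample manifests (not taken from any real cluster).
SAMPLE_DOCS = [
    {  # excluded by name: the namespace-wide default-deny is the intended use
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny", "namespace": "team-a"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    },
    {  # violation: empty selector under a non-excluded name opens every pod
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-all-ingress", "namespace": "team-a"},
        "spec": {"podSelector": {}, "ingress": [{}]},
    },
    {  # compliant: selector narrows the policy to one workload
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "allow-web-from-lb", "namespace": "team-a"},
        "spec": {
            "podSelector": {"matchLabels": {"app": "web"}},
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"role": "lb"}}}]}],
        },
    },
    {  # ignored: not a NetworkPolicy
        "apiVersion": "v1",
        "kind": "Service",
        "metadata": {"name": "web", "namespace": "team-a"},
        "spec": {"selector": {"app": "web"}},
    },
]

if __name__ == "__main__":
    for line in check_network_policies(SAMPLE_DOCS):
        print(line)
```

Running the script against the constructed manifests reports only `team-a/allow-all-ingress`. One caveat worth knowing when relying on this rule: the policy counts keys, so a selector written as `podSelector: {matchLabels: {}}` has one key and passes, yet Kubernetes still treats an all-empty label selector as matching every pod in the namespace. If that form is a concern, extend the check to inspect `matchLabels` and `matchExpressions` as well.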
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer deployed in AWS support transport encryption when it is enabled via an annotation. This policy requires that Services of type LoadBalancer carry the annotation `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` with some value.
This policy prevents updates to the project field after an Application is created.