require-netpol.yaml
---
# Kyverno ClusterPolicy: a new Deployment passes only if a NetworkPolicy
# whose podSelector labels match the Deployment's pod template labels
# already exists in the same namespace.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-network-policy
  annotations:
    policies.kyverno.io/title: Require NetworkPolicy
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Deployment, NetworkPolicy
    # Version-looking values are quoted so no YAML loader retypes them.
    policies.kyverno.io/minversion: "1.6.0"
    kyverno.io/kyverno-version: "1.6.2"
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      NetworkPolicy is used to control Pod-to-Pod communication and is a good
      practice to ensure only authorized Pods can send/receive traffic.
      This policy checks incoming Deployments to ensure they have a matching,
      preexisting NetworkPolicy.
spec:
  # audit: a violation is recorded in the policy report but the request is
  # still admitted. Change to enforce to actually reject the Deployment.
  validationFailureAction: audit
  # The apiCall below needs admission-request context ({{request.namespace}}),
  # so background scanning of already-existing resources is turned off.
  background: false
  rules:
    - name: require-network-policy
      match:
        any:
          - resources:
              kinds:
                - Deployment
      # Only CREATE requests are evaluated: label changes on UPDATE and a
      # later deletion of the NetworkPolicy are not re-checked by this rule.
      preconditions:
        any:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: CREATE
      context:
        # Number of NetworkPolicies in the request namespace whose podSelector
        # matchLabels match the Deployment's pod template labels.
        - name: policies_count
          apiCall:
            urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies"
            jmesPath: "items[?label_match(spec.podSelector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | length(@)"
      validate:
        message: "Every Deployment requires a matching NetworkPolicy."
        deny:
          conditions:
            any:
              # Deny when no matching NetworkPolicy was found.
              - key: "{{policies_count}}"
                operator: LessThan
                value: 1