network-policy

Signed-off-by: gwg313 <gwg313@pm.me>

platform/kyverno/policies/cleanup-rbac.yaml

@@ -4,6 +4,8 @@ metadata:
   name: kyverno:cleanup-pods
   labels:
     rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
 rules:
   - apiGroups: [""]
     resources: ["pods"]

platform/kyverno/policies/generate-ns-network-baseline.yaml

@@ -0,0 +1,54 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: generate-ns-network-baseline
+  annotations:
+    policies.kyverno.io/title: Inject Namespace Baseline CNP
+    policies.kyverno.io/description: Automatically provisions a local default-deny + DNS egress CNP inside new application namespaces.
+spec:
+  background: true
+  rules:
+    - name: inject-local-cnp
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+      exclude:
+        any:
+          - resources:
+              namespaces:
+                - default
+                - kube-system
+                - kube-public
+                - kube-node-lease
+                - argocd
+                - kyverno
+                - cilium-ingress
+                - cilium-secrets
+                - cert-manager
+                - sealed-secrets
+                - nfs-subdir-external-provisioner
+      generate:
+        apiVersion: cilium.io/v2
+        kind: CiliumNetworkPolicy
+        name: baseline-network-security
+        namespace: "{{request.object.metadata.name}}"
+        synchronize: true
+        data:
+          spec:
+            endpointSelector: {}
+            ingress:
+              - {}
+            egress:
+              - toEndpoints:
+                  - matchLabels:
+                      k8s:io.kubernetes.pod.namespace: kube-system
+                      k8s-app: kube-dns
+                toPorts:
+                  - ports:
+                      - port: "53"
+                        protocol: ANY
+                    rules:
+                      dns:
+                        - matchPattern: "*"

platform/kyverno/policies/kustomization.yaml

@@ -5,3 +5,5 @@ resources:
   - cleanup-rbac.yaml
   - purge-terminal-pods.yaml
   - disallow-latest-tag.yaml
+  - kyverno-cilium-rbac.yaml
+  - generate-ns-network-baseline.yaml

platform/kyverno/policies/kyverno-cilium-rbac.yaml

@@ -0,0 +1,52 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kyverno:generate-cilium-cnps
+  labels:
+    kyverno.io/aggregate-to-background: "true"
+    kyverno.io/aggregate-to-reports: "true"
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+rules:
+  - apiGroups:
+      - cilium.io
+    resources:
+      - ciliumnetworkpolicies
+    verbs:
+      - create
+      - update
+      - patch
+      - delete
+      - get
+      - list
+      - watch
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno:generate-cilium-cnps-background-binding
+subjects:
+  - kind: ServiceAccount
+    name: kyverno-background-controller
+    namespace: kyverno
+roleRef:
+  kind: ClusterRole
+  name: kyverno:generate-cilium-cnps
+  apiGroup: rbac.authorization.k8s.io
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kyverno:generate-cilium-cnps-admission-binding
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+subjects:
+  - kind: ServiceAccount
+    name: kyverno-admission-controller
+    namespace: kyverno
+roleRef:
+  kind: ClusterRole
+  name: kyverno:generate-cilium-cnps
+  apiGroup: rbac.authorization.k8s.io