homelab-gitops/platform/kyverno/policies/40-generate/generate-namespace-network-baseline.yaml
gwg313 e507515766
add pac
Signed-off-by: gwg313 <gwg313@pm.me>
2026-06-29 21:03:51 -04:00


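# Kyverno ClusterPolicy: for every Namespace not on the exclusion list,
# generate a CiliumNetworkPolicy that denies all ingress and allows only DNS
# egress to kube-dns. Any other egress from workloads in that namespace has to
# be opened by an additional, namespace-specific policy.
#
# The original manifest carried a `policyTypes: [Ingress, Egress]` entry under
# the generated spec. That is a Kubernetes NetworkPolicy field, not a
# CiliumNetworkPolicy one; Cilium decides default-deny per direction from the
# presence of `ingress` / `egress` rules, so the entry is dropped here.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-namespace-network-baseline
  annotations:
    policies.kyverno.io/title: Generate Namespace Network Baseline
    policies.kyverno.io/category: Network Security
    policies.kyverno.io/severity: high
    policies.kyverno.io/description: >-
      Automatically provisions a baseline CiliumNetworkPolicy
      with default deny ingress and controlled DNS egress.
    # Replace=true: Argo CD replaces this object on sync instead of patching it.
    argocd.argoproj.io/sync-options: Replace=true
spec:
  # background: true also applies the rule to Namespaces that already exist,
  # not only to those admitted after the policy is installed.
  background: true
  rules:
    - name: generate-baseline-cnp
      match:
        any:
          - resources:
              kinds:
                - Namespace
      # System and platform namespaces are left alone: they carry their own
      # network policies and a default-deny baseline could break the cluster.
      # NOTE(review): Namespace is cluster-scoped; confirm Kyverno evaluates
      # this `namespaces` filter against the Namespace's own name (otherwise
      # `names:` is the filter keyed on the object's name).
      exclude:
        any:
          - resources:
              namespaces:
                - default
                - kube-system
                - kube-public
                - kube-node-lease
                - kyverno
                - argocd
                - cert-manager
                - monitoring
                - cilium-secrets
                - cilium-ingress
                - sealed-secrets
                - tekton-pipelines
                - tekton-pipelines-resolvers
                - pipelines-as-code
      generate:
        # synchronize: true keeps the generated CNP in step with this policy:
        # manual drift is reverted and edits to `data` below are propagated.
        synchronize: true
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
        name: baseline-network-security
        # JMESPath: the name of the Namespace that triggered the rule.
        namespace: "{{ request.object.metadata.name }}"
        data:
          metadata:
            labels:
              security-tier: baseline
            annotations:
              # Prune=false: Argo CD must not delete the generated CNP, which
              # is not part of any Argo application's manifests.
              argocd.argoproj.io/sync-options: Prune=false
          spec:
            # Empty selector: every endpoint in the namespace is covered.
            endpointSelector: {}
            # Default-deny ingress. Cilium enters default-deny for a direction
            # once a rule for that direction is present; the upstream
            # deny-all example uses `ingress: - {}` rather than `[]` --
            # confirm `[]` survives serialization and behaves the same.
            ingress: []
            # Egress is default-deny as well; the only permitted flow is DNS to
            # kube-dns on 53/UDP and 53/TCP.
            egress:
              - toEndpoints:
                  - matchLabels:
                      k8s:io.kubernetes.pod.namespace: kube-system
                      k8s-app: kube-dns
                toPorts:
                  - ports:
                      - port: "53"
                        protocol: UDP
                      - port: "53"
                        protocol: TCP
                    # DNS-aware policy: queries pass through Cilium's DNS proxy
                    # and "*" permits lookups of any name. Resolving a name
                    # does not allow reaching it; that still needs its own
                    # egress rule.
                    rules:
                      dns:
                        - matchPattern: "*"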