Some checks are pending
Pipelines as Code CI / homelab-ci CI has Started
Signed-off-by: gwg313 <gwg313@pm.me>
85 lines
2.1 KiB
YAML
85 lines
2.1 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: generate-namespace-network-baseline
|
|
annotations:
|
|
policies.kyverno.io/title: Generate Namespace Network Baseline
|
|
policies.kyverno.io/category: Network Security
|
|
policies.kyverno.io/severity: high
|
|
policies.kyverno.io/description: >-
|
|
Automatically provisions a baseline CiliumNetworkPolicy
|
|
with default deny ingress and controlled DNS egress.
|
|
argocd.argoproj.io/sync-options: Replace=true
|
|
|
|
spec:
|
|
background: true
|
|
|
|
rules:
|
|
- name: generate-baseline-cnp
|
|
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Namespace
|
|
|
|
exclude:
|
|
any:
|
|
- resources:
|
|
namespaces:
|
|
- default
|
|
- kube-system
|
|
- kube-public
|
|
- kube-node-lease
|
|
- kyverno
|
|
- argocd
|
|
- cert-manager
|
|
- monitoring
|
|
- cilium-secrets
|
|
- cilium-ingress
|
|
- sealed-secrets
|
|
- tekton-pipelines
|
|
- tekton-pipelines-resolvers
|
|
- pipelines-as-code
|
|
|
|
generate:
|
|
synchronize: true
|
|
|
|
apiVersion: cilium.io/v2
|
|
kind: CiliumNetworkPolicy
|
|
|
|
name: baseline-network-security
|
|
namespace: "{{ request.object.metadata.name }}"
|
|
|
|
data:
|
|
metadata:
|
|
labels:
|
|
security-tier: baseline
|
|
annotations:
|
|
argocd.argoproj.io/sync-options: Prune=false
|
|
|
|
spec:
|
|
endpointSelector: {}
|
|
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
|
|
ingress: []
|
|
|
|
egress:
|
|
- toEndpoints:
|
|
- matchLabels:
|
|
k8s:io.kubernetes.pod.namespace: kube-system
|
|
k8s-app: kube-dns
|
|
|
|
toPorts:
|
|
- ports:
|
|
- port: "53"
|
|
protocol: UDP
|
|
- port: "53"
|
|
protocol: TCP
|
|
|
|
rules:
|
|
dns:
|
|
- matchPattern: "*"
|