mirror of
https://github.com/gwg313/homelab-gitops.git
synced 2026-06-05 19:51:01 +00:00
60 lines
1.8 KiB
YAML
60 lines
1.8 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: generate-ns-network-baseline
|
|
annotations:
|
|
policies.kyverno.io/title: Inject Namespace Baseline CNP
|
|
policies.kyverno.io/description: Automatically provisions a local default-deny + DNS egress CNP inside new application namespaces.
|
|
argocd.argoproj.io/sync-options: Force=true,Replace=true
|
|
|
|
spec:
|
|
background: true
|
|
rules:
|
|
- name: inject-local-cnp
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Namespace
|
|
exclude:
|
|
any:
|
|
- resources:
|
|
namespaces:
|
|
- default
|
|
- kube-system
|
|
- kube-public
|
|
- kube-node-lease
|
|
- argocd
|
|
- kyverno
|
|
- cilium-ingress
|
|
- cilium-secrets
|
|
- cert-manager
|
|
- sealed-secrets
|
|
- nfs-subdir-external-provisioner
|
|
- monitoring
|
|
- tekton-pipelines-resolvers
|
|
- tekton-pipelines
|
|
- pipelines-as-code
|
|
generate:
|
|
apiVersion: cilium.io/v2
|
|
kind: CiliumNetworkPolicy
|
|
name: baseline-network-security
|
|
namespace: "{{request.object.metadata.name}}"
|
|
synchronize: true
|
|
data:
|
|
spec:
|
|
endpointSelector: {}
|
|
ingress:
|
|
- {}
|
|
egress:
|
|
- toEndpoints:
|
|
- matchLabels:
|
|
k8s:io.kubernetes.pod.namespace: kube-system
|
|
k8s-app: kube-dns
|
|
toPorts:
|
|
- ports:
|
|
- port: "53"
|
|
protocol: ANY
|
|
rules:
|
|
dns:
|
|
- matchPattern: "*"
|