# Kyverno ClusterPolicy: for every namespace except the control-plane
# namespaces excluded below, generate two CiliumNetworkPolicy objects:
#
#   * default-deny — puts every endpoint in the namespace into default-deny
#     mode for ingress and egress, so any flow a workload needs must be
#     allowed explicitly (zero-trust by default);
#   * allow-dns   — re-opens egress to kube-dns on 53/UDP and 53/TCP so name
#     resolution keeps working under the deny.
#
# A standard NetworkPolicy is deliberately NOT generated alongside these:
# Cilium enforces NetworkPolicy and CiliumNetworkPolicy independently, so a
# plain default-deny NetworkPolicy would block traffic that a
# CiliumNetworkPolicy explicitly allows.
#
# Both generated objects are created for namespaces that already exist
# (generateExisting) and are kept in sync with this policy (synchronize), so
# an edit or deletion of a generated object is reverted by Kyverno.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-default-deny
  annotations:
    policies.kyverno.io/title: Default Deny Network Policy
    policies.kyverno.io/category: Networking, Best Practices
    policies.kyverno.io/subject: CiliumNetworkPolicy
    # NOTE(review): rule-level `generate.generateExisting` is a newer Kyverno
    # field than the minversion stated here suggests — confirm the earliest
    # Kyverno release that accepts this manifest as written.
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Generates a CiliumNetworkPolicy that activates Cilium's whitelist
      mode for all endpoints in a namespace (effectively deny-all), plus
      a companion policy that allows DNS egress to kube-dns so pods can
      still resolve names.
spec:
  rules:
    # Rule 1: the deny-all policy itself, one per namespace.
    - name: generate-default-deny
      match:
        any:
          - resources:
              kinds:
                - Namespace
      # The excluded namespaces receive no policy from this rule at all:
      # traffic inside them stays unrestricted unless something else
      # applies a policy there.
      exclude:
        any:
          - resources:
              names:
                - kube-system
                - kube-public
                - kube-node-lease
      generate:
        generateExisting: true
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
        name: default-deny
        synchronize: true
        namespace: '{{request.object.metadata.name}}'
        data:
          spec:
            # Empty selector: every endpoint in the target namespace.
            endpointSelector: {}
            enableDefaultDeny:
              ingress: true
              egress: true
            # NOTE(review): Cilium gives deny rules precedence over allow
            # rules. Confirm on the Cilium release in use that an empty `{}`
            # deny rule matches nothing; if it matched all traffic it would
            # override the companion allow-dns policy below and break name
            # resolution in every generated namespace.
            ingressDeny:
              - {}
            egressDeny:
              - {}
    # Rule 2: the DNS carve-out that keeps resolution working under rule 1.
    # Same match/exclude as rule 1 so both objects land in the same set of
    # namespaces.
    - name: generate-allow-dns
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              names:
                - kube-system
                - kube-public
                - kube-node-lease
      generate:
        generateExisting: true
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
        name: allow-dns
        synchronize: true
        namespace: '{{request.object.metadata.name}}'
        data:
          spec:
            endpointSelector: {}
            # Only egress to the cluster DNS pods on port 53 is re-allowed;
            # no L7 DNS rule is attached, so every query name is permitted.
            egress:
              - toEndpoints:
                  # Assumes the cluster DNS pods run in kube-system with the
                  # label k8s-app: kube-dns (the common kube-dns / CoreDNS
                  # layout) — confirm for this cluster; a different label
                  # leaves DNS blocked by rule 1.
                  - matchLabels:
                      k8s:io.kubernetes.pod.namespace: kube-system
                      k8s-app: kube-dns
                toPorts:
                  - ports:
                      # Port is quoted: Cilium expects the port as a string.
                      - port: "53"
                        protocol: UDP
                      - port: "53"
                        protocol: TCP