Require NetworkPolicy
NetworkPolicy is used to control Pod-to-Pod communication and is a good practice to ensure only authorized Pods can send/receive traffic. This policy checks incoming Deployments to ensure they have a matching, preexisting NetworkPolicy.
Policy Definition
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-network-policy
  annotations:
    policies.kyverno.io/title: Require NetworkPolicy
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.3.6
    policies.kyverno.io/subject: Deployment, NetworkPolicy
    policies.kyverno.io/description: >-
      NetworkPolicy is used to control Pod-to-Pod communication
      and is a good practice to ensure only authorized Pods can send/receive
      traffic. This policy checks incoming Deployments to ensure
      they have a matching, preexisting NetworkPolicy.
spec:
  # audit only reports violations; change to enforce to reject the Deployment
  validationFailureAction: audit
  # the apiCall context below uses request.* variables, which only exist at admission time
  background: false
  rules:
  - name: require-network-policy
    match:
      resources:
        kinds:
        - Deployment
    # only evaluated on creation; updates to existing Deployments are not checked
    preconditions:
      any:
      - key: "{{request.operation}}"
        operator: Equals
        value: CREATE
    context:
    # count the NetworkPolicies in the Deployment's namespace whose
    # podSelector.matchLabels select the Deployment's pod template labels
    - name: policies_count
      apiCall:
        urlPath: "/apis/networking.k8s.io/v1/namespaces/{{request.namespace}}/networkpolicies"
        jmesPath: "items[?label_match(spec.podSelector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | length(@)"
    validate:
      message: "Every Deployment requires a matching NetworkPolicy."
      deny:
        conditions:
          any:
          - key: "{{policies_count}}"
            operator: LessThan
            value: 1
```
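As an added illustration (not code from the Kyverno policy library), the following Python simulates the rule's decision over constructed NetworkPolicy and Deployment objects: the subset semantics of `label_match`, the CREATE-only precondition and the `policies_count < 1` deny. It mirrors only the `matchLabels` comparison that the JMESPath expression performs, so a NetworkPolicy that selects Pods through `matchExpressions` alone is not counted, and it assumes (the page does not say) that a podSelector with no `matchLabels` key does not match.

```python
from typing import Any, Optional

Labels = dict[str, str]

def label_match(selector: Optional[Labels], labels: Labels) -> bool:
    """Subset check in the spirit of Kyverno's label_match(): every key/value of
    the selector must appear in the target labels, so an explicit empty
    matchLabels ({}) matches every Pod, as it does in Kubernetes.
    Assumption: a podSelector without any matchLabels key does not match."""
    if selector is None:
        return False
    return all(labels.get(key) == value for key, value in selector.items())

def policies_count(template_labels: Labels, netpols: list[dict[str, Any]]) -> int:
    """The policies_count context variable for one namespace."""
    return sum(1 for netpol in netpols
               if label_match(netpol["spec"].get("podSelector", {}).get("matchLabels"),
                              template_labels))

def evaluate(request: dict[str, Any], netpols_by_ns: dict[str, list]) -> tuple[str, Optional[str]]:
    """Rule outcome: 'skip' (precondition unmet), 'fail' (denied) or 'pass'."""
    if request["operation"] != "CREATE":          # preconditions: CREATE only
        return "skip", None
    labels = request["object"]["spec"]["template"]["metadata"]["labels"]
    count = policies_count(labels, netpols_by_ns.get(request["namespace"], []))
    if count < 1:                                 # deny: policies_count LessThan 1
        return "fail", "Every Deployment requires a matching NetworkPolicy."
    return "pass", None

def deployment_request(namespace: str, operation: str, labels: Labels) -> dict[str, Any]:
    """Minimal stand-in for the admission request fields the rule reads."""
    return {"operation": operation, "namespace": namespace, "object": {"kind": "Deployment",
            "spec": {"template": {"metadata": {"labels": labels}}}}}

# Constructed sample NetworkPolicies keyed by namespace (not real cluster data).
NETPOLS: dict[str, list[dict[str, Any]]] = {
    "prod": [
        {"metadata": {"name": "web-allow"}, "spec": {"podSelector": {"matchLabels": {"app": "web"}}}},
        # Selects Pods via matchExpressions only: the JMESPath filter never counts it.
        {"metadata": {"name": "api-allow"}, "spec": {"podSelector": {"matchExpressions": [
            {"key": "app", "operator": "In", "values": ["api"]}]}}},
    ],
    "dev": [
        # Namespace-wide default deny with an explicit empty matchLabels: matches every Pod.
        {"metadata": {"name": "default-deny"}, "spec": {"podSelector": {"matchLabels": {}}}},
    ],
}
```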