45 lines
1.3 KiB
YAML
45 lines
1.3 KiB
YAML
{{- if .Values.generateNetworkPolicy.enabled }}
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: generate-default-networkpolicy
|
|
annotations:
|
|
policies.kyverno.io/title: "Генерация NetworkPolicy по умолчанию"
|
|
policies.kyverno.io/category: Security
|
|
policies.kyverno.io/severity: high
|
|
policies.kyverno.io/version: {{ .Chart.Version }}
|
|
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
|
|
spec:
|
|
rules:
|
|
- name: generate-deny-all
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Namespace
|
|
exclude:
|
|
resources:
|
|
names:
|
|
{{- range (concat .Values.global.excludedNamespaces .Values.generateNetworkPolicy.excludedNamespaces) | uniq }}
|
|
- {{ . }}
|
|
{{- end }}
|
|
generate:
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
name: default-deny-all
|
|
namespace: "{{ "{{" }} request.object.metadata.name {{ "}}" }}"
|
|
synchronize: true
|
|
data:
|
|
kind: NetworkPolicy
|
|
apiVersion: networking.k8s.io/v1
|
|
metadata:
|
|
name: default-deny-all
|
|
labels:
|
|
generated-by: kyverno
|
|
helm-release: {{ .Release.Name }}
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
- Egress
|
|
{{- end }}
|