@epk
Created April 11, 2023 22:14
check.yaml:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validate-networkpolicy-namespace-selector
spec:
  validationFailureAction: Enforce
  rules:
    - name: validate-networkpolicy-namespace-selector
      match:
        resources:
          kinds:
            - NetworkPolicy
      validate:
        message: "The namespaceSelector in NetworkPolicy must use 'kubernetes.io/metadata.name'"
        anyPattern:
          - spec:
              ingress:
                - from:
                    - namespaceSelector:
                        matchLabels:
                          kubernetes.io/metadata.name: "?*"
          - spec:
              egress:
                - to:
                    - namespaceSelector:
                        matchLabels:
                          kubernetes.io/metadata.name: "?*"
```

compliant-netpol.yaml:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: compliant-network-policy
  namespace: example-namespace-1
spec:
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: example-namespace-2
```

Kyverno CLI test definition (run with `kyverno test`; it references the policy and resource files by name):

```yaml
name: validate-namespace-selector
policies:
  - check.yaml
resources:
  - compliant-netpol.yaml
  - non-compliant-netpol.yaml
results:
  - policy: validate-networkpolicy-namespace-selector
    rule: validate-networkpolicy-namespace-selector
    kind: NetworkPolicy
    resource: compliant-network-policy
    status: pass
  - policy: validate-networkpolicy-namespace-selector
    rule: validate-networkpolicy-namespace-selector
    kind: NetworkPolicy
    resource: non-compliant-network-policy
    status: fail
```

non-compliant-netpol.yaml:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: non-compliant-network-policy
  namespace: example-namespace-1
spec:
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              some-random-attribute: example-value
```
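The policy above pins every namespaceSelector to `kubernetes.io/metadata.name`, the label the API server sets on each namespace to its own name, so a NetworkPolicy cannot be widened by attaching an arbitrary label such as `some-random-attribute` to some other namespace. The following stand-alone checker is an added example, not part of the gist or of Kyverno: it applies the same rule to NetworkPolicy objects already parsed into dicts (the two manifests from the gist plus two constructed edge cases), and its `require_selector` switch and the `make_netpol` helper are assumptions of this example.

```python
REQUIRED_KEY = "kubernetes.io/metadata.name"  # set on every namespace by the API server


def check_network_policy(netpol, require_selector=False):
    """Return violations for one NetworkPolicy given as a dict.

    Each ingress.from / egress.to peer with a namespaceSelector must pin
    REQUIRED_KEY to a non-empty value (the meaning of "?*" in the Kyverno
    pattern). require_selector=True also rejects peers with no namespaceSelector
    at all (closer to what the gist's anyPattern requires); False (this
    example's assumption) tolerates podSelector-only or ipBlock peers.
    """
    violations = []
    spec = netpol.get("spec") or {}
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction) or []):
            for j, peer in enumerate(rule.get(peer_key) or []):
                where = f"spec.{direction}[{i}].{peer_key}[{j}]"
                selector = peer.get("namespaceSelector")
                if selector is None:
                    if require_selector:
                        violations.append(f"{where}: no namespaceSelector")
                    continue
                labels = selector.get("matchLabels") or {}
                value = labels.get(REQUIRED_KEY)
                if not isinstance(value, str) or not value:
                    violations.append(f"{where}: namespaceSelector must set "
                                      f"{REQUIRED_KEY}, got labels {sorted(labels)}")
    return violations


def make_netpol(name, peers):
    """Build a minimal ingress-only NetworkPolicy dict (constructed test data)."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": "example-namespace-1"},
            "spec": {"policyTypes": ["Ingress"], "ingress": [{"from": peers}]}}


# Constructed inputs mirroring the gist's two manifests, plus two edge cases.
COMPLIANT = make_netpol("compliant-network-policy", [{"namespaceSelector": {
    "matchLabels": {REQUIRED_KEY: "example-namespace-2"}}}])
NON_COMPLIANT = make_netpol("non-compliant-network-policy", [{"namespaceSelector": {
    "matchLabels": {"some-random-attribute": "example-value"}}}])
ALLOW_ALL_NAMESPACES = make_netpol("allow-all", [{"namespaceSelector": {}}])  # {} = every namespace
POD_ONLY = make_netpol("pod-only", [{"podSelector": {"matchLabels": {"app": "web"}}}])

if __name__ == "__main__":
    for policy in (COMPLIANT, NON_COMPLIANT, ALLOW_ALL_NAMESPACES, POD_ONLY):
        print(policy["metadata"]["name"], check_network_policy(policy) or "pass")
```

The empty-selector case is worth keeping in any such check: `namespaceSelector: {}` selects every namespace in the cluster, which the Kyverno pattern also rejects because the required label is absent.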