# based on: https://kyverno.io/policies/best-practices/add_network_policy/
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-networkpolicy-deny-ingress
  annotations:
    policies.kyverno.io/title: Default Deny Ingress to Namespace
    policies.kyverno.io/category: Multi-Tenancy
    policies.kyverno.io/subject: NetworkPolicy
    policies.kyverno.io/description: >-
      By default, Kubernetes allows communications across all pods within a cluster. 
      Network policies and, a CNI that supports network policies, must be used to restrict 
      communications. A default NetworkPolicy should be configured for each namespace to 
      default deny all ingress and egress traffic to the pods in the namespace. Application 
      teams can then configure additional NetworkPolicy resources to allow desired traffic 
      to application pods from select sources.   
spec:
  validationFailureAction: audit
  rules:
  - name: default-deny-ingress
    match:
      any:
      - resources: 
          kinds:
          - Namespace
    # Need to create inbound policies for these namespaces 
    exclude:
      any:
      - resources:
          namespaces:
          - calico-system
          - tigera-operator
          - monitoring
    generate:
      kind: NetworkPolicy
      name: default-deny
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      data:
        spec:
          # select all pods in the namespace
          podSelector: {}
          # deny all traffic
          policyTypes: 
          - Ingress