Feature Request: New Policy: Default Network Policy in All Namespaces except Namespaces in a given List

[Martin-Weiss]

Is your feature request related to a problem?

Kubernetes does not support a global default network policy i.e. "deny all per default". Some CNIs implement this with custom CRDs (i.e. calico) - but this is CNI and cluster specific and in mixed environments can not be standardized.

Due to that we would need a way that creates a default network policy in each namespace that gets created.

Solution you'd like

A new kubewarden policy that allows to specify a default network policy that should be created including a list of namespaces that should be ingnored.

The default should be "deny all ingress" and "allow all egress" - but should be configurable.

The default exclustions should be "kube-system" and the CNI namespaces for calico, canal and cilium.

Alternatives you've considered

CNI specific global deny policies - but in mixed environments ( AKS, on premise RKE1 / RKE2 / K3S,...) we do not have the same CNI ans versions so we need to base this on kubernetes standards.

Another thought was to use the global CNI based deny policies and filter on labels on namespaces for the whitelist.. and then use a similar thing like the PSA label policy to deploy the right labels to the right namespaces

NeuVector might also be an alternative - but we need to add an additional product in that case..

Anything else?

No response