Is your feature request related to a problem?
Kubernetes does not support a global default network policy, i.e. "deny all per default". Some CNIs implement this with custom CRDs (e.g. Calico), but this is CNI and cluster specific and in mixed environments cannot be standardized.
Due to that we would need a way that creates a default network policy in each namespace that gets created.
Solution you'd like
A new Kubewarden policy that allows specifying a default network policy that should be created, including a list of namespaces that should be ignored.
The default should be "deny all ingress" and "allow all egress", but it should be configurable.
The default exclusions should be "kube-system" and the CNI namespaces for Calico, Canal and Cilium.
Alternatives you've considered
CNI-specific global deny policies, but in mixed environments (AKS, on-premise RKE1 / RKE2 / K3S, ...) we do not have the same CNIs and versions, so we need to base this on Kubernetes standards.
Another thought was to use the global CNI-based deny policies and filter on labels on namespaces for the whitelist, and then use something similar to the PSA label policy to deploy the right labels to the right namespaces.
NeuVector might also be an alternative, but we would need to add an additional product in that case.
Anything else?
No response
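The policy described in the request, as an added example that is not part of the issue and not code from the Kubewarden project: it builds the per-namespace "deny all ingress, allow all egress" NetworkPolicy with a configurable direction set and exclusion list, and reports which namespaces still lack such a policy. The function names, the policy name, the assumed CNI namespaces and the sample namespaces are all assumptions of this example.

```python
"""Added example, not code from the issue author or the Kubewarden project.
It builds the per-namespace NetworkPolicy the request describes and checks
which namespaces still lack one. Function names, the policy name and the
sample namespaces are assumptions made for this example."""
import json

# Namespaces skipped by default: kube-system plus where the CNI usually lives.
# The CNI namespace names depend on how Calico/Canal/Cilium were installed,
# so treat this set as an assumed starting point, not a fixed list.
DEFAULT_EXCLUDED = frozenset({"kube-system", "calico-system", "tigera-operator"})

POLICY_NAME = "default-network-policy"  # assumed name


def default_network_policy(namespace, deny_ingress=True, deny_egress=False,
                           excluded=DEFAULT_EXCLUDED, name=POLICY_NAME):
    """Return the NetworkPolicy manifest (a dict) for `namespace`, or None if
    the namespace is excluded or nothing is to be denied.

    An empty podSelector selects every pod in the namespace. A direction
    listed in policyTypes with no rules for it denies all traffic in that
    direction; a direction missing from policyTypes is left untouched (allow
    all). That is how "deny all ingress, allow all egress" is expressed.
    """
    if namespace in excluded:
        return None
    policy_types = []
    if deny_ingress:
        policy_types.append("Ingress")
    if deny_egress:
        policy_types.append("Egress")
    if not policy_types:
        return None
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": policy_types},
    }


def denied_directions(policy):
    """Directions ("Ingress"/"Egress") that `policy` denies for every pod.

    Guards against the classic mistake: `ingress: [{}]` is a single empty
    rule that allows ALL ingress, so it must not count as deny-all.
    """
    spec = policy.get("spec", {})
    if spec.get("podSelector") != {}:
        return set()  # selects only some pods, not a namespace-wide default
    denied = set()
    for direction in spec.get("policyTypes", []):
        rules = spec.get(direction.lower())
        if not rules:  # absent or empty list: no traffic permitted
            denied.add(direction)
    return denied


def missing_default_deny(namespaces, existing, excluded=DEFAULT_EXCLUDED):
    """Non-excluded namespaces with no policy denying all ingress.

    `existing` maps namespace -> list of NetworkPolicy dicts already present.
    """
    missing = []
    for ns in namespaces:
        if ns in excluded:
            continue
        if not any("Ingress" in denied_directions(p) for p in existing.get(ns, [])):
            missing.append(ns)
    return missing


if __name__ == "__main__":
    # Constructed sample: one namespace already has the default policy, one
    # carries an "allow all ingress" policy that looks like deny-all at a glance.
    existing = {
        "team-a": [default_network_policy("team-a")],
        "team-b": [{"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                    "metadata": {"name": "looks-like-deny", "namespace": "team-b"},
                    "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                             "ingress": [{}]}}],
    }
    for ns in missing_default_deny(["team-a", "team-b", "kube-system"], existing):
        print(json.dumps(default_network_policy(ns), indent=2))
```

The manifest printed for each missing namespace can be applied as-is with `kubectl apply -f`; the `denied_directions` check is the part worth keeping if you audit existing clusters, since a policy with a single empty `ingress` rule is syntactically a "default" policy but allows everything.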