This repository contains policies and configurations to ensure that namespaces in Kubernetes clusters have NetworkPolicies that restrict pod communication to the same namespace.
- azure-policies/: Azure Policy definitions for auditing AKS clusters
- network-policies/: Kubernetes resources for network policy enforcement
- gatekeeper/: Gatekeeper templates and constraints
- templates/: NetworkPolicy templates
- cluster-policy/: Kustomize configuration to apply NetworkPolicies
- Install Gatekeeper in your cluster:

```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.9/deploy/gatekeeper.yaml
```

- Install the GitOps infrastructure (e.g., Flux or ArgoCD)
- For Flux:

```shell
flux bootstrap github \
  --owner=<GITHUB_USER> \
  --repository=gitops-azure-policy \
  --branch=main \
  --path=./clusters/my-cluster \
  --personal
```

- For ArgoCD:

```shell
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
```
Add the following definitions for your GitOps tool to sync Gatekeeper components and NetworkPolicies:

```yaml
# For Flux
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: network-policies
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./network-policies
  prune: true
  sourceRef:
    kind: GitRepository
    name: gitops-flux-source
```

- Create a custom policy definition in Azure Policy using the azure-policies/require-same-namespace-networkpolicy.json file
- Assign the policy to your subscriptions or management groups containing AKS clusters
- Developers create new namespaces
- Azure Policy audits that namespaces have an appropriate NetworkPolicy
- The GitOps tool automatically applies default NetworkPolicies to all namespaces
- Gatekeeper validates new namespaces in real-time to ensure compliance
- Modify the NetworkPolicy template in network-policies/templates/default-networkpolicy.yaml according to your specific requirements
- Update namespace exclusions in the policy definition and Gatekeeper constraints
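As an added illustration of the real-time Gatekeeper check in the workflow above and of the namespace exclusions mentioned under customization, the following ConstraintTemplate and constraint (example code, not the contents of this repository's gatekeeper/ directory) report any Namespace that has no NetworkPolicy. The template name, constraint kind, the excludedNamespaces parameter and the excluded namespace names are assumptions.

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequirenamespacenetworkpolicy   # assumed name
spec:
  crd:
    spec:
      names:
        kind: K8sRequireNamespaceNetworkPolicy
      validation:
        openAPIV3Schema:
          type: object
          properties:
            excludedNamespaces:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequirenamespacenetworkpolicy
        # Platform-owned namespaces listed in the constraint are skipped.
        excluded(ns) {
          ns == input.parameters.excludedNamespaces[_]
        }
        # True when Gatekeeper's synced inventory holds a NetworkPolicy in ns.
        has_networkpolicy(ns) {
          data.inventory.namespace[ns]["networking.k8s.io/v1"]["NetworkPolicy"][_]
        }
        violation[{"msg": msg}] {
          input.review.object.kind == "Namespace"
          ns := input.review.object.metadata.name
          not excluded(ns)
          not has_networkpolicy(ns)
          msg := sprintf("namespace %q has no NetworkPolicy", [ns])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequireNamespaceNetworkPolicy
metadata:
  name: require-namespace-networkpolicy   # assumed name
spec:
  # deny would reject every new namespace: its NetworkPolicy cannot exist yet
  enforcementAction: warn
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    excludedNamespaces: ["kube-system", "gatekeeper-system", "flux-system"]
```

The has_networkpolicy lookup reads data.inventory, so NetworkPolicies (group networking.k8s.io, version v1, kind NetworkPolicy) must be listed under syncOnly in Gatekeeper's Config resource in gatekeeper-system; without that sync every namespace is reported as a violation.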