Disallow Default Namespace

Kubernetes Namespaces are an optional feature that provides a way to segment and isolate cluster resources across multiple applications and users. As a best practice, workloads should be isolated with Namespaces. Namespaces should be required and the default (empty) Namespace should not be used. This policy validates that Pods specify a Namespace name other than `default`. Rule auto-generation is disabled here because Pod controllers need to specify the `namespace` field under the top-level `metadata` object and not at the Pod template level.

Policy Definition

/best-practices/disallow-default-namespace/disallow-default-namespace.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-default-namespace
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Disallow Default Namespace
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/category: Multi-Tenancy
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Kubernetes Namespaces are an optional feature that provide a way to segment and
      isolate cluster resources across multiple applications and users. As a best
      practice, workloads should be isolated with Namespaces. Namespaces should be required
      and the default (empty) Namespace should not be used. This policy validates that Pods
      specify a Namespace name other than `default`. Rule auto-generation is disabled here
      due to Pod controllers need to specify the `namespace` field under the top-level `metadata`
      object and not at the Pod template level.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: validate-namespace
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "Using 'default' namespace is not allowed."
      pattern:
        metadata:
          namespace: "!default"
  - name: validate-podcontroller-namespace
    match:
      any:
      - resources:
          kinds:
          - DaemonSet
          - Deployment
          - Job
          - StatefulSet
    validate:
      message: "Using 'default' namespace is not allowed for pod controllers."
      pattern:
        metadata:
          namespace: "!default"
```
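
The following is an added example, not part of the Kyverno policy library: a simplified Python approximation of the two rules above, usable as a pre-commit or CI check over manifests already parsed into dicts. It shows that only the top-level `metadata.namespace` is evaluated, so a Deployment whose Pod template names another namespace is still flagged. The function names, the sample manifests, and the choice to report an omitted namespace as `default` are assumptions of this example.

```python
# Added example: a simplified offline approximation of the policy's two rules.
# It is not Kyverno's engine; all manifests below are constructed samples.
RULES = {
    "validate-namespace": (
        {"Pod"},
        "Using 'default' namespace is not allowed."),
    "validate-podcontroller-namespace": (
        {"DaemonSet", "Deployment", "Job", "StatefulSet"},
        "Using 'default' namespace is not allowed for pod controllers."),
}


def check_manifest(manifest, missing_means_default=True):
    """Return (rule, resource, message) on a violation, else None.

    Only top-level metadata.namespace is read, as in the policy's pattern;
    spec.template.metadata.namespace is never consulted.
    """
    kind = manifest.get("kind")
    metadata = manifest.get("metadata") or {}
    namespace = metadata.get("namespace") or ""
    # Assumption: an omitted namespace is reported as `default`.
    if not namespace and missing_means_default:
        namespace = "default"
    for rule, (kinds, message) in RULES.items():
        if kind in kinds and namespace == "default":
            return rule, f"{kind}/{metadata.get('name', '<unnamed>')}", message
    return None


def audit(manifests):
    """Collect violations across a list of manifest dicts."""
    return [hit for hit in map(check_manifest, manifests) if hit]


SAMPLES = [  # constructed sample manifests, trimmed to the relevant fields
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "team-a"}},
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "default"}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "default"},
     "spec": {"template": {"metadata": {"namespace": "team-a"}}}},
    {"kind": "Job", "metadata": {"name": "migrate"}},
    {"kind": "ConfigMap", "metadata": {"name": "cfg", "namespace": "default"}},
]

if __name__ == "__main__":
    for rule, resource, message in audit(SAMPLES):
        print(f"[{rule}] {resource}: {message}")
```
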