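---
# Kyverno ClusterPolicy: for every Namespace it sees, generate (and keep in
# sync) a CiliumNetworkPolicy named allow-namespace-traffic in that namespace.
#
# Net effect of the generated policy on every pod in the namespace (Cilium
# switches a selected endpoint to default-deny for each direction a rule
# covers, so anything not listed below is dropped):
#   - ingress: from pods in the same namespace AND from pods in any other
#     namespace (see the comment on the second ingress rule);
#   - egress: to pods in any namespace, plus UDP/53 to kube-dns with DNS L7
#     inspection;
#   - nothing else: there is no fromEntities/toEntities/toFQDNs/toCIDR rule, so
#     traffic to or from non-pod endpoints (world, host, remote nodes) is not
#     allowed by this policy — another policy has to add it if needed.
# In other words this gives cluster-wide pod-to-pod connectivity with
# DNS visibility, not namespace isolation; the description annotation below
# is written to say exactly that.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allow-namespace-traffic
  annotations:
    policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
    policies.kyverno.io/subject: Namespace, NetworkPolicy
    # Version strings are quoted so no tooling re-types them.
    kyverno.io/kyverno-version: "1.7.0"
    policies.kyverno.io/minversion: "1.7.0"
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      Allow all ingress/egress traffic within a namespace.
      Allow ingress from and egress to any pods in the cluster.
      Allow DNS to kube-dns with layer 7 inspection.
spec:
  # Also (re)generate into namespaces that already exist when this policy is
  # created or updated, not only for newly admitted Namespace objects.
  generateExistingOnPolicyUpdate: true
  rules:
    - name: allow-namespace-traffic
      match:
        any:
          - resources:
              kinds:
                - Namespace
      generate:
        # synchronize: true means Kyverno owns the generated object: manual
        # edits or deletion of the CiliumNetworkPolicy in a namespace are
        # reverted, so per-namespace exceptions have to be expressed in this
        # policy (e.g. an exclude on the match), not on the generated object.
        synchronize: true
        apiVersion: cilium.io/v2
        kind: CiliumNetworkPolicy
        name: allow-namespace-traffic
        # Target namespace is the Namespace object that triggered the rule.
        namespace: "{{request.object.metadata.name}}"
        data:
          metadata:
            labels:
              created-by: kyverno
          spec:
            # Empty selector: every pod in the target namespace is subject to
            # this policy.
            endpointSelector: {}
            description: "Allow all traffic within a namespace, allow ingress from and egress to any pod in the cluster, allow DNS to kube-dns with L7 inspection"
            ingress:
              # Rule 1: an empty fromEndpoints selector is namespace-scoped in
              # Cilium, i.e. all pods of the same namespace.
              - fromEndpoints:
                  - {}
              # Rule 2: selecting on the io.kubernetes.pod.namespace key
              # explicitly disables Cilium's implicit same-namespace scoping,
              # so this matches pods in every namespace (the egress rule below
              # uses the same selector and the policy text calls it "any pods
              # in the cluster"). Rule 1 is therefore subsumed by this rule,
              # and no ingress isolation between namespaces exists — confirm
              # against the cluster's Cilium version before relying on the
              # policy for tenant separation.
              - fromEndpoints:
                  - matchExpressions:
                      - key: io.kubernetes.pod.namespace
                        operator: Exists
            egress:
              # Egress to pods in any namespace (same cluster-wide selector as
              # ingress rule 2).
              - toEndpoints:
                  - matchExpressions:
                      - key: io.kubernetes.pod.namespace
                        operator: Exists
                # Mutual authentication is left opt-in; uncomment to require it
                # for this rule on Cilium versions that support it.
                # authentication:
                #   mode: "required"
              # DNS: only UDP/53 to kube-dns in kube-system. The DNS L7 rule
              # with matchPattern "*" allows every query name; its value here
              # is visibility (Hubble/proxy logs of the names resolved), not
              # restriction. Tighten matchPattern to restrict resolvable names.
              - toEndpoints:
                  - matchLabels:
                      io.kubernetes.pod.namespace: kube-system
                      k8s-app: kube-dns
                toPorts:
                  - ports:
                      - port: "53"
                        protocol: UDP
                    rules:
                      dns:
                        - matchPattern: "*"
                # authentication:
                #   mode: "required"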