HighPR-scope Plug & play

Default-deny NetworkPolicy required when adding a namespace

If a PR introduces workloads in a namespace that lacks a default-deny NetworkPolicy, add one plus explicit allow rules.

Why this matters

A default-deny baseline limits lateral movement and unintended traffic.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

files:
- k8s/namespaces/payments.yaml
- k8s/deployments/payments-api.yaml
# (no NetworkPolicy)

Prefer

files:
- k8s/namespaces/payments.yaml
- k8s/deployments/payments-api.yaml
- k8s/networkpolicies/payments-default-deny.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
 name: default-deny
 namespace: payments
spec:
 podSelector: {}
 policyTypes: ["Ingress", "Egress"]

More snippets

Good

kind: NetworkPolicy
metadata:
 name: default-deny
 namespace: payments

Bad

kind: Deployment
metadata:
 name: payments-api
 namespace: payments

Related rules

From the same buckets as this rule.

Critical
Disallow public ingress without explicit allowlist
For Ingress/Service of type LoadBalancer, require host/path allowlist and TLS; forbid 0.0.0.0/0 exposure without WAF or Auth.
infra-as-codesecurity-hardening+1
Critical
Pods must run as non-root with read-only root filesystem
Set securityContext.runAsNonRoot=true, runAsUser!=0, and readOnlyRootFilesystem=true on pods/containers.
infra-as-codesecurity-hardening+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret

Why this matters

Bad vs. good

More snippets

Related rules

Disallow public ingress without explicit allowlist

Pods must run as non-root with read-only root filesystem

Pulumi TS: secrets must use Config.requireSecret