Epic Goal

• ACM must create best practice NetworkPolicy CRs for the ACM hub.
• ACM must create best practice NetworkPolicy CRs for the ACM managed cluster.
• Provide the policies either out of the box or in the policy collection community

Why is this important?

• Using network policies for kubernetes workloads is an important best practice to follow for your clusters.  Tooling exists to create the Network Policies such as ACS.  Additionally ACM Policy can apply the Network Policies and it can deploy generic NetworkPolicy resources with kyverno's generate feature as in this example: https://github.com/stolostron/policy-collection/blob/main/stable/CM-Configuration-Management/policy-kyverno-add-network-policy.yaml
•  

Scenarios

1. Tools like ACS and Compliance operator will flag ACM namespaces as not having network policies which to the customer appears like a security gap.  We should include policies to fill this gap.

Acceptance Criteria

• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• ...

Dependencies (internal and external)

1. ...

Previous Work (Optional):

1. …

Open questions:

• Should the policy be included in the box or with the policy community?

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>