Disallow Default Namespace
Kubernetes Namespaces are an optional feature that provides a way to segment and isolate cluster resources across multiple applications and users. As a best practice, workloads should be isolated with Namespaces. Namespaces should be required and the default (empty) Namespace should not be used. This policy validates that Pods specify a Namespace name other than `default`.
Policy Definition
/best-practices/disallow_default_namespace/disallow_default_namespace.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-default-namespace
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Disallow Default Namespace
    policies.kyverno.io/category: Multi-Tenancy
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Kubernetes Namespaces are an optional feature that provide a way to segment and
      isolate cluster resources across multiple applications and users. As a best
      practice, workloads should be isolated with Namespaces. Namespaces should be required
      and the default (empty) Namespace should not be used. This policy validates that Pods
      specify a Namespace name other than `default`.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: validate-namespace
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: "Using 'default' namespace is not allowed."
      pattern:
        metadata:
          namespace: "!default"
  - name: validate-podcontroller-namespace
    match:
      resources:
        kinds:
        - DaemonSet
        - Deployment
        - Job
        - StatefulSet
    validate:
      message: "Using 'default' namespace is not allowed for pod controllers."
      pattern:
        metadata:
          namespace: "!default"
```
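
With `validationFailureAction: audit` the policy reports violations instead of blocking them, so it helps to know which existing workloads it would flag. The script below is an added example, not part of the Kyverno policy library: it mirrors the two rules over JSON in the shape `kubectl get -o json` prints, and the function name, the sample objects, and the treatment of a missing `metadata.namespace` as `default` are assumptions.

```python
import json

# Kinds matched by the policy's two rules, with each rule's name and message.
RULES = {
    "validate-namespace": (
        {"Pod"}, "Using 'default' namespace is not allowed."),
    "validate-podcontroller-namespace": (
        {"DaemonSet", "Deployment", "Job", "StatefulSet"},
        "Using 'default' namespace is not allowed for pod controllers."),
}


def violations(kubectl_json):
    """Return (rule, kind, name, message) for each object the policy would flag.

    Accepts a single object or a `kind: List` as printed by `kubectl get -o json`.
    Assumption: a missing or empty metadata.namespace counts as `default`,
    following the page's "default (empty) Namespace" wording.
    """
    doc = json.loads(kubectl_json)
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    found = []
    for obj in items:
        meta = obj.get("metadata") or {}
        namespace = meta.get("namespace") or "default"
        for rule, (kinds, message) in RULES.items():
            # The pattern `namespace: "!default"` passes for any other value.
            if obj.get("kind") in kinds and namespace == "default":
                found.append(
                    (rule, obj["kind"], meta.get("name", "<unnamed>"), message))
    return found


# Constructed sample input, not taken from a real cluster.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Pod", "metadata": {"name": "debug", "namespace": "default"}},
    {"kind": "Pod", "metadata": {"name": "api", "namespace": "payments"}},
    {"kind": "Deployment", "metadata": {"name": "web"}},  # no namespace set
    {"kind": "StatefulSet", "metadata": {"name": "db", "namespace": "payments"}},
    {"kind": "ConfigMap", "metadata": {"name": "cfg", "namespace": "default"}},
]})

if __name__ == "__main__":
    for rule, kind, name, message in violations(SAMPLE):
        print(f"{rule}: {kind}/{name}: {message}")
```

The ConfigMap in the sample is not reported because neither rule matches that kind.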