Add RoleBinding

Typically in multi-tenancy and other use cases, when a new Namespace is created, users and other principals must be given some permissions to create and interact with resources in the Namespace. Commonly, Roles and RoleBindings are used to grant permissions at the Namespace level. This policy generates a RoleBinding called `<userName>-admin-binding` in the new Namespace which binds the creating user to the built-in ClusterRole `admin`, unless the requester holds the `cluster-admin` ClusterRole, in which case the rule is excluded and nothing is generated. Additionally, an annotation named `kyverno.io/user` is added to the RoleBinding recording the name of the user responsible for the Namespace's creation. Because the rule reads `request.userInfo`, which only exists at admission time, it must run with `background: false`; and because the RoleBinding name is derived from the username, a username containing characters that are not valid in a Kubernetes object name (an email address, or a `system:serviceaccount:...` identity) will cause the generate step to fail rather than silently produce a binding.
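To make the rule's decision path concrete, the following is an added example, not code from the Kyverno project or this policy's page. It simulates, in plain Python, what the match, exclude and generate steps above would produce for a set of constructed Namespace CREATE requests: the request shape, the `clusterRoles` list (which Kyverno resolves from bindings before evaluating the rule and which is supplied here pre-resolved) and the sample users are all assumptions made for the illustration. It also applies the API server's DNS-subdomain name rule so the failure mode for unusual usernames is visible.

```python
import json
import re

# RFC 1123 DNS subdomain, which the API server requires for RoleBinding names
# (pattern and 253-character limit follow Kubernetes' name validation).
_DNS_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)


def render_rolebinding(request):
    """Return (rolebinding, reason) for one admission request.

    `request` mirrors only the parts of Kyverno's admission context the
    policy reads: request.object, request.userInfo.username and the
    cluster roles of the requester. This is a simulation of the rule's
    logic, not Kyverno's engine.
    """
    obj = request["object"]
    if obj.get("kind") != "Namespace":
        return None, "no match: rule only matches Namespace"
    # exclude: any: - clusterRoles: [cluster-admin]
    if "cluster-admin" in request.get("clusterRoles", []):
        return None, "excluded: requester holds the cluster-admin ClusterRole"

    username = request["userInfo"]["username"]
    name = f"{username}-admin-binding"
    # A generated object with an invalid name is rejected by the API server,
    # so surface that here instead of emitting an unusable manifest.
    if len(name) > 253 or not _DNS_SUBDOMAIN.match(name):
        return None, f"generate would fail: {name!r} is not a valid object name"

    rolebinding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {
            "name": name,
            "namespace": obj["metadata"]["name"],
            "annotations": {"kyverno.io/user": username},
        },
        "roleRef": {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "ClusterRole",
            "name": "admin",
        },
        "subjects": [{"kind": "User", "name": username}],
    }
    return rolebinding, "generated"


def _ns_request(username, namespace, cluster_roles=()):
    """Build a minimal constructed Namespace CREATE request (sample data)."""
    return {
        "operation": "CREATE",
        "object": {"apiVersion": "v1", "kind": "Namespace",
                   "metadata": {"name": namespace}},
        "userInfo": {"username": username, "groups": ["system:authenticated"]},
        "clusterRoles": list(cluster_roles),
    }


# Constructed sample requests covering the normal path and the edge cases.
SAMPLE_REQUESTS = {
    "developer": _ns_request("alice", "team-a"),
    "cluster_admin": _ns_request("ops-bob", "platform", cluster_roles=["cluster-admin"]),
    "email_username": _ns_request("carol@example.com", "team-c"),
    "service_account": _ns_request("system:serviceaccount:ci:builder", "ci-jobs"),
}


def evaluate_samples():
    """Run every sample request through the simulated rule."""
    return {label: render_rolebinding(req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, (rb, reason) in evaluate_samples().items():
        print(f"{label}: {reason}")
        if rb:
            print(json.dumps(rb, indent=2))
```

Running the script shows the full RoleBinding for `alice`, the exclusion for the `cluster-admin` holder, and the two cases where the derived name would be rejected; the last two are worth testing against your own identity provider's username format before relying on this policy for tenant onboarding.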

Policy Definition

/best-practices/add-rolebinding/add-rolebinding.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-rolebinding
  annotations:
    policies.kyverno.io/title: Add RoleBinding
    policies.kyverno.io/category: Multi-Tenancy
    policies.kyverno.io/subject: RoleBinding
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Typically in multi-tenancy and other use cases, when a new Namespace is created,
      users and other principals must be given some permissions to create and interact
      with resources in the Namespace. Very commonly, Roles and RoleBindings are used to
      grant permissions at the Namespace level. This policy generates a RoleBinding
      called `<userName>-admin-binding` in the new Namespace which binds to the ClusterRole
      `admin` as long as a `cluster-admin` did not create the Namespace. Additionally, an annotation
      named `kyverno.io/user` is added to the RoleBinding recording the name of the user responsible
      for the Namespace's creation.
spec:
  background: false
  rules:
    - name: generate-admin-binding
      match:
        any:
        - resources:
            kinds:
              - Namespace
      exclude:
        any:
        - clusterRoles:
          - cluster-admin
      generate:
        synchronize: true
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        name: "{{request.userInfo.username}}-admin-binding"
        namespace: "{{request.object.metadata.name}}"
        data:
          metadata:
            annotations:
              kyverno.io/user: "{{request.userInfo.username}}"
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: admin
          subjects:
            - kind: User
              name: "{{request.userInfo.username}}"