Add RoleBinding
Typically in multi-tenancy and other use cases, when a new Namespace is created, users and other principals must be given some permissions to create and interact with resources in the Namespace. Very commonly, Roles and RoleBindings are used to grant permissions at the Namespace level. This policy generates a RoleBinding called `<userName>-admin-binding` in the new Namespace which binds to the ClusterRole `admin` as long as a `cluster-admin` did not create the Namespace. Additionally, an annotation named `kyverno.io/user` is added to the RoleBinding recording the name of the user responsible for the Namespace's creation.
Policy Definition
/best-practices/add-rolebinding/add-rolebinding.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-rolebinding
  annotations:
    policies.kyverno.io/title: Add RoleBinding
    policies.kyverno.io/category: Multi-Tenancy
    policies.kyverno.io/subject: RoleBinding
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Typically in multi-tenancy and other use cases, when a new Namespace is created,
      users and other principals must be given some permissions to create and interact
      with resources in the Namespace. Very commonly, Roles and RoleBindings are used to
      grant permissions at the Namespace level. This policy generates a RoleBinding
      called `<userName>-admin-binding` in the new Namespace which binds to the ClusterRole
      `admin` as long as a `cluster-admin` did not create the Namespace. Additionally, an annotation
      named `kyverno.io/user` is added to the RoleBinding recording the name of the user responsible
      for the Namespace's creation.
spec:
  background: false
  rules:
  - name: generate-admin-binding
    match:
      any:
      - resources:
          kinds:
          - Namespace
    exclude:
      any:
      - clusterRoles:
        - cluster-admin
    generate:
      synchronize: true
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      name: "{{request.userInfo.username}}-admin-binding"
      namespace: "{{request.object.metadata.name}}"
      data:
        metadata:
          annotations:
            kyverno.io/user: "{{request.userInfo.username}}"
        roleRef:
          apiGroup: rbac.authorization.k8s.io
          kind: ClusterRole
          name: admin
        subjects:
        - kind: User
          name: "{{request.userInfo.username}}"
```
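To see what the rule above actually produces, the following added example (not Kyverno's engine and not part of the policy repository) simulates its match, exclude and generate steps over two constructed Namespace-creation admission requests. It resolves the same variables the policy uses (`request.userInfo.username`, `request.object.metadata.name`) and skips generation when the requester holds the `cluster-admin` ClusterRole. The requests, the user-to-ClusterRole lookup table and the user names are all made up for illustration; a real cluster derives ClusterRole membership from RBAC bindings rather than a fixed dictionary.

```python
"""Simulate the add-rolebinding ClusterPolicy over constructed admission requests.

Illustrative code only: the variable names and the cluster-admin exclusion follow
the policy, but the evaluation logic here is a simplified stand-in for Kyverno.
"""
import json
import re

# Constructed admission requests for Namespace creation (not captured from a cluster).
REQUEST_DEV = {
    "userInfo": {"username": "alice", "groups": ["system:authenticated"]},
    "object": {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "team-a"}},
}
REQUEST_CLUSTER_ADMIN = {
    "userInfo": {"username": "platform-admin", "groups": ["system:masters"]},
    "object": {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "infra"}},
}

# Assumed lookup of which ClusterRoles each requester holds. Kyverno resolves this
# from the API server's RBAC state; this table is a constructed substitute.
CLUSTER_ROLES_BY_USER = {"alice": ["view"], "platform-admin": ["cluster-admin"]}

VAR = re.compile(r"\{\{([A-Za-z0-9_.]+)\}\}")


def resolve(path, request):
    """Resolve a dotted variable such as request.userInfo.username against the request."""
    parts = path.split(".")
    if parts[0] != "request":
        raise KeyError(f"unsupported variable root: {path}")
    node = request
    for part in parts[1:]:
        node = node[part]
    return node


def substitute(template, request):
    """Replace every {{...}} reference in template with its value from the request."""
    return VAR.sub(lambda m: str(resolve(m.group(1), request)), template)


def matches(request):
    """match.any.resources.kinds: the rule applies to Namespace objects."""
    return request["object"]["kind"] == "Namespace"


def excluded(request):
    """exclude.any.clusterRoles: skip requesters that hold cluster-admin."""
    roles = CLUSTER_ROLES_BY_USER.get(request["userInfo"]["username"], [])
    return "cluster-admin" in roles


def generate_rolebinding(request):
    """Return the RoleBinding the policy would generate, or None when the rule does not fire."""
    if not matches(request) or excluded(request):
        return None
    user = substitute("{{request.userInfo.username}}", request)
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {
            "name": substitute("{{request.userInfo.username}}-admin-binding", request),
            "namespace": substitute("{{request.object.metadata.name}}", request),
            "annotations": {"kyverno.io/user": user},
        },
        "roleRef": {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "ClusterRole",
            "name": "admin",
        },
        "subjects": [{"kind": "User", "name": user}],
    }


if __name__ == "__main__":
    for req in (REQUEST_DEV, REQUEST_CLUSTER_ADMIN):
        print(req["userInfo"]["username"], "->", json.dumps(generate_rolebinding(req), indent=2))
```

Running the module prints a RoleBinding named `alice-admin-binding` in `team-a` for the ordinary user and `null` for the `cluster-admin` requester, which is the distinction the `exclude` block encodes: a Namespace created by someone who already has cluster-wide rights gets no extra binding.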