Generate Flux Multi-Tenant Resources
As part of the tenant provisioning process, Flux needs to generate RBAC resources. This policy will create a ServiceAccount and a RoleBinding (granting the `cluster-admin` ClusterRole inside that Namespace only, since a RoleBinding is namespace-scoped) when a new or existing Namespace is labeled with `toolkit.fluxcd.io/tenant`. Because a namespace-admin binding is minted from a label, whoever is allowed to label Namespaces is effectively allowed to create tenant admins, so restrict that right accordingly. Use of this policy may require an additional binding for the Kyverno ServiceAccount: Kubernetes RBAC escalation prevention only lets a principal create a RoleBinding whose role it already holds in that namespace (or for which it has the `bind` verb on the ClusterRole), so without such a binding the RoleBinding rule is rejected as forbidden.
Policy Definition
/flux/generate-flux-multi-tenant-resources/generate-flux-multi-tenant-resources.yaml
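# Kyverno generate policy for Flux multi-tenancy.
#
# Trigger: a Namespace carrying a non-empty `toolkit.fluxcd.io/tenant` label
# (the "?*" wildcard in the selectors below matches any non-empty value).
#
# Effect: inside that Namespace, Kyverno creates
#   - a ServiceAccount named after the tenant label, and
#   - a RoleBinding that grants the `cluster-admin` ClusterRole to the User
#     `flux:<namespace>:<tenant>` and to that ServiceAccount. A RoleBinding is
#     namespace-scoped, so this is admin over the tenant Namespace only, not
#     over the cluster.
#
# Operator notes:
#   - Anyone who can set the tenant label on a Namespace can mint a
#     namespace-admin ServiceAccount; treat the right to label Namespaces as
#     privileged.
#   - Kubernetes RBAC escalation prevention applies to Kyverno's own
#     ServiceAccount: to create a RoleBinding referencing `cluster-admin` it
#     must already hold those permissions in the target Namespace or have the
#     `bind` verb on that ClusterRole. Otherwise the RoleBinding rule is
#     rejected as forbidden (this is the "additional binding" the description
#     refers to).
#   - `synchronize: false` on both rules: each resource is created once and
#     Kyverno does not reconcile later edits or deletions of it.
#   - The rule-level `name`/`namespace` under `generate` are what Kyverno uses
#     to identify the created object; the `data.metadata` values are kept
#     identical to them so the two can never disagree.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-flux-multi-tenant-resources
  annotations:
    policies.kyverno.io/title: Generate Flux Multi-Tenant Resources
    policies.kyverno.io/category: Flux
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: ServiceAccount, RoleBinding
    policies.kyverno.io/description: >-
      As part of the tenant provisioning process, Flux needs to generate RBAC resources. This policy
      will create a ServiceAccount and RoleBinding when a new or existing Namespace is labeled
      with `toolkit.fluxcd.io/tenant`. Use of this rule may require an additional binding for the
      Kyverno ServiceAccount so it has permissions to properly create the RoleBinding.
spec:
  rules:
    # Rule 1: the tenant ServiceAccount, named after the label value.
    - name: generate-flux-sa
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  # Wildcard: any non-empty tenant label value.
                  toolkit.fluxcd.io/tenant: "?*"
      generate:
        apiVersion: v1
        kind: ServiceAccount
        # The label key contains dots and a slash, so it is quoted inside the
        # JMESPath expression; single-quoting the YAML value avoids escaping.
        name: '{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}'
        namespace: "{{request.object.metadata.name}}"
        # Create once; do not re-create or update afterwards.
        synchronize: false
        data:
          metadata:
            labels:
              toolkit.fluxcd.io/tenant: '{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}'
            # Kept identical to the rule-level name/namespace above.
            name: '{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}'
            namespace: "{{request.object.metadata.name}}"
    # Rule 2: namespace-scoped cluster-admin for the Flux identity and the
    # ServiceAccount generated by rule 1.
    - name: generate-flux-rolebinding
      match:
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchLabels:
                  toolkit.fluxcd.io/tenant: "?*"
      generate:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        name: '{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}'
        namespace: "{{request.object.metadata.name}}"
        # Create once; do not re-create or update afterwards.
        synchronize: false
        data:
          metadata:
            labels:
              toolkit.fluxcd.io/tenant: '{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}'
            # Previously "flux-<tenant>", which disagreed with the rule-level
            # `name` above; the two now match so Kyverno's lookup and the
            # created object refer to the same RoleBinding.
            name: '{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}'
            namespace: "{{request.object.metadata.name}}"
          # cluster-admin via a RoleBinding is scoped to this Namespace only.
          # Creating it requires Kyverno's ServiceAccount to hold these
          # permissions here, or to have `bind` on the ClusterRole.
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: cluster-admin
          subjects:
            # Flux reconciler identity for this tenant.
            - kind: User
              name: 'flux:{{request.object.metadata.name}}:{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}'
            # ServiceAccount created by rule 1 in the same Namespace.
            - kind: ServiceAccount
              name: '{{request.object.metadata.labels."toolkit.fluxcd.io/tenant"}}'
              namespace: "{{request.object.metadata.name}}"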