Back to Policies

Disallow binding to self-provisioner cluster role in OpenShift

This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-self-provisioner-binding
  annotations:
    policies.kyverno.io/title: Disallow binding to self-provisioner cluster role in OpenShift
    policies.kyverno.io/category: OpenShift
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.20"
    policies.kyverno.io/subject: ClusterRoleBinding, RBAC
    policies.kyverno.io/description: This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-self-provisioner-binding-no-subject
      match:
        any:
          - resources:
              kinds:
                - ClusterRoleBinding
      preconditions:
        all:
          - key: "{{request.object.metadata.name}}"
            operator: Equals
            value: self-provisioners
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: UPDATE
      validate:
        message: Modifying the self-provisioners ClusterRoleBinding is not allowed.
        deny: {}
    - name: check-self-provisioner-binding-with-subject
      match:
        any:
          - resources:
              kinds:
                - ClusterRoleBinding
      preconditions:
        all:
          - key: "{{request.object.metadata.name || ''}}"
            operator: NotEquals
            value: self-provisioners
      validate:
        message: Binding to the self-provisioners cluster role is not allowed.
        deny:
          conditions:
            all:
              - key: self-provisioner
                operator: AnyIn
                value: "{{request.object.roleRef.name}}"

Related Policies

ValidateMedium

Application Field Validation in CEL expressions

This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.

Application
ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application