Validate Team Namespace Schema

Naming patterns are commonplace in clusters where creation activities are granted to other users. To keep such clusters organized, admins often need to establish patterns for consistency. This policy denies the creation of a Namespace if its name does not follow a naming pattern defined by the cluster admins. As defined below, the name must start with one of the requesting user's groups whose name contains no `:`, followed by `-`.

Policy Definition

/openshift/team-validate-ns-name/team-validate-ns-name.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: team-validate-ns-name
  annotations:
    policies.kyverno.io/title: Validate Team Namespace Schema
    policies.kyverno.io/category: OpenShift
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Namespace
    policies.kyverno.io/description: >-
      Naming patterns are commonplace in clusters where creation activities
      are granted to other users. In order to maintain organization, it is often
      such that patterns should be established for organizational consistency.
      This policy denies the creation of a Namespace if the name of the Namespace does
      not follow a specific naming defined by the cluster admins.
spec:
  # Audit records violations in policy reports without blocking the request;
  # set to Enforce to actually deny non-conforming names.
  validationFailureAction: Audit
  # Evaluate admission requests only; the rule depends on request.userInfo.
  background: false
  rules:
  - name: team-validate-ns-name
    match:
      any:
      - resources:
          kinds:
            - Namespace
            - ProjectRequest
            - Project
        # subjects:
        # - kind: Group
        #   name: "system:authenticated"
    validate:
      message: The only names approved for your Namespaces are the ones starting by {{request.userInfo.groups[?contains(@,':') == `false`]}}-*
      deny:
        conditions:
          any:
          # Deny when the requested name matches none of the "<group>-*" patterns.
          - key: "{{request.object.metadata.name}}"
            operator: AnyNotIn
            # Keep only groups without ':' and turn each into "<group>-*".
            value: "{{ request.userInfo.groups[?contains(@,':') == `false`][].join('-', [@, '*']) }}"
```
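The rule's JMESPath expression and deny condition, modelled in Python as an added example (this is not Kyverno's code or part of the policy). The group and Namespace names are constructed, and the matcher assumes the `*`/`?` glob comparison that the policy's `-*` suffix relies on.

```python
import re

def wildcard_match(pattern, text):
    """Glob match supporting only '*' and '?' (assumed model of the AnyNotIn comparison)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text, re.DOTALL) is not None

def allowed_patterns(groups):
    """Mirror of groups[?contains(@, ':') == `false`][].join('-', [@, '*'])."""
    return [f"{g}-*" for g in groups if ":" not in g]

def is_denied(name, groups):
    """Deny condition: true when the name matches none of the allowed patterns."""
    return not any(wildcard_match(p, name) for p in allowed_patterns(groups))

# Constructed samples: (request.object.metadata.name, request.userInfo.groups)
SAMPLES = [
    ("team-a-payments", ["team-a", "system:authenticated"]),
    ("payments",        ["team-a", "system:authenticated"]),
    ("team-a",          ["team-a", "system:authenticated"]),  # lacks the "-" separator
    ("team-b-web",      ["team-a", "team-b", "system:authenticated:oauth"]),
    ("anything",        ["system:authenticated"]),             # no group without ':'
    ("dev-ops-ci",      ["dev", "system:authenticated"]),      # "dev-*" covers "dev-ops-*"
]

def evaluate(samples=SAMPLES):
    """Return (name, verdict) for each sample request."""
    return [(n, "deny" if is_denied(n, g) else "allow") for n, g in samples]

if __name__ == "__main__":
    for name, verdict in evaluate():
        print(f"{verdict:5}  {name}")
```

A user whose groups all contain `:` gets an empty pattern list, so every name is flagged. The last sample shows that a group name that is a hyphen-prefix of another (`dev` and `dev-ops`) matches both teams' Namespaces.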