Block Updates and Deletes

Kubernetes RBAC can grant or deny verbs on a kind of resource, or on resources with specific names (`resourceNames`), but it cannot scope a rule to resources that carry a particular label, which is the granularity more complex environments often need. This policy denies UPDATE and DELETE requests on any Service labelled `protected=true` unless the requester is bound to the `cluster-admin` ClusterRole (Kyverno resolves the caller's roles from the RoleBindings and ClusterRoleBindings in the cluster at admission time). Because `request.operation` is only populated during admission, the policy sets `background: false`; existing protected Services are not reported, they are simply blocked the next time someone tries to change or remove them.

Policy Definition

/other/block-updates-deletes/block-updates-deletes.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-updates-deletes
  annotations:
    policies.kyverno.io/title: Block Updates and Deletes
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: RBAC
    policies.kyverno.io/description: >-
      Kubernetes RBAC allows for controls on kinds of resources or those
      with specific names. But it does not have the type of granularity often
      required in more complex environments. This policy restricts updates and deletes to any
      Service resource that contains the label `protected=true` unless by
      a cluster-admin.
spec:
  validationFailureAction: Enforce
  # request.operation only exists in the admission context, so the rule
  # cannot be evaluated against resources already in the cluster.
  background: false
  rules:
  - name: block-updates-deletes
    match:
      any:
      - resources:
          kinds:
          - Service
          # Only Services carrying this label are in scope.
          selector:
            matchLabels:
              protected: "true"
    # Requesters bound to the cluster-admin ClusterRole skip the rule entirely.
    exclude:
      any:
      - clusterRoles:
        - cluster-admin
    validate:
      message: "This resource is protected and changes are not allowed. Please seek a cluster-admin."
      # Deny when the admission operation is DELETE or UPDATE; CREATE is unaffected.
      # The fallback keeps the expression valid if the variable is ever absent.
      deny:
        conditions:
          any:
            - key: "{{request.operation || 'BACKGROUND'}}"
              operator: AnyIn
              value:
              - DELETE
              - UPDATE
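The check a practitioner wants after applying this policy is to exercise all of its branches with kubectl impersonation rather than trusting the YAML: a protected Service touched by a non-admin must be denied with this policy's message, while a cluster-admin and an unprotected Service must both pass. The script below is an added example and not part of the Kyverno policy library. It assumes kubectl targets a cluster with Kyverno and the policy installed, that the current context is bound to `cluster-admin` and is allowed to impersonate, and that the hypothetical user `dev-user` has RBAC rights to update and delete Services in `$NAMESPACE` but no `cluster-admin` binding. The Service names `protected-svc` and `unprotected-svc` are constructed for the test.

```bash
#!/usr/bin/env bash
# Added example, not part of the Kyverno policy library: impersonation-based
# smoke test for the block-updates-deletes policy. Assumes kubectl points at a
# cluster with Kyverno and the policy installed, the current context is bound
# to cluster-admin and may impersonate, and the hypothetical user "dev-user"
# can edit/delete Services in $NAMESPACE but holds no cluster-admin binding.

NAMESPACE="${NAMESPACE:-default}"
DEV_USER="${DEV_USER:-dev-user}"          # hypothetical non-admin identity
POLICY_MSG="This resource is protected and changes are not allowed"

# 0 when kubectl's error text carries this policy's deny message, 1 otherwise.
denied_by_policy() { printf '%s' "$1" | grep -q -- "$POLICY_MSG"; }

# The rule denies only when the Service carries protected=true AND the caller
# is not bound to cluster-admin; every other combination must be allowed.
expected_outcome() {
  if [ "$1" = "true" ] && [ "$2" = "false" ]; then echo DENY; else echo ALLOW; fi
}

# Map a kubectl exit status and its stderr to ALLOW, DENY (this policy) or
# ERROR (rejected for another reason, e.g. plain RBAC or a missing object).
observed_outcome() {
  if [ "$1" -eq 0 ]; then echo ALLOW
  elif denied_by_policy "$2"; then echo DENY
  else echo ERROR; fi
}

# kubectl wrapper: impersonate $AS_USER when set, else use the current context.
kc() {
  if [ -n "${AS_USER:-}" ]; then kubectl -n "$NAMESPACE" --as="$AS_USER" "$@"
  else kubectl -n "$NAMESPACE" "$@"; fi
}

# Create a ClusterIP Service, optionally labelled protected=true (constructed test object).
create_service() {
  local labels=""
  [ "$2" = "true" ] && labels='  labels: {protected: "true"}'
  kubectl -n "$NAMESPACE" apply -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $1
$labels
spec:
  selector: {app: $1}
  ports: [{port: 80}]
EOF
}

# Attempt an UPDATE (annotate) and a DELETE on $name as $user; count mismatches.
check_case() {
  local name="$1" protected="$2" user="$3" admin="$4" op err status want got fails=0
  want="$(expected_outcome "$protected" "$admin")"
  AS_USER="$user"
  for op in UPDATE DELETE; do
    if [ "$op" = UPDATE ]; then
      err="$(kc annotate svc "$name" smoke-test=1 --overwrite 2>&1 >/dev/null)"
    else
      err="$(kc delete svc "$name" 2>&1 >/dev/null)"
    fi
    status=$?
    got="$(observed_outcome "$status" "$err")"
    printf '%-6s %-16s protected=%-5s user=%-10s want=%s got=%s\n' \
      "$op" "$name" "$protected" "${user:-<context>}" "$want" "$got"
    [ "$want" = "$got" ] || fails=$((fails + 1))
  done
  AS_USER=""
  return "$fails"
}

main() {
  local rc=0
  create_service protected-svc true    >/dev/null
  create_service unprotected-svc false >/dev/null
  # Order matters: the denied non-admin attempts leave protected-svc in place
  # for the admin run, which is expected to delete it.
  check_case protected-svc   true  "$DEV_USER" false || rc=1
  check_case protected-svc   true  ""          true  || rc=1
  check_case unprotected-svc false "$DEV_USER" false || rc=1
  kubectl -n "$NAMESPACE" delete svc protected-svc unprotected-svc --ignore-not-found >/dev/null
  return "$rc"
}

# Only touch a cluster when one is reachable; the helpers stay testable offline.
if command -v kubectl >/dev/null 2>&1 && kubectl cluster-info >/dev/null 2>&1; then
  main
fi
```

An ERROR result on the `dev-user` rows means the request never reached Kyverno (typically the user lacks plain RBAC rights on Services), so the policy was not actually exercised; fix the RoleBinding and rerun rather than reading it as a pass.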