Back to Policies

Check SubjectAccessReview

In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check if these permissions are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server and have it figure out those permissions. This policy illustrates how to perform a POST request to the API server to subject a SubjectAccessReview for a user creating/updating a ConfigMap. It is intended to be used as a component in a more functional rule.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: check-subjectaccessreview
  annotations:
    policies.kyverno.io/title: Check SubjectAccessReview
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: SubjectAccessReview
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check if these permissions are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server and have it figure out those permissions. This policy illustrates how to perform a POST request to the API server to subject a SubjectAccessReview for a user creating/updating a ConfigMap. It is intended to be used as a component in a more functional rule.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: check-sar
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
      context:
        - name: subjectaccessreview
          apiCall:
            urlPath: /apis/authorization.k8s.io/v1/subjectaccessreviews
            method: POST
            data:
              - key: kind
                value: SubjectAccessReview
              - key: apiVersion
                value: authorization.k8s.io/v1
              - key: spec
                value:
                  resourceAttributes:
                    resource: namespaces
                    namespace: "{{ request.namespace }}"
                    verb: delete
                    group: ""
                  user: "{{ request.userInfo.username }}"
      validate:
        message: User is not authorized.
        deny:
          conditions:
            any:
              - key: "{{ subjectaccessreview.status.allowed }}"
                operator: NotEquals
                value: true

Related Policies

ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application
ValidateMedium

Ensure ApplicationSet Name Matches Project in CEL expressions

This policy ensures that the name of the ApplicationSet is the same value provided in the project.

ApplicationSet