Back to Policies

Check SubjectAccessReview

In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check if these permissions are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server and have it figure out those permissions. This policy illustrates how to perform a POST request to the API server to subject a SubjectAccessReview for a user creating/updating a ConfigMap. It is intended to be used as a component in a more functional rule.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: check-subjectaccessreview
  annotations:
    policies.kyverno.io/title: Check SubjectAccessReview
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: SubjectAccessReview
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check if these permissions are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server and have it figure out those permissions. This policy illustrates how to perform a POST request to the API server to subject a SubjectAccessReview for a user creating/updating a ConfigMap. It is intended to be used as a component in a more functional rule.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: check-sar
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
      context:
        - name: subjectaccessreview
          apiCall:
            urlPath: /apis/authorization.k8s.io/v1/subjectaccessreviews
            method: POST
            data:
              - key: kind
                value: SubjectAccessReview
              - key: apiVersion
                value: authorization.k8s.io/v1
              - key: spec
                value:
                  resourceAttributes:
                    resource: namespaces
                    namespace: "{{ request.namespace }}"
                    verb: delete
                    group: ""
                  user: "{{ request.userInfo.username }}"
      validate:
        message: User is not authorized.
        deny:
          conditions:
            any:
              - key: "{{ subjectaccessreview.status.allowed }}"
                operator: NotEquals
                value: true

Related Policies

ValidateMedium

Application Field Validation in CEL expressions

This policy performs some best practices validation on Application fields. Path or chart must be specified but never both. And destination.name or destination.server must be specified but never both.

Application
ValidateMedium

Prevent Use of Default Project in CEL expressions

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project in CEL expressions

This policy prevents updates to the project field after an Application is created.

Application