Back to Policies

Check SubjectAccessReview

In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check if these permissions are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server and have it figure out those permissions. This policy illustrates how to perform a POST request to the API server to subject a SubjectAccessReview for a user creating/updating a ConfigMap. It is intended to be used as a component in a more functional rule.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: check-subjectaccessreview
  annotations:
    policies.kyverno.io/title: Check SubjectAccessReview
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: SubjectAccessReview
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check if these permissions are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server and have it figure out those permissions. This policy illustrates how to perform a POST request to the API server to subject a SubjectAccessReview for a user creating/updating a ConfigMap. It is intended to be used as a component in a more functional rule.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: check-sar
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
      context:
        - name: subjectaccessreview
          apiCall:
            urlPath: /apis/authorization.k8s.io/v1/subjectaccessreviews
            method: POST
            data:
              - key: kind
                value: SubjectAccessReview
              - key: apiVersion
                value: authorization.k8s.io/v1
              - key: spec
                value:
                  resourceAttributes:
                    resource: namespaces
                    namespace: "{{ request.namespace }}"
                    verb: delete
                    group: ""
                  user: "{{ request.userInfo.username }}"
      validate:
        message: User is not authorized.
        deny:
          conditions:
            any:
              - key: "{{ subjectaccessreview.status.allowed }}"
                operator: NotEquals
                value: true

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application