Limit ConfigMap to ServiceAccounts for a User
This policy shows how to restrict create and update operations on specific ConfigMaps (selected by namespace and name) so that only designated ServiceAccounts may perform them. As written it runs in Audit mode, so violations are reported rather than blocked.
Policy Definition
/other/limit-configmap-for-sa/limit-configmap-for-sa.yaml
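apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: limit-configmap-for-sa
  annotations:
    policies.kyverno.io/title: Limit ConfigMap to ServiceAccounts for a User
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    # Quoted like the line below: annotation values must be strings and a
    # version-looking scalar should never be re-typed on a YAML round-trip.
    kyverno.io/kyverno-version: "1.6.0"
    kyverno.io/kubernetes-version: "1.20-1.23"
    policies.kyverno.io/subject: ConfigMap, ServiceAccount
    policies.kyverno.io/description: This policy shows how to restrict certain operations on specific ConfigMaps by ServiceAccounts.
spec:
  # Admission-time only: the rule keys on request.operation and on the requesting
  # subject, neither of which is available in a background scan.
  background: false
  # Audit mode records violations instead of rejecting the request; nothing is
  # actually blocked until this is switched to Enforce. Keep Audit while the
  # namespace/name lists below are still placeholders.
  validationFailureAction: Audit
  rules:
  - name: limit-configmap-for-sa-developer
    match:
      any:
      # First entry: with `subjects` commented out, this matches ConfigMap requests
      # from EVERY subject (cluster admins included), so the deny below applies to
      # all of them once the preconditions pass. Uncomment `subjects`, or add an
      # `exclude` block for admin groups, to limit the rule to chosen accounts --
      # the message text promises an admin exception that nothing here implements.
      - resources:
          kinds:
          - ConfigMap
        # subjects:
        # - kind: ServiceAccount
        #   name: developer
        #   namespace: kube-system
      - resources:
          kinds:
          - ConfigMap
        subjects:
        - kind: ServiceAccount
          name: another-developer
          namespace: another-namespace
    # Only ConfigMaps whose namespace AND name are in these lists are protected;
    # every other ConfigMap is ignored by this rule. Both lists are sample values.
    preconditions:
      all:
      - key: "{{request.object.metadata.namespace}}"
        operator: AnyIn
        value:
        - "any-namespace"
        - "another-namespace"
      - key: "{{request.object.metadata.name}}"
        operator: AnyIn
        value:
        - "any-configmap-name-good"
        - "another-configmap-name"
    validate:
      message: "{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} resource is protected. Admin or allowed users can change the resource"
      deny:
        conditions:
          all:
          # `|| 'BACKGROUND'` gives the JMESPath expression a value when
          # request.operation is absent, so it never errors. Only CREATE and UPDATE
          # are denied: DELETE is not listed, so a matched subject can still delete
          # a "protected" ConfigMap. NOTE(review): adding DELETE presumably also
          # requires the preconditions to read request.oldObject, since the deleted
          # object is not in request.object -- confirm against the Kyverno version
          # in use before extending the list.
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: AnyIn
            value:
            - UPDATE
            - CREATE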