Namespace Protection

Where RBAC is applied at a higher level and Namespace-level protection is still needed, a separate policy can provide it. For example, one may want to protect creates, updates, and deletes on only a single Namespace. This policy blocks creates, updates, and deletes to any Namespace labeled with `freeze=true`. Caution should be exercised when using rules which match on all kinds (`"*"`), as on larger clusters this involves a substantial amount of processing on Kyverno's part; additional resource requests and/or limits may be required.

Policy Definition

/other/namespace-protection/namespace-protection.yaml

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: namespace-protection
  annotations:
    policies.kyverno.io/title: Namespace Protection
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace
    kyverno.io/kyverno-version: 1.9.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      Cases where RBAC may be applied at a higher level and where Namespace-level
      protections may be necessary can be accomplished with a separate policy. For example,
      one may want to protect creates, updates, and deletes on only a single Namespace. This
      policy will block creates, updates, and deletes to any Namespace labeled with `freeze=true`.
      Caution should be exercised when using rules which match on all kinds (`"*"`) as this will
      involve, for larger clusters, a substantial amount of processing on Kyverno's part. Additional
      resource requests and/or limits may be required.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: check-freeze
      match:
        any:
        - resources:
            kinds:
            - "*"
            namespaceSelector:
              matchExpressions:
                - key: freeze
                  operator: In
                  values:
                  - "true"
      validate:
        message: "This Namespace is frozen and no modifications may be performed."
        deny: {}
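To see which admission requests the `check-freeze` rule above would deny, here is an added model of its match logic in Python (not Kyverno's own code). It assumes a constructed set of Namespaces and their labels, evaluates the `namespaceSelector` with the full set of Kubernetes label `matchExpressions` operators rather than only the `In` used by the rule, and does not model how Kyverno treats the Namespace object itself.

```python
# Constructed model of the check-freeze rule (not Kyverno code): a request is
# denied when the rule's kinds match and the target Namespace's labels satisfy
# every matchExpression in the namespaceSelector.
POLICY_RULE = {
    "kinds": ["*"],
    "namespaceSelector": {
        "matchExpressions": [
            {"key": "freeze", "operator": "In", "values": ["true"]},
        ]
    },
    "message": "This Namespace is frozen and no modifications may be performed.",
}

# Constructed cluster state (assumption): Namespace name -> Namespace labels.
NAMESPACES = {
    "payments": {"freeze": "true", "team": "fin"},
    "sandbox": {"freeze": "false"},
    "default": {},
}


def label_expression_matches(labels, expr):
    """Evaluate one Kubernetes label matchExpression against a label map."""
    key, op = expr["key"], expr["operator"]
    values = expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unsupported operator {op}")


def rule_matches(rule, kind, namespace):
    """True when both the kinds list and the namespaceSelector match the request."""
    if "*" not in rule["kinds"] and kind not in rule["kinds"]:
        return False
    if namespace is None:  # cluster-scoped object: no Namespace labels to select on
        return False
    labels = NAMESPACES.get(namespace, {})
    exprs = rule["namespaceSelector"]["matchExpressions"]
    return all(label_expression_matches(labels, e) for e in exprs)


def admit(kind, namespace):
    """Return (allowed, message) as the Enforce-mode validate rule would decide."""
    if rule_matches(POLICY_RULE, kind, namespace):
        return False, POLICY_RULE["message"]
    return True, ""
```

Because `kinds` is `"*"`, every namespaced object in a `freeze=true` Namespace is rejected, while objects in unlabeled Namespaces and cluster-scoped objects pass through untouched.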