Policy: disallow-reserved-namespaces

Disallow creation and editing of reserved namespaces
Category: Namespace Ownership

Minimum Kyverno version: v1

Subject: APPUiO Organizations

Policy types: validate

Implementation: component/namespace-policies.jsonnet

This policy will:

  • Check if the namespace name of the request matches one of the disallowed namespace patterns.

  • Check if the requesting user/serviceaccount has a cluster role that allows them to create reserved namespaces.

If the namespace matches a disallowed pattern and the requester doesn’t have a cluster role which allows them to bypass the policy, the request is denied. The policy is applied for requests to create Namespace and ProjectRequest resources. This ensures that unprivileged users can’t use disallowed patterns regardless of whether they use oc new-project, kubectl create ns or the OpenShift web console.

The list of reserved namespace patterns is configured with component parameter reservedNamespaces.

Requesters which match an entry of component parameter bypassNamespaceRestrictions are allowed to bypass the policy.
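The decision logic described above, written out as an added Python model (this is not the component's jsonnet or Kyverno's own code). It reproduces the two checks: wildcard matching of the namespace name against the reserved patterns, then the bypass check against cluster roles and service-account subjects. The pattern list is the one from the policy on this page; the bypass sets are a constructed subset of the policy's exclude list, and the requester's bound cluster roles are passed in directly, whereas Kyverno resolves them from RBAC bindings.

```python
import re

# Reserved patterns from the policy's match.resources.names.
RESERVED_PATTERNS = ["appuio-*", "cilium*", "default", "kube-*", "openshift-*", "syn-*"]
# Constructed subset of the policy's exclude list (bypassNamespaceRestrictions).
BYPASS_CLUSTER_ROLES = {"cluster-admin", "syn-admin", "kyverno:policycontroller"}
BYPASS_SERVICE_ACCOUNTS = {("argocd", "argocd-application-controller")}  # (namespace, name)


def wildcard_match(pattern, name):
    """Kyverno-style wildcard: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None


def is_reserved(name):
    """True if the requested namespace name hits any reserved pattern."""
    return any(wildcard_match(p, name) for p in RESERVED_PATTERNS)


def service_account_of(username):
    """Map 'system:serviceaccount:<ns>:<name>' to (ns, name); None for ordinary users."""
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return (parts[2], parts[3])
    return None


def evaluate(kind, name, username, cluster_roles=()):
    """Return (allowed, reason) for a CREATE of the given resource.

    cluster_roles: ClusterRoles bound to the requester. Kyverno derives these from
    RBAC at admission time; this model simply takes them as input (assumption).
    """
    if kind not in ("Namespace", "ProjectRequest"):
        return True, "resource kind not matched by the policy"
    if not is_reserved(name):
        return True, "namespace name is not reserved"
    # Both bypass routes are checked only after the name matched a reserved pattern.
    if set(cluster_roles) & BYPASS_CLUSTER_ROLES:
        return True, "requester excluded via bypass cluster role"
    if service_account_of(username) in BYPASS_SERVICE_ACCOUNTS:
        return True, "requester excluded via bypass service account"
    return False, "Changing or creating reserved namespaces is not allowed."


if __name__ == "__main__":
    # Constructed sample requests: oc new-project (ProjectRequest) and kubectl create ns.
    print(evaluate("ProjectRequest", "syn-demo", "alice"))
    print(evaluate("Namespace", "openshift-x", "system:serviceaccount:argocd:argocd-application-controller"))
```

Note that `cilium*` also covers the bare name `cilium`, while `kube-*` does not cover `kube`; the model reproduces that edge of Kyverno's wildcard semantics.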

Policy Definition

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Namespace Ownership
    policies.kyverno.io/description: 'This policy will:


      - Check if the namespace name of the request matches one of the disallowed namespace
      patterns.

      - Check if the requesting user/serviceaccount has a cluster role that allows
      them to create reserved namespaces.


      If the namespace matches a disallowed pattern and the requester doesn''t have
      a cluster role which allows them to bypass the policy, the request is denied.

      The policy is applied for requests to create `Namespace` and `ProjectRequest`
      resources.

      This ensures that unprivileged users can''t use disallowed patterns regardless
      of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web
      console.


      The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component
      parameter `reservedNamespaces`].


      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.

      '
    policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
    policies.kyverno.io/minversion: v1
    policies.kyverno.io/subject: APPUiO Organizations
    policies.kyverno.io/title: Disallow creation and editing of reserved namespaces
  labels:
    app.kubernetes.io/component: appuio-cloud
    app.kubernetes.io/managed-by: commodore
    app.kubernetes.io/name: appuio-cloud
    name: disallow-reserved-namespaces
  name: disallow-reserved-namespaces
spec:
  background: false
  rules:
    - exclude:
        any:
          - clusterRoles:
              - cluster-admin
              - cluster-image-registry-operator
              - cluster-node-tuning-operator
              - kyverno:generatecontroller
              - kyverno:policycontroller
              - multus-admission-controller-webhook
              - openshift-dns-operator
              - openshift-ingress-operator
              - syn-admin
              - syn-argocd-application-controller
              - syn-argocd-server
              - system:controller:generic-garbage-collector
              - system:controller:operator-lifecycle-manager
              - system:master
              - system:openshift:controller:namespace-security-allocation-controller
              - system:openshift:controller:podsecurity-admission-label-syncer-controller
          - subjects:
              - kind: ServiceAccount
                name: argocd-application-controller
                namespace: argocd
              - kind: ServiceAccount
                name: namespace-openshift-config-2c8343f13594d63-manager
                namespace: syn-resource-locker
              - kind: ServiceAccount
                name: namespace-default-d6a0af6dd07e8a3-manager
                namespace: syn-resource-locker
              - kind: ServiceAccount
                name: namespace-openshift-monitoring-c4273dc15ddfdf7-manager
                namespace: syn-resource-locker
      match:
        all:
          - resources:
              kinds:
                - Namespace
                - ProjectRequest
              names:
                - appuio-*
                - cilium*
                - default
                - kube-*
                - openshift-*
                - syn-*
      name: disallow-reserved-namespaces
      validate:
        deny: {}
        message: Changing or creating reserved namespaces is not allowed.
  validationFailureAction: enforce