Policy: disallow-reserved-namespaces
Disallow creation and editing of reserved namespaces
| Category | Namespace Ownership |
| Minimum Kyverno version | v1 |
| Subject | APPUiO Organizations |
| Policy types | |
Implementation |
This policy will:

- Check if the namespace name of the request matches one of the disallowed namespace patterns.
- Check if the requesting user/serviceaccount has a cluster role that allows them to create reserved namespaces.

If the namespace matches a disallowed pattern and the requester doesn’t have a cluster role which allows them to bypass the policy, the request is denied.

The policy is applied for requests to create `Namespace` and `ProjectRequest` resources. This ensures that unprivileged users can’t use disallowed patterns regardless of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web console.

The list of reserved namespace patterns is configured with component parameter `reservedNamespaces`. Requesters which match an entry of component parameter `bypassNamespaceRestrictions` are allowed to bypass the policy.
Policy Definition
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Namespace Ownership
    policies.kyverno.io/description: |
      This policy will:
      - Check if the namespace name of the request matches one of the disallowed namespace patterns.
      - Check if the requesting user/serviceaccount has a cluster role that allows them to create reserved namespaces.
      If the namespace matches a disallowed pattern and the requester doesn't have a cluster role which allows them to bypass the policy, the request is denied.
      The policy is applied for requests to create `Namespace` and `ProjectRequest` resources.
      This ensures that unprivileged users can't use disallowed patterns regardless of whether they use `oc new-project`, `kubectl create ns` or the OpenShift web console.
      The list of reserved namespace patterns is configured with xref:references/parameters#_reservednamespaces[component parameter `reservedNamespaces`].
      Requesters which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
    policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
    policies.kyverno.io/minversion: v1
    policies.kyverno.io/subject: APPUiO Organizations
    policies.kyverno.io/title: Disallow creation and editing of reserved namespaces
  labels:
    app.kubernetes.io/component: appuio-cloud
    app.kubernetes.io/managed-by: commodore
    app.kubernetes.io/name: appuio-cloud
    name: disallow-reserved-namespaces
  name: disallow-reserved-namespaces
spec:
  background: false
  rules:
    - exclude:
        any:
          - clusterRoles:
              - cluster-admin
              - cluster-image-registry-operator
              - cluster-node-tuning-operator
              - kyverno:generatecontroller
              - kyverno:policycontroller
              - multus-admission-controller-webhook
              - openshift-dns-operator
              - openshift-ingress-operator
              - syn-admin
              - syn-argocd-application-controller
              - syn-argocd-server
              - system:controller:generic-garbage-collector
              - system:controller:operator-lifecycle-manager
              - system:master
              - system:openshift:controller:namespace-security-allocation-controller
              - system:openshift:controller:podsecurity-admission-label-syncer-controller
          - subjects:
              - kind: ServiceAccount
                name: argocd-application-controller
                namespace: argocd
              - kind: ServiceAccount
                name: cluster-logging-operator
                namespace: openshift-logging
              - kind: ServiceAccount
                name: olm-operator-serviceaccount
                namespace: openshift-operator-lifecycle-manager
              - kind: ServiceAccount
                name: namespace-openshift-config-2c8343f13594d63-manager
                namespace: syn-resource-locker
              - kind: ServiceAccount
                name: namespace-default-d6a0af6dd07e8a3-manager
                namespace: syn-resource-locker
              - kind: ServiceAccount
                name: namespace-openshift-monitoring-c4273dc15ddfdf7-manager
                namespace: syn-resource-locker
      match:
        all:
          - resources:
              kinds:
                - Namespace
                - ProjectRequest
              names:
                - appuio-*
                - cilium*
                - default
                - kube-*
                - openshift-*
                - syn-*
      name: disallow-reserved-namespaces
      validate:
        deny: {}
        message: Changing or creating reserved namespaces is not allowed.
  validationFailureAction: enforce
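To make the match → exclude → validate steps from the Implementation section concrete, the following is an added example that re-implements the decision of the ClusterPolicy above in plain Python and runs it over a few constructed admission requests. It is not the component's Jsonnet source nor Kyverno's own evaluation code. Assumptions: the reserved-name wildcards are approximated with `fnmatchcase` (equivalent to Kyverno's matching for the `*`-only patterns on this page), the requester's cluster roles are taken as already resolved (Kyverno looks them up from RBAC bindings at admission time), and the usernames and role sets in the samples are invented.

```python
"""Offline walk-through of the disallow-reserved-namespaces decision.

Added example, not the component's Jsonnet or Kyverno's code. The pattern
and exclusion lists are copied from the policy definition on this page;
the sample requests are constructed for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# --- values copied from the policy definition --------------------------------
RESERVED_PATTERNS = ["appuio-*", "cilium*", "default", "kube-*", "openshift-*", "syn-*"]
MATCHED_KINDS = {"Namespace", "ProjectRequest"}
BYPASS_CLUSTER_ROLES = {
    "cluster-admin", "cluster-image-registry-operator", "cluster-node-tuning-operator",
    "kyverno:generatecontroller", "kyverno:policycontroller",
    "multus-admission-controller-webhook", "openshift-dns-operator",
    "openshift-ingress-operator", "syn-admin", "syn-argocd-application-controller",
    "syn-argocd-server", "system:controller:generic-garbage-collector",
    "system:controller:operator-lifecycle-manager", "system:master",
    "system:openshift:controller:namespace-security-allocation-controller",
    "system:openshift:controller:podsecurity-admission-label-syncer-controller",
}
BYPASS_SERVICE_ACCOUNTS = {  # (namespace, name) of the excluded subjects
    ("argocd", "argocd-application-controller"),
    ("openshift-logging", "cluster-logging-operator"),
    ("openshift-operator-lifecycle-manager", "olm-operator-serviceaccount"),
    ("syn-resource-locker", "namespace-openshift-config-2c8343f13594d63-manager"),
    ("syn-resource-locker", "namespace-default-d6a0af6dd07e8a3-manager"),
    ("syn-resource-locker", "namespace-openshift-monitoring-c4273dc15ddfdf7-manager"),
}
DENY_MESSAGE = "Changing or creating reserved namespaces is not allowed."


@dataclass(frozen=True)
class Request:
    """The parts of an admission request this rule looks at."""
    kind: str                               # e.g. Namespace or ProjectRequest
    name: str                               # requested namespace / project name
    username: str                           # userInfo.username of the requester
    cluster_roles: frozenset = frozenset()  # assumption: already resolved from RBAC


def service_account_of(username: str):
    """Map a Kubernetes SA username to (namespace, name); None for ordinary users."""
    prefix = "system:serviceaccount:"
    if not username.startswith(prefix):
        return None
    namespace, _, name = username[len(prefix):].partition(":")
    return (namespace, name)


def is_reserved(name: str) -> bool:
    """match.resources.names: any pattern hit makes the rule apply."""
    return any(fnmatchcase(name, pattern) for pattern in RESERVED_PATTERNS)


def is_excluded(req: Request) -> bool:
    """exclude.any: a cluster-role hit OR a subject hit skips the rule."""
    if req.cluster_roles & BYPASS_CLUSTER_ROLES:
        return True
    return service_account_of(req.username) in BYPASS_SERVICE_ACCOUNTS


def evaluate(req: Request) -> tuple[str, str]:
    """Return ("allow", why) or ("deny", message) for one request."""
    if req.kind not in MATCHED_KINDS:
        return ("allow", "kind not covered by the rule")
    if not is_reserved(req.name):
        return ("allow", "name matches no reserved pattern")
    if is_excluded(req):
        return ("allow", "requester is excluded from the rule")
    return ("deny", DENY_MESSAGE)


# Constructed sample requests; usernames and role sets are illustrative.
SAMPLES = {
    "dev creates openshift-*": Request("Namespace", "openshift-tools", "alice", frozenset({"admin"})),
    "dev runs oc new-project kube-": Request("ProjectRequest", "kube-team", "bob"),
    "dev creates own namespace": Request("Namespace", "team-a-prod", "alice"),
    "prefix-only near miss": Request("Namespace", "default-tools", "alice"),
    "cluster-admin creates syn-*": Request("Namespace", "syn-test", "ops", frozenset({"cluster-admin"})),
    "excluded SA touches openshift-config": Request(
        "Namespace", "openshift-config",
        "system:serviceaccount:syn-resource-locker:namespace-openshift-config-2c8343f13594d63-manager"),
    "other kind with reserved name": Request("ConfigMap", "openshift-cm", "alice"),
}


def decisions() -> dict[str, str]:
    """Verdict per sample, keyed by the sample label."""
    return {label: evaluate(req)[0] for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        verdict, reason = evaluate(req)
        print(f"{verdict:5} {label:38} {reason}")
```

Two details worth noticing in the output: the `ProjectRequest` sample is denied even though no `Namespace` object is created directly, which is why the policy matches that kind for `oc new-project`, and `default-tools` is allowed because the `default` entry is an exact name while the other entries are prefix wildcards.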