Policy: organization-projects

Ensure that all OpenShift Projects created by users have a label appuio.io/organization which isn’t empty.
Category

Namespace Ownership

Minimum Kyverno version

v1

Subject

APPUiO Organizations

Policy types

mutate

Implementation

component/namespace-policies.jsonnet

This policy will:

  • Check that each project created by a user without cluster-admin permissions has a label appuio.io/organization which isn’t empty.

  • Check that the creating user is in the organization they try to create a project for.

The user’s organization membership is checked by:

  • Reading the project’s annotation openshift.io/requester which contains the username of the user who originally requested the project.

  • Fetching all OpenShift groups

  • Reading the appuio.io/organization label of the request and finding a group with the same name

If a group matching the label value exists, the policy checks that the user who requested the project is a member of that group.

If the label appuio.io/organization is missing or empty, or the user isn’t a member of the group, the request is denied.

Note that the policy spec reproduced under Policy Definition below contains only the mutating rule set-default-organization: when the request carries no appuio.io/organization label, it looks up the requesting user and fills in the label from that user’s appuio.io/default-organization annotation (or an empty string if the annotation is absent). A label the requester supplied explicitly is kept as it is, so the membership check described above is what prevents a user from creating a project under another organization; that check is not part of the rule shown here.

Policy Definition

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Namespace Ownership
    policies.kyverno.io/description: |
      This policy will:

      - Check that each project created by a user without cluster-admin permissions has a label appuio.io/organization which isn't empty.
      - Check that the creating user is in the organization they try to create a project for.

      The user's organization membership is checked by:

      - Reading the project's annotation `openshift.io/requester` which contains the username of the user who originally requested the project.
      - Fetching all OpenShift groups
      - Reading the `appuio.io/organization` label of the request and finding a group with the same name

      If a group matching the label value exists, the policy checks that the user which requested the project is a member of that group.

      If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied.
    policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
    policies.kyverno.io/minversion: v1
    policies.kyverno.io/subject: APPUiO Organizations
    policies.kyverno.io/title: Ensure that all OpenShift Projects created by users
      have a label `appuio.io/organization` which isn't empty.
  labels:
    app.kubernetes.io/component: appuio-cloud
    app.kubernetes.io/managed-by: commodore
    app.kubernetes.io/name: appuio-cloud
    name: organization-projects
  name: organization-projects
spec:
  background: false
  rules:
    - context:
        - apiCall:
            jmesPath: '@'
            urlPath: /apis/user.openshift.io/v1/users/{{request.object.metadata.annotations."openshift.io/requester"}}
          name: ocpuser
      exclude: {}
      match:
        all:
          - resources:
              annotations:
                openshift.io/requester: ?*
              kinds:
                - Project
      mutate:
        patchStrategicMerge:
          metadata:
            labels:
              +(appuio.io/organization): '{{ocpuser.metadata.annotations."appuio.io/default-organization" || ""}}'
      name: set-default-organization
      preconditions: {}
  validationFailureAction: enforce
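To trace the decision flow end to end without a cluster, here is an added simulation in Python (example code written for this page, not part of the appuio-cloud component or of Kyverno). It re-implements the set-default-organization rule above: match on a Project carrying an openshift.io/requester annotation, look up that User, and add the appuio.io/organization label only when the request has none, which is what the `+()` anchor in `patchStrategicMerge` means. It then applies the membership check from the description (label non-empty, requester listed in the Group of the same name). The User and Group objects are constructed fixtures standing in for the apiCall context lookups; treating an unknown requester like a User without annotations is a simplification of this example, not the policy's behaviour.

```python
"""Offline simulation of the organization-projects policy.

Added example for this page, not code from the appuio-cloud component or from
Kyverno. USERS and GROUPS are constructed fixtures that stand in for the
apiCall context lookups against user.openshift.io/v1.
"""
from typing import Dict, Optional, Tuple

ORG_LABEL = "appuio.io/organization"
DEFAULT_ORG_ANNOTATION = "appuio.io/default-organization"
REQUESTER_ANNOTATION = "openshift.io/requester"

# Constructed sample User objects (what the apiCall context "ocpuser" returns).
USERS: Dict[str, dict] = {
    "alice": {"metadata": {"name": "alice",
                           "annotations": {DEFAULT_ORG_ANNOTATION: "acme"}}},
    "bob": {"metadata": {"name": "bob", "annotations": {}}},  # no default org
}
# Constructed sample Group objects; "users" is the OpenShift Group membership list.
GROUPS: Dict[str, dict] = {
    "acme": {"metadata": {"name": "acme"}, "users": ["alice"]},
    "globex": {"metadata": {"name": "globex"}, "users": ["carol"]},
}


def matches(obj: dict) -> bool:
    """The match block: kind Project with a non-empty openshift.io/requester annotation (?*)."""
    annotations = obj.get("metadata", {}).get("annotations", {})
    return obj.get("kind") == "Project" and bool(annotations.get(REQUESTER_ANNOTATION))


def mutate_default_organization(obj: dict, users: Dict[str, dict]) -> dict:
    """The set-default-organization rule.

    +(appuio.io/organization) is an add-if-absent anchor: a label already present
    in the request is left untouched. The JMESPath `... || ""` falls back to an
    empty string when the User has no default-organization annotation. An unknown
    requester is treated like a User without annotations here (simplification).
    """
    requester = obj["metadata"]["annotations"][REQUESTER_ANNOTATION]
    user = users.get(requester, {})
    labels = obj["metadata"].setdefault("labels", {})
    if ORG_LABEL not in labels:
        default_org = user.get("metadata", {}).get("annotations", {}).get(DEFAULT_ORG_ANNOTATION)
        labels[ORG_LABEL] = default_org or ""
    return obj


def check_membership(obj: dict, groups: Dict[str, dict]) -> Tuple[bool, str]:
    """The check from the description: label non-empty and requester in the Group of that name."""
    requester = obj["metadata"]["annotations"][REQUESTER_ANNOTATION]
    org = obj["metadata"].get("labels", {}).get(ORG_LABEL, "")
    if not org:
        return False, "label %s is missing or empty" % ORG_LABEL
    group = groups.get(org)
    if group is None or requester not in group.get("users", []):
        return False, "user %s is not a member of group %s" % (requester, org)
    return True, "ok"


def admit_project(project: dict, users=USERS, groups=GROUPS) -> Tuple[bool, str, dict]:
    """match -> mutate -> check; returns (allowed, reason, object as it would be admitted)."""
    if not matches(project):
        return True, "rule does not match", project
    mutated = mutate_default_organization(project, users)
    allowed, reason = check_membership(mutated, groups)
    return allowed, reason, mutated


def new_project(name: str, requester: str, labels: Optional[dict] = None) -> dict:
    """A Project as the API server creates it from a ProjectRequest (constructed sample)."""
    return {
        "apiVersion": "project.openshift.io/v1",
        "kind": "Project",
        "metadata": {
            "name": name,
            "annotations": {REQUESTER_ANNOTATION: requester},
            "labels": dict(labels or {}),
        },
    }


if __name__ == "__main__":
    cases = [
        new_project("alice-app", "alice"),                             # default org filled in, allowed
        new_project("bob-app", "bob"),                                 # no default org -> "" -> denied
        new_project("alice-globex", "alice", {ORG_LABEL: "globex"}),   # explicit label kept, denied
    ]
    for case in cases:
        allowed, reason, obj = admit_project(case)
        print(obj["metadata"]["name"], obj["metadata"]["labels"][ORG_LABEL], allowed, reason)
```

The third case is the one worth noting: because the anchor only fills a missing label, a requester who sets appuio.io/organization explicitly keeps that value, so it is the membership check, not the mutation, that stops a user from creating a project under another organization. The second case shows the other edge: a user without a default-organization annotation gets an empty label from the `|| ""` fallback, which the description says is denied.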