Policy: organization-projects
Ensure that all OpenShift Projects created by users have a label appuio.io/organization
which isn’t empty.
Category |
Namespace Ownership |
Minimum Kyverno version |
v1 |
Subject |
APPUiO Organizations |
Policy types |
|
Implementation |
This policy will:
-
Check that each project created by a user without cluster-admin permissions has a label appuio.io/organization which isn’t empty.
-
Check that the creating user is in the organization they try to create a project for.
The user’s organization membership is checked by:
-
Reading the project’s annotation
openshift.io/requester
which contains the username of the user who originally requested the project. -
Fetching all OpenShift groups
-
Reading the
appuio.io/organization
label of the request and finding a group with the same name
If a group matching the label value exists, the policy checks that the user which requested the project is a member of that group.
If the label appuio.io/organization
is missing or empty or the user isn’t a member of the group, the request is denied.
Policy Definition
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Namespace Ownership
policies.kyverno.io/description: |
This policy will:
- Check that each project created by a user without cluster-admin permissions has a label appuio.io/organization which isn't empty.
- Check that the creating user is in the organization they try to create a project for.
The user's organization membership is checked by:
- Reading the project's annotation `openshift.io/requester` which contains the username of the user who originally requested the project.
- Fetching all OpenShift groups
- Reading the `appuio.io/organization` label of the request and finding a group with the same name
If a group matching the label value exists, the policy checks that the user which requested the project is a member of that group.
If the label `appuio.io/organization` is missing or empty or the user isn't a member of the group, the request is denied.
policies.kyverno.io/jsonnet: component/namespace-policies.jsonnet
policies.kyverno.io/minversion: v1
policies.kyverno.io/subject: APPUiO Organizations
policies.kyverno.io/title: Ensure that all OpenShift Projects created by users
have a label `appuio.io/organization` which isn't empty.
labels:
app.kubernetes.io/component: appuio-cloud
app.kubernetes.io/managed-by: commodore
app.kubernetes.io/name: appuio-cloud
name: organization-projects
name: organization-projects
spec:
background: false
rules:
- context:
- apiCall:
jmesPath: '@'
urlPath: /apis/user.openshift.io/v1/users/{{request.object.metadata.annotations."openshift.io/requester"}}
name: ocpuser
exclude: {}
match:
all:
- resources:
annotations:
openshift.io/requester: ?*
kinds:
- Project
mutate:
patchStrategicMerge:
metadata:
labels:
+(appuio.io/organization): '{{ocpuser.metadata.annotations."appuio.io/default-organization"
|| ""}}'
name: set-default-organization
preconditions: {}
validationFailureAction: enforce