Policy: organization-in-projectrequests
Check the requesting user’s default organization for OpenShift ProjectRequests.
Category |
Namespace Ownership |
Minimum Kyverno version |
v1 |
Subject |
APPUiO Organizations |
Policy types |
|
Implementation |
This policy will check that the requesting user has the appuio.io/default-organization
annotation.
The content of the annotation isn’t validated.
Instead the policy assumes that any default organization annotations which are present on user objects are valid.
If the requesting user doesn’t have the appuio.io/default-organization
annotation, the project request is denied.
Users which match an entry of component parameter bypassNamespaceRestrictions
are allowed to bypass the policy.
Policy Definition
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Namespace Ownership
policies.kyverno.io/description: |
This policy will check that the requesting user has the `appuio.io/default-organization` annotation.
The content of the annotation isn't validated.
Instead the policy assumes that any default organization annotations which are present on user objects are valid.
If the requesting user doesn't have the `appuio.io/default-organization` annotation, the project request is denied.
Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.
policies.kyverno.io/jsonnet: component/project-policies.jsonnet
policies.kyverno.io/minversion: v1
policies.kyverno.io/subject: APPUiO Organizations
policies.kyverno.io/title: Check the requesting user's default organization for
OpenShift ProjectRequests.
labels:
app.kubernetes.io/component: appuio-cloud
app.kubernetes.io/managed-by: commodore
app.kubernetes.io/name: appuio-cloud
name: organization-in-projectrequests
name: organization-in-projectrequests
spec:
background: false
rules:
- context:
- apiCall:
jmesPath: '@'
urlPath: /apis/user.openshift.io/v1/users/{{request.userInfo.username}}
name: ocpuser
exclude:
any:
- clusterRoles:
- cluster-admin
- cluster-image-registry-operator
- cluster-node-tuning-operator
- kyverno:generatecontroller
- kyverno:policycontroller
- multus-admission-controller-webhook
- openshift-dns-operator
- openshift-ingress-operator
- syn-admin
- syn-argocd-application-controller
- syn-argocd-server
- system:controller:generic-garbage-collector
- system:controller:operator-lifecycle-manager
- system:master
- system:openshift:controller:namespace-security-allocation-controller
- system:openshift:controller:podsecurity-admission-label-syncer-controller
- subjects:
- kind: ServiceAccount
name: argocd-application-controller
namespace: argocd
- kind: ServiceAccount
name: cluster-logging-operator
namespace: openshift-logging
- kind: ServiceAccount
name: olm-operator-serviceaccount
namespace: openshift-operator-lifecycle-manager
- kind: ServiceAccount
name: namespace-openshift-config-2c8343f13594d63-manager
namespace: syn-resource-locker
- kind: ServiceAccount
name: namespace-default-d6a0af6dd07e8a3-manager
namespace: syn-resource-locker
- kind: ServiceAccount
name: namespace-openshift-monitoring-c4273dc15ddfdf7-manager
namespace: syn-resource-locker
match:
all:
- resources:
kinds:
- ProjectRequest
name: user-has-default-organization
validate:
deny:
conditions:
any:
- key:
- appuio.io/default-organization
operator: AllNotIn
value: '{{ocpuser.metadata.annotations.keys(@)}}'
- key: '{{ocpuser.metadata.annotations."appuio.io/default-organization"
|| ""}}'
operator: Equals
value: ''
message: You cannot create Projects without belonging to an organization
validationFailureAction: enforce