Policy: organization-in-projectrequests

Check the requesting user’s default organization for OpenShift ProjectRequests.
Category

Namespace Ownership

Minimum Kyverno version

v1

Subject

APPUiO Organizations

Policy types

validate

Implementation

component/project-policies.jsonnet

This policy will check that the requesting user has the appuio.io/default-organization annotation. The content of the annotation isn’t validated. Instead the policy assumes that any default organization annotations which are present on user objects are valid.

If the requesting user doesn’t have the appuio.io/default-organization annotation, the project request is denied.

Users which match an entry of component parameter bypassNamespaceRestrictions are allowed to bypass the policy.

Policy Definition

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Namespace Ownership
    policies.kyverno.io/description: 'This policy will check that the requesting user
      has the `appuio.io/default-organization` annotation.

      The content of the annotation isn''t validated.

      Instead the policy assumes that any default organization annotations which are
      present on user objects are valid.


      If the requesting user doesn''t have the `appuio.io/default-organization` annotation,
      the project request is denied.


      Users which match an entry of xref:references/parameters#_bypassnamespacerestrictions[component
      parameter `bypassNamespaceRestrictions`] are allowed to bypass the policy.

      '
    policies.kyverno.io/jsonnet: component/project-policies.jsonnet
    policies.kyverno.io/minversion: v1
    policies.kyverno.io/subject: APPUiO Organizations
    policies.kyverno.io/title: Check the requesting user's default organization for
      OpenShift ProjectRequests.
  labels:
    app.kubernetes.io/component: appuio-cloud
    app.kubernetes.io/managed-by: commodore
    app.kubernetes.io/name: appuio-cloud
    name: organization-in-projectrequests
  name: organization-in-projectrequests
spec:
  background: false
  rules:
    - context:
        - apiCall:
            jmesPath: '@'
            urlPath: /apis/user.openshift.io/v1/users/{{request.userInfo.username}}
          name: ocpuser
      exclude:
        any:
          - clusterRoles:
              - cluster-admin
              - cluster-image-registry-operator
              - cluster-node-tuning-operator
              - kyverno:generatecontroller
              - kyverno:policycontroller
              - multus-admission-controller-webhook
              - openshift-dns-operator
              - openshift-ingress-operator
              - syn-admin
              - syn-argocd-application-controller
              - syn-argocd-server
              - system:controller:generic-garbage-collector
              - system:controller:operator-lifecycle-manager
              - system:master
              - system:openshift:controller:namespace-security-allocation-controller
              - system:openshift:controller:podsecurity-admission-label-syncer-controller
          - subjects:
              - kind: ServiceAccount
                name: argocd-application-controller
                namespace: argocd
              - kind: ServiceAccount
                name: namespace-openshift-config-2c8343f13594d63-manager
                namespace: syn-resource-locker
              - kind: ServiceAccount
                name: namespace-default-d6a0af6dd07e8a3-manager
                namespace: syn-resource-locker
              - kind: ServiceAccount
                name: namespace-openshift-monitoring-c4273dc15ddfdf7-manager
                namespace: syn-resource-locker
      match:
        all:
          - resources:
              kinds:
                - ProjectRequest
      name: user-has-default-organization
      validate:
        deny:
          conditions:
            any:
              - key:
                  - appuio.io/default-organization
                operator: AllNotIn
                value: '{{ocpuser.metadata.annotations.keys(@)}}'
              - key: '{{ocpuser.metadata.annotations."appuio.io/default-organization"
                  || ""}}'
                operator: Equals
                value: ''
        message: You cannot create Projects without belonging to an organization
  validationFailureAction: enforce