From 8fb4d412e12f4146e6235ca735ee4db82dd54045 Mon Sep 17 00:00:00 2001
From: Chip Zoller
Date: Thu, 19 Jan 2023 11:41:00 -0500
Subject: [PATCH] add namespace-protection

Signed-off-by: Chip Zoller
---
 .../namespace-protection.yaml | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 other/namespace-protection/namespace-protection.yaml

diff --git a/other/namespace-protection/namespace-protection.yaml b/other/namespace-protection/namespace-protection.yaml
new file mode 100644
index 000000000..b289d92a7
--- /dev/null
+++ b/other/namespace-protection/namespace-protection.yaml
@@ -0,0 +1,39 @@
+apiVersion: kyverno.io/v2beta1
+kind: ClusterPolicy
+metadata:
+ name: namespace-protection
+ annotations:
+ policies.kyverno.io/title: Namespace Protection
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Namespace
+ kyverno.io/kyverno-version: 1.9.0
+ policies.kyverno.io/minversion: 1.9.0
+ kyverno.io/kubernetes-version: "1.24"
+ policies.kyverno.io/description: >-
+ Cases where RBAC may be applied at a higher level and where Namespace-level
+ protections may be necessary can be accomplished with a separate policy. For example,
+ one may want to protect creates, updates, and deletes on only a single Namespace. This
+ policy will block creates, updates, and deletes to any Namespace labeled with `freeze=true`.
+ Caution should be exercised when using rules which match on all kinds (`"*"`) as this will
+ involve, for larger clusters, a substantial amount of processing on Kyverno's part. Additional
+ resource requests and/or limits may be required.
+spec:
+ validationFailureAction: Enforce
+ background: false
+ rules:
+ - name: check-freeze
+ match:
+ any:
+ - resources:
+ kinds:
+ - "*"
+ namespaceSelector:
+ matchExpressions:
+ - key: freeze
+ operator: In
+ values:
+ - "true"
+ validate:
+ message: "This Namespace is frozen and no modifications may be performed."
+ deny: {}
\ No newline at end of file
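Review bot: The freeze is only as strong as write access to the Namespace's own labels: the rule selects on `freeze=true` via `namespaceSelector`, so anyone who can update the Namespace object can drop or change that label and the `check-freeze` rule silently stops applying, which the description in the annotations does not mention. I would add a sentence to `policies.kyverno.io/description` stating that the `freeze` label must itself be guarded (RBAC on `namespaces` updates, or a companion rule matching `kind: Namespace`), since the policy does not do that. The match also carries no `operations` list, so the rule applies to every operation Kyverno matches by default rather than only the creates, updates and deletes the description promises; making it explicit with `operations: [CREATE, UPDATE, DELETE]` under `resources` keeps the text and the behaviour aligned and avoids, as far as I can tell, also denying CONNECT requests such as exec into Pods of a frozen Namespace. The hunk is the whole file, so nothing is cut off.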