Check SubjectAccessReview

In some cases a validation check for one type of resource may need to take into consideration the requesting user's permissions on a different type of resource. Rather than parsing through all Roles and/or ClusterRoles to check whether those permissions are held, Kyverno can send a SubjectAccessReview request to the Kubernetes API server and let the API server determine them. This policy illustrates how to perform a POST request to the API server to submit a SubjectAccessReview for a user creating or updating a ConfigMap. It is intended to be used as a component in a more functional rule.

Policy Definition

/other/check-subjectaccessreview/check-subjectaccessreview.yaml

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: check-subjectaccessreview
  annotations:
    policies.kyverno.io/title: Check SubjectAccessReview
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: SubjectAccessReview
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      In some cases a validation check for one type of resource may need to
      take into consideration the requesting user's permissions on a different type of resource.
      Rather than parsing through all Roles and/or ClusterRoles to check if these permissions
      are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server
      and have it figure out those permissions. This policy illustrates how to perform a POST
      request to the API server to subject a SubjectAccessReview for a user creating/updating a
      ConfigMap. It is intended to be used as a component in a more functional rule.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: check-sar
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
    context:
      - name: subjectaccessreview
        apiCall:
          urlPath: /apis/authorization.k8s.io/v1/subjectaccessreviews
          method: POST
          data:
          - key: kind
            value: SubjectAccessReview
          - key: apiVersion
            value: authorization.k8s.io/v1
          - key: spec
            value:
              resourceAttributes:
                resource: "namespaces"
                namespace: "{{ request.namespace }}"
                verb: "delete"
                group: ""
              user: "{{ request.userInfo.username }}"
    validate:
      message: "User is not authorized."
      deny:
        conditions:
          any:
          - key: "{{ subjectaccessreview.status.allowed }}"
            operator: NotEquals
            value: true
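The exchange the apiCall context performs, modelled as an added example that is not part of the Kyverno policy library: it renders the SubjectAccessReview body the rule POSTs, applies the rule's NotEquals condition to the reply, and runs both against a constructed stand-in for the API server. The names build_sar_body, policy_denies, admission_decision and fake_api_server, the fail-closed treatment of a missing status, and the usernames are assumptions made here.

```python
import json
from typing import Callable

SAR_URL_PATH = "/apis/authorization.k8s.io/v1/subjectaccessreviews"  # the policy's urlPath


def build_sar_body(namespace: str, username: str) -> dict:
    """Render the policy's apiCall `data` list with {{ request.namespace }} and
    {{ request.userInfo.username }} substituted: may this user delete namespaces?"""
    attrs = {"resource": "namespaces", "namespace": namespace, "verb": "delete", "group": ""}
    return {"kind": "SubjectAccessReview", "apiVersion": "authorization.k8s.io/v1",
            "spec": {"resourceAttributes": attrs, "user": username}}


def policy_denies(sar_response: dict) -> bool:
    """The rule denies when `status.allowed` NotEquals true. This model (an
    assumption) treats a missing or non-boolean status as a denial: fail closed."""
    return sar_response.get("status", {}).get("allowed") is not True


def admission_decision(namespace: str, username: str,
                       post: Callable[[str, dict], dict]) -> dict:
    """Run the rule end to end: POST the SAR through `post` (a stand-in for the
    Kyverno apiCall context) and return the validate outcome for the ConfigMap."""
    response = post(SAR_URL_PATH, build_sar_body(namespace, username))
    denied = policy_denies(response)
    return {"allowed": not denied,
            "message": "User is not authorized." if denied else "",
            "reason": response.get("status", {}).get("reason", "")}


def fake_api_server(namespace_deleters: set) -> Callable[[str, dict], dict]:
    """Constructed stand-in for the SAR endpoint: only users in `namespace_deleters`
    may delete namespaces; any other user or attribute set gets allowed: false."""
    def post(url_path: str, body: dict) -> dict:
        attrs, user = body["spec"]["resourceAttributes"], body["spec"]["user"]
        ok = (url_path == SAR_URL_PATH and attrs["verb"] == "delete"
              and attrs["resource"] == "namespaces" and user in namespace_deleters)
        status = {"allowed": True} if ok else {
            "allowed": False, "reason": "constructed: no RBAC rule grants delete on namespaces"}
        return {**body, "status": status}
    return post


if __name__ == "__main__":
    post = fake_api_server({"ns-admin"})
    for user in ("ns-admin", "dev-user"):  # constructed usernames
        print(user, json.dumps(admission_decision("team-a", user, post)))
```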