Check SubjectAccessReview
In some cases a validation check for one type of resource may need to take into account the requesting user's permissions on a different type of resource. Rather than parsing every Role and ClusterRole to work out whether those permissions are held, Kyverno can POST a SubjectAccessReview to the Kubernetes API server and let the server's own authorizer decide. This policy shows how: on every ConfigMap create or update it submits a SubjectAccessReview asking whether the requesting user may delete the Namespace the ConfigMap lives in, and fails validation when the response is not `allowed: true` (reported rather than blocked, since `validationFailureAction` is `Audit`). Because the check depends on `request.userInfo`, which exists only during admission, the policy sets `background: false`. Note that the review forwards only `spec.user`; the API server then evaluates it as if the user belonged to no groups, so permissions granted through group bindings (OIDC groups, `system:authenticated`, and so on) are not seen. Forward `request.userInfo.groups` as `spec.groups` when that matters. The policy is intended to be used as a component in a more functional rule.
Policy Definition
/other/check-subjectaccessreview/check-subjectaccessreview.yaml
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: check-subjectaccessreview
  annotations:
    policies.kyverno.io/title: Check SubjectAccessReview
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: SubjectAccessReview
    kyverno.io/kyverno-version: 1.10.0
    policies.kyverno.io/minversion: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      In some cases a validation check for one type of resource may need to
      take into consideration the requesting user's permissions on a different type of resource.
      Rather than parsing through all Roles and/or ClusterRoles to check if these permissions
      are held, Kyverno can perform a SubjectAccessReview request to the Kubernetes API server
      and have it figure out those permissions. This policy illustrates how to perform a POST
      request to the API server to submit a SubjectAccessReview for a user creating/updating a
      ConfigMap, asking whether that user may delete the ConfigMap's Namespace. It is intended
      to be used as a component in a more functional rule.
spec:
  validationFailureAction: Audit
  # request.userInfo is only available during admission, so background scans are disabled.
  background: false
  rules:
  - name: check-sar
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
    context:
    # POST a SubjectAccessReview and store the API server's response under this name.
    - name: subjectaccessreview
      apiCall:
        urlPath: /apis/authorization.k8s.io/v1/subjectaccessreviews
        method: POST
        data:
        - key: kind
          value: SubjectAccessReview
        - key: apiVersion
          value: authorization.k8s.io/v1
        - key: spec
          value:
            # Question posed to the authorizer: may the requesting user delete
            # the Namespace the ConfigMap is in?
            resourceAttributes:
              resource: "namespaces"
              namespace: "{{ request.namespace }}"
              verb: "delete"
              group: ""
            # Only the user name is forwarded. Without spec.groups the API server
            # evaluates the review as if the user belonged to no groups.
            user: "{{ request.userInfo.username }}"
    validate:
      message: "User is not authorized."
      deny:
        conditions:
          any:
          # Deny unless the authorizer answered allowed: true.
          - key: "{{ subjectaccessreview.status.allowed }}"
            operator: NotEquals
            value: true
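The following is an added example, not code from the Kyverno policy library, that models the round trip the policy above performs: build the SubjectAccessReview body from an admission request, hand it to an authorizer, and apply the rule's deny condition to the response. The authorizer is a small constructed stand-in for the API server's RBAC evaluation, with a hypothetical role table and a user who holds rights only through a group binding, so it shows concretely why a review that names only `spec.user` comes back `allowed: false` even though the user is authorized. The request object, roles, bindings and user names are all constructed for the example.

```python
"""Model the SubjectAccessReview check performed by the check-subjectaccessreview
policy, including the effect of omitting spec.groups.

Everything below (RBAC table, bindings, admission request) is a constructed
fixture for illustration, not real cluster state.
"""
import json

# Hypothetical RBAC fixture: role name -> allowed (apiGroup, resource, verb) tuples.
ROLES = {
    "namespace-admin": [("", "namespaces", "delete")],
}
# Hypothetical bindings: (subject kind, subject name, role). Note the only grant
# of namespace deletion goes to a Group, not to a User.
ROLE_BINDINGS = [
    ("Group", "platform-admins", "namespace-admin"),
]


def build_sar(request: dict, resource: str, verb: str, group: str = "",
              include_groups: bool = False) -> dict:
    """Build the SubjectAccessReview body the policy POSTs.

    `request` mirrors the Kyverno admission context the policy reads:
    request.namespace and request.userInfo. With include_groups=False the body
    matches the policy exactly (user only); with True it also forwards groups.
    """
    spec = {
        "resourceAttributes": {
            "resource": resource,
            "namespace": request["namespace"],
            "verb": verb,
            "group": group,
        },
        "user": request["userInfo"]["username"],
    }
    if include_groups:
        spec["groups"] = list(request["userInfo"].get("groups", []))
    return {"kind": "SubjectAccessReview",
            "apiVersion": "authorization.k8s.io/v1",
            "spec": spec}


def mock_authorize(sar: dict) -> dict:
    """Stand-in for the API server's authorizer over the fixture above.

    Mirrors the real SubjectAccessReview semantics: a spec that carries `user`
    but no `groups` is evaluated as if the user were a member of no groups.
    """
    spec = sar["spec"]
    subjects = {("User", spec["user"])}
    subjects |= {("Group", g) for g in spec.get("groups", [])}
    attrs = spec["resourceAttributes"]
    want = (attrs["group"], attrs["resource"], attrs["verb"])
    for kind, name, role in ROLE_BINDINGS:
        if (kind, name) in subjects and want in ROLES[role]:
            return {**sar, "status": {"allowed": True}}
    return {**sar, "status": {"allowed": False, "reason": "no RBAC policy matched"}}


def policy_denies(sar_response: dict) -> bool:
    """The rule's deny condition: status.allowed NotEquals true."""
    return sar_response["status"]["allowed"] is not True


def check(request: dict, include_groups: bool) -> bool:
    """Run the whole flow; returns True when the policy would report a violation."""
    sar = build_sar(request, "namespaces", "delete", include_groups=include_groups)
    return policy_denies(mock_authorize(sar))


# Constructed admission request: a human user whose only namespace-delete
# permission comes from the platform-admins group.
REQUEST = {
    "namespace": "team-a",
    "userInfo": {
        "username": "alice@example.com",
        "groups": ["platform-admins", "system:authenticated"],
    },
}

if __name__ == "__main__":
    print(json.dumps(build_sar(REQUEST, "namespaces", "delete"), indent=2))
    print("user only   -> violation:", check(REQUEST, include_groups=False))
    print("user+groups -> violation:", check(REQUEST, include_groups=True))
```

Against a real cluster the same body can be submitted with `kubectl create -f` on a SubjectAccessReview manifest to see what the API server's authorizer actually answers for a given user before wiring the check into a policy.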