kyverno/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml

---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/category: Hardening
    policies.kyverno.io/description: Restrict modification of platform owned roles
      to admins only
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Role
    policies.kyverno.io/title: Deny Modification of platform owned roles
  name: deny-modify-platform-label
spec:
  admission: true
  background: false
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Role
    name: deny-modify-platform-role
    preconditions:
      all:
      - key: '{{ request.operation }}'
        operator: AnyIn
        value:
        - UPDATE
        - DELETE
      - key: '{{ request.userInfo.groups }}'
        operator: AllNotIn
        value:
        - system:masters
    validate:
      deny: {}
      message: Roles owned by platform team (ones with label hpedevops.net/platform=true)
        should not be modified by non-admin users.
      failureAction: Audit
chore: apply policy fixes (#8423) * chore: apply policy fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune validate Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune dryrun Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * pruning Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2023-09-15 16:47:51 +02:00			`---`
fix: Kyverno test ignores variables.yaml file unless context is present (#8339) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-11 23:53:34 +02:00			`apiVersion: kyverno.io/v1`
			`kind: ClusterPolicy`
			`metadata:`
			`annotations:`
			`policies.kyverno.io/category: Hardening`
chore: apply policy fixes (#8423) * chore: apply policy fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune validate Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune dryrun Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * pruning Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2023-09-15 16:47:51 +02:00			`policies.kyverno.io/description: Restrict modification of platform owned roles`
			`to admins only`
fix: Kyverno test ignores variables.yaml file unless context is present (#8339) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-11 23:53:34 +02:00			`policies.kyverno.io/severity: medium`
			`policies.kyverno.io/subject: Role`
chore: apply policy fixes (#8423) * chore: apply policy fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune validate Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune dryrun Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * pruning Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2023-09-15 16:47:51 +02:00			`policies.kyverno.io/title: Deny Modification of platform owned roles`
			`name: deny-modify-platform-label`
fix: Kyverno test ignores variables.yaml file unless context is present (#8339) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-11 23:53:34 +02:00			`spec:`
chore: apply policy fixes (#8423) * chore: apply policy fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune validate Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune dryrun Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * pruning Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2023-09-15 16:47:51 +02:00			`admission: true`
fix: Kyverno test ignores variables.yaml file unless context is present (#8339) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> 2023-09-11 23:53:34 +02:00			`background: false`
			`rules:`
chore: apply policy fixes (#8423) * chore: apply policy fixes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune validate Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * prune dryrun Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * pruning Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> 2023-09-15 16:47:51 +02:00			`- match:`
			`any:`
			`- resources:`
			`kinds:`
			`- Role`
			`name: deny-modify-platform-role`
			`preconditions:`
			`all:`
			`- key: '{{ request.operation }}'`
			`operator: AnyIn`
			`value:`
			`- UPDATE`
			`- DELETE`
			`- key: '{{ request.userInfo.groups }}'`
			`operator: AllNotIn`
			`value:`
			`- system:masters`
			`validate:`
			`deny: {}`
			`message: Roles owned by platform team (ones with label hpedevops.net/platform=true)`
			`should not be modified by non-admin users.`
chore: rename validationFailureAction to failureAction under the rule (#10893) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Jim Bugwadia <jim@nirmata.com> 2024-08-27 23:07:57 +03:00			`failureAction: Audit`