fix: check the resource namespace (#10738)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
This commit is contained in:
parent
f618717f75
commit
734f1df059
3 changed files with 42 additions and 1 deletions
@ -254,7 +254,7 @@ func (p *PolicyProcessor) makePolicyContext(
return nil, fmt.Errorf("failed to update old resource in json context (%w)", err)
return nil, fmt.Errorf("failed to update old resource in json context (%w)", err)
}
}
}
}
if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" {
if p.Client != nil && len(namespaceLabels) == 0 && resource.GetKind() != "Namespace" && resource.GetNamespace() != "" {
ns, err := p.Client.GetResource(context.TODO(), "v1", "Namespace", "", resource.GetNamespace())
ns, err := p.Client.GetResource(context.TODO(), "v1", "Namespace", "", resource.GetNamespace())
if err != nil {
if err != nil {
log.Log.Error(err, "failed to get the resource's namespace")
log.Log.Error(err, "failed to get the resource's namespace")
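Review bot: The extended condition on the `if` line skips the Namespace lookup for any resource whose `metadata.namespace` is empty, which covers cluster-scoped kinds as intended but also a namespaced object whose namespace was simply omitted in the input; such an object is then evaluated without namespace labels, and whether that matters depends on how namespaceLabels is consumed after the hunk, which lies outside it. A comment stating the intent would help the next reader, e.g. `// Cluster-scoped resources have no namespace; skip the lookup instead of querying with an empty name.` The retained `resource.GetKind() != "Namespace"` clause is now largely subsumed by the new check but is harmless to keep. makePolicyContext starts and ends outside the hunk.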
@ -0,0 +1,21 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
creationTimestamp: null
name: apply-on-cluster-scoped-resources
spec:
steps:
- name: step-01
try:
- script:
content: kubectl create rolebinding my-rolebinding --role=my-role --user=my-user
- name: step-02
try:
- script:
content: kubectl create clusterrolebinding clusterrolebinding --clusterrole=my-clusterrole --user=my-user
- name: step-04
try:
- script:
content: kyverno apply policy.yaml --cluster
check:
($error != null): false
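Review bot: The step names jump from `step-02` to `step-04`, which reads like a dropped step; renaming the last one to `step-03` keeps the sequence continuous. The two `kubectl create` scripts leave a RoleBinding and a ClusterRoleBinding in the cluster with no cleanup step, so rerunning the test against the same cluster would presumably fail with AlreadyExists — I don't believe chainsaw tracks objects created through `script:` steps, so an explicit cleanup step would make the test rerunnable. The first script also omits a namespace, so the RoleBinding lands in the kubeconfig's current namespace; pinning it with `-n` would make the fixture deterministic. Indentation is not visible in this rendering, so nesting could not be checked.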
@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-binding-system-groups
spec:
validationFailureAction: Enforce
background: true
rules:
- name: restrict-masters
match:
any:
- resources:
kinds:
- RoleBinding
- ClusterRoleBinding
validate:
message: "Binding to system:masters is not allowed."
pattern:
roleRef:
name: "!system:masters"