@dims
Last active August 11, 2024 21:54

Check that you have permission to apply the YAML:

kubectl auth can-i list validatingadmissionpolicies --all-namespaces
kubectl auth can-i list validatingadmissionpolicybindings --all-namespaces

Use kubectl apply -f <file> to apply the YAML.

Check that both objects were applied correctly:

kubectl get validatingadmissionpolicies
kubectl get validatingadmissionpolicybindings

---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: rbac-policy
  annotations:
    description: "Policy to enforce security constraints on RBAC bindings."
  labels:
    policy-type: "security"
spec:
  matchConstraints:
    resourceRules:
    - apiGroups: ["rbac.authorization.k8s.io"]
      apiVersions: ["v1"]
      operations: ["CREATE", "UPDATE"]
      resources: ["rolebindings", "clusterrolebindings"]
  validations:
  # Prevent bindings to system:anonymous or system:unauthenticated.
  # subjects is optional on a binding, so guard with has() to avoid a CEL
  # evaluation error (and a spurious deny) on a binding that has no subjects yet.
  - expression: "!has(object.subjects) || !object.subjects.exists(s, (s.kind == 'User' && s.name == 'system:anonymous') || (s.kind == 'Group' && s.name == 'system:unauthenticated'))"
    message: "Binding to system:anonymous or system:unauthenticated is not allowed"
  # Keep the system:public-info-viewer binding from being given any subjects.
  - expression: "!(object.metadata.name == 'system:public-info-viewer' && has(object.subjects) && object.subjects.size() > 0)"
    message: "system:public-info-viewer cannot have additional roles"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: rbac-policy-binding
spec:
  policyName: rbac-policy
  validationActions: [Deny]
  matchResources:
    # Empty selector: the policy applies in every namespace and to cluster-scoped bindings.
    namespaceSelector: {}
---
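The following Python is an added example and is not part of the gist. It mirrors the two CEL validations of rbac-policy (and its matchConstraints) as a local pre-apply check, so RoleBinding and ClusterRoleBinding manifests can be screened in CI before they reach the API server. It is not a CEL evaluator and does not replace the admission policy, which stays authoritative in the cluster; it only reproduces the same decisions in plain Python. The function names (check_binding, check_manifests, matches_policy) and the sample manifests are this example's own constructions.

```python
# Added example (not part of the gist): a local pre-apply check that mirrors the two CEL
# validations in rbac-policy. Input objects are plain dicts (the parsed YAML/JSON of a
# manifest); the sample bindings in SAMPLES are constructed for the demo.

MATCH_API_GROUP = "rbac.authorization.k8s.io"
MATCH_KINDS = {"RoleBinding", "ClusterRoleBinding"}

# Same messages the admission policy returns on a deny.
DENY_ANON = "Binding to system:anonymous or system:unauthenticated is not allowed"
DENY_PUBLIC_INFO = "system:public-info-viewer cannot have additional roles"


def matches_policy(obj: dict) -> bool:
    """Mirror matchConstraints: rbac.authorization.k8s.io/v1 rolebindings and clusterrolebindings."""
    return obj.get("apiVersion") == f"{MATCH_API_GROUP}/v1" and obj.get("kind") in MATCH_KINDS


def _binds_anonymous(subject: dict) -> bool:
    """One subject's share of the first CEL expression."""
    kind, name = subject.get("kind"), subject.get("name")
    return (kind == "User" and name == "system:anonymous") or (
        kind == "Group" and name == "system:unauthenticated"
    )


def check_binding(obj: dict) -> list[str]:
    """Return the policy messages that would be raised for this object (empty list = admitted).

    Objects outside matchConstraints are never evaluated, like the admission policy itself.
    subjects is optional on a binding, so a missing field counts as no subjects
    (the equivalent of a has(object.subjects) guard in CEL).
    """
    if not matches_policy(obj):
        return []
    subjects = obj.get("subjects") or []
    violations = []
    if any(_binds_anonymous(s) for s in subjects):
        violations.append(DENY_ANON)
    if obj.get("metadata", {}).get("name") == "system:public-info-viewer" and len(subjects) > 0:
        violations.append(DENY_PUBLIC_INFO)
    return violations


def check_manifests(objs: list[dict]) -> dict[str, list[str]]:
    """Run check_binding over a list of manifests; keys are 'kind/name' of denied objects only."""
    report = {}
    for obj in objs:
        msgs = check_binding(obj)
        if msgs:
            report[f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"] = msgs
    return report


RBAC = "rbac.authorization.k8s.io"

# Constructed sample manifests for the demo.
SAMPLES = [
    {  # binds the unauthenticated group to a role: denied by the first validation
        "apiVersion": f"{RBAC}/v1", "kind": "RoleBinding",
        "metadata": {"name": "open-read", "namespace": "default"},
        "subjects": [{"kind": "Group", "name": "system:unauthenticated", "apiGroup": RBAC}],
        "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": RBAC},
    },
    {  # gives the public-info-viewer binding a subject: denied by the second validation
        "apiVersion": f"{RBAC}/v1", "kind": "ClusterRoleBinding",
        "metadata": {"name": "system:public-info-viewer"},
        "subjects": [{"kind": "User", "name": "alice", "apiGroup": RBAC}],
        "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer", "apiGroup": RBAC},
    },
    {  # ordinary binding to a named user: admitted
        "apiVersion": f"{RBAC}/v1", "kind": "RoleBinding",
        "metadata": {"name": "alice-view", "namespace": "default"},
        "subjects": [{"kind": "User", "name": "alice", "apiGroup": RBAC}],
        "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": RBAC},
    },
    {  # binding with no subjects yet: admitted, and must not crash the check
        "apiVersion": f"{RBAC}/v1", "kind": "RoleBinding",
        "metadata": {"name": "placeholder", "namespace": "default"},
        "roleRef": {"kind": "ClusterRole", "name": "view", "apiGroup": RBAC},
    },
    {  # a ServiceAccount is outside matchConstraints, so it is never evaluated
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": "system:public-info-viewer", "namespace": "default"},
    },
]

if __name__ == "__main__":
    for key, msgs in check_manifests(SAMPLES).items():
        print(f"DENY {key}: {'; '.join(msgs)}")
```

Running the script prints one DENY line for each of the first two samples and nothing for the rest. The fourth sample is the case the has() guard in the policy exists for: a binding without subjects is admitted rather than failing evaluation.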