@warroyo
Created October 27, 2021 15:55
OPA policy to allow actions based on the users groups
# ConstraintTemplate first, so the `allowedgroups` CRD exists before the Constraint below is applied.
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  # Gatekeeper requires this name to be the lowercase form of crd.spec.names.kind
  name: allowedgroups
spec:
  crd:
    spec:
      names:
        kind: allowedgroups
      validation:
        # Schema for the `parameters` field
        openAPIV3Schema:
          type: object
          properties:
            allowedgroups:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package allowedgroups

        # Deny unless at least one of the requester's groups is in the allow-list.
        violation[{"msg": msg}] {
          allowlist := input.parameters.allowedgroups
          # Default to "no groups" rather than leaving the rule undefined:
          # an undefined rule produces no violation, i.e. the request is admitted.
          groups := object.get(input.review, ["userInfo", "groups"], [])
          allowedset := {e | e := allowlist[_]}
          groupset := {e | e := groups[_]}
          intersect := allowedset & groupset
          count(intersect) == 0
          msg := sprintf("\nDENIED. you are not part of an authorized group -- current groups: %v --- allowed: %v", [groupset, allowedset])
        }
---
# This is just an example: update the kinds and API groups accordingly and add
# excluded namespaces. Note that service accounts and controllers also pass through
# admission; they only carry the system:serviceaccounts* groups, so they are denied
# unless listed here or scoped out via `match`.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: allowedgroups
metadata:
  name: must-be-memberof
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    allowedgroups: ["testing"]
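Because the rule reads `input.review.userInfo.groups` straight out of the AdmissionReview, it is worth exercising it with `opa test` before loading it into a cluster. The following is an added example, not part of the gist: the template's violation rule copied into a plain .rego file together with unit tests. The usernames, the group names and the `"testing"`/`"platform-admins"` allow-list are constructed for illustration, and the inputs contain only the fields the rule reads. It uses `import rego.v1` syntax, so it needs OPA 0.59 or later.

```rego
package allowedgroups

import rego.v1

# Added example (not from the gist): the template's violation rule alongside
# unit tests so `opa test` can exercise it offline. All names are constructed.

violation contains {"msg": msg} if {
	allowlist := input.parameters.allowedgroups
	# Missing groups must count as "no groups", not as "no decision".
	groups := object.get(input.review, ["userInfo", "groups"], [])
	allowedset := {e | e := allowlist[_]}
	groupset := {e | e := groups[_]}
	count(allowedset & groupset) == 0
	msg := sprintf("DENIED. you are not part of an authorized group -- current groups: %v --- allowed: %v", [groupset, allowedset])
}

# Builds the part of a Gatekeeper admission input that the rule reads.
# The allow-list mirrors the Constraint's parameters (constructed values).
admission(username, groups) := {
	"parameters": {"allowedgroups": ["testing", "platform-admins"]},
	"review": {
		"operation": "CREATE",
		"kind": {"group": "", "version": "v1", "kind": "Namespace"},
		"userInfo": {"username": username, "groups": groups},
	},
}

test_member_of_allowed_group_is_admitted if {
	inp := admission("alice", ["testing", "system:authenticated"])
	count(violation) == 0 with input as inp
}

test_user_outside_allowed_groups_is_denied if {
	inp := admission("bob", ["developers", "system:authenticated"])
	count(violation) == 1 with input as inp
}

# One overlapping group is enough; the rule does not require all groups to match.
test_one_overlapping_group_is_enough if {
	inp := admission("carol", ["developers", "platform-admins"])
	count(violation) == 0 with input as inp
}

# Service accounts only carry the system:serviceaccounts* groups, so a
# controller that touches Namespace objects is denied unless listed.
test_service_account_is_denied if {
	inp := admission(
		"system:serviceaccount:kube-system:namespace-controller",
		["system:serviceaccounts", "system:serviceaccounts:kube-system", "system:authenticated"],
	)
	count(violation) == 1 with input as inp
}

# Fail closed when the request carries no groups field at all.
test_missing_groups_is_denied if {
	inp := {
		"parameters": {"allowedgroups": ["testing"]},
		"review": {"userInfo": {"username": "anonymous"}},
	}
	count(violation) == 1 with input as inp
}
```

Save it as `allowedgroups_test.rego` and run `opa test -v allowedgroups_test.rego`. The last two tests are the ones that matter for the cluster: the service-account test shows why `match` needs to be scoped (or the controllers' groups added) before this is enforced on Namespace objects, and the missing-groups test shows the difference between `object.get(..., [])` and a bare `input.review.userInfo.groups` reference, which leaves the rule undefined and admits the request.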