@chipzoller
Created April 13, 2023 12:52
Service call demo policy for Kyverno 1.10
apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: check-subject
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: check-chip
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
          operations:
          - UPDATE
    context:
    - name: subjectaccessreview
      apiCall:
        service:
          urlPath: https://kubernetes.default.svc.cluster.local/apis/authorization.k8s.io/v1/subjectaccessreviews
          requestType: POST
          caBundle: |-
            -----BEGIN CERTIFICATE-----
            MIIBdjCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
            dmVyLWNhQDE2ODEzODUyNDgwHhcNMjMwNDEzMTEyNzI4WhcNMzMwNDEwMTEyNzI4
            WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE2ODEzODUyNDgwWTATBgcqhkjO
            PQIBBggqhkjOPQMBBwNCAAR7bmNmgMenoCVwAn1C1fhje6u+fu3NniYPC1IKpI8D
            gSrMrARWtWKB3LsLoBcp6cpCEeFm+B/FJuG9rRgXFBhAo0IwQDAOBgNVHQ8BAf8E
            BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUnAVM3hGzBN4ZUku+dDN9
            mPCB0cIwCgYIKoZIzj0EAwIDRwAwRAIgYF0Dy5QuQpYFyHcQEVq5GJgrE9W4gAy2
            W/LgVuvZmucCIBcETS4DIw2pWAfeKRDaEOi2YsJoDpWd7lFLQBUbe4G7
            -----END CERTIFICATE-----
        data:
        - key: kind
          value: SubjectAccessReview
        - key: apiVersion
          value: authorization.k8s.io/v1
        - key: spec
          value:
            user: chip
            resourceAttributes:
              namespace: "{{ request.namespace }}"
              verb: get
              resource: pods
    validate:
      message: "User is not authorized."
      deny:
        conditions:
          any:
          - key: "{{ subjectaccessreview.status.allowed }}"
            operator: NotEquals
            value: true
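The policy above wires three things together: the `data` block renders a SubjectAccessReview for the namespace of the incoming request, the `apiCall` POSTs it to the API server, and the `deny.conditions` block blocks the ConfigMap update unless `status.allowed` came back `true`. The following script is an added offline simulation of that decision path, not Kyverno's own code and not part of the gist. It approximates Kyverno's JMESPath variable substitution with a small `{{ var }}` resolver, implements only the `Equals`/`NotEquals` operators, and assumes that when both `any` and `all` condition blocks are present both must hold. The admission request, the API responses, the namespace `team-a` and the function names are all constructed for the example.

```python
"""Offline simulation of the check-subject policy's decision logic.

Added illustration, not Kyverno's code: renders the SubjectAccessReview
body described by the policy's `data` block for a constructed admission
request, then evaluates the `deny.conditions` block against a constructed
API response.
"""
import json
import re

# Mirrors the policy's `data` block; the namespace is a template variable.
SAR_TEMPLATE = {
    "kind": "SubjectAccessReview",
    "apiVersion": "authorization.k8s.io/v1",
    "spec": {
        "user": "chip",
        "resourceAttributes": {
            "namespace": "{{ request.namespace }}",
            "verb": "get",
            "resource": "pods",
        },
    },
}

# Copied from the policy's `validate.deny.conditions` block.
DENY_CONDITIONS = {
    "any": [
        {"key": "{{ subjectaccessreview.status.allowed }}",
         "operator": "NotEquals",
         "value": True}
    ]
}

_VAR = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")

OPERATORS = {  # subset of Kyverno's condition operators (assumption: only these two)
    "Equals": lambda actual, expected: actual == expected,
    "NotEquals": lambda actual, expected: actual != expected,
}


def lookup(path, variables):
    """Resolve a dotted path such as 'request.namespace'; KeyError if absent."""
    node = variables
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"unresolved variable: {path}")
        node = node[part]
    return node


def render(value, variables):
    """Substitute {{ var }} placeholders (simplified stand-in for JMESPath).
    A string that is exactly one placeholder keeps the referenced value's
    type, so a boolean `status.allowed` stays a boolean for comparison."""
    if isinstance(value, dict):
        return {k: render(v, variables) for k, v in value.items()}
    if isinstance(value, list):
        return [render(v, variables) for v in value]
    if isinstance(value, str):
        whole = _VAR.fullmatch(value.strip())
        if whole:
            return lookup(whole.group(1), variables)
        return _VAR.sub(lambda m: str(lookup(m.group(1), variables)), value)
    return value


def build_subject_access_review(admission_request):
    """Produce the JSON body the apiCall context would POST for this request."""
    return render(SAR_TEMPLATE, {"request": admission_request})


def evaluate_conditions(conditions, variables):
    """True when the deny block fires. `any`: at least one condition holds;
    `all`: every condition holds; both present: both blocks must hold
    (assumed semantics for this simulation)."""
    def holds(cond):
        actual = render(cond["key"], variables)
        expected = render(cond["value"], variables)
        return OPERATORS[cond["operator"]](actual, expected)
    any_block = conditions.get("any", [])
    all_block = conditions.get("all", [])
    if not any_block and not all_block:
        return False
    any_ok = any(holds(c) for c in any_block) if any_block else True
    all_ok = all(holds(c) for c in all_block) if all_block else True
    return any_ok and all_ok


def admission_decision(admission_request, sar_response):
    """Apply the rule: deny when the SubjectAccessReview did not allow.
    A response that lacks `status.allowed` (failed or malformed call) is
    treated as a denial, so the simulation fails closed."""
    variables = {"request": admission_request, "subjectaccessreview": sar_response}
    try:
        denied = evaluate_conditions(DENY_CONDITIONS, variables)
    except KeyError as err:
        return {"allowed": False, "message": f"policy evaluation failed: {err}"}
    if denied:
        return {"allowed": False, "message": "User is not authorized."}
    return {"allowed": True, "message": ""}


# Constructed sample inputs: a ConfigMap UPDATE in namespace "team-a" and
# two API responses shaped like a real SubjectAccessReview status.
SAMPLE_REQUEST = {"namespace": "team-a", "operation": "UPDATE", "kind": {"kind": "ConfigMap"}}
SAR_DENIED = {"status": {"allowed": False, "reason": "no matching RBAC rule"}}
SAR_ALLOWED = {"status": {"allowed": True}}

if __name__ == "__main__":
    print(json.dumps(build_subject_access_review(SAMPLE_REQUEST), indent=2))
    print(admission_decision(SAMPLE_REQUEST, SAR_DENIED))   # denied
    print(admission_decision(SAMPLE_REQUEST, SAR_ALLOWED))  # allowed
```

Running it prints the rendered SubjectAccessReview with `namespace` set to `team-a`, then a denial for the first response and an allow for the second. The `NotEquals true` form of the condition is what makes the rule fail closed: anything other than an explicit `true` from the API server, including a missing field, results in the update being blocked.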