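---
# Kyverno generate policy: when a Namespace carrying a `team` label is created,
# create a RoleBinding in it that grants the `developer` ClusterRole to the
# group "<team>-developers".
#
# Trust boundary: the bound group name is derived from the Namespace's `team`
# label, so whoever may create or label Namespaces chooses which group receives
# developer access there. Pair this policy with a validate policy (or admission
# control on Namespace creation) that restricts who may set `team` and to which
# values; this policy only guards against the empty-value case below.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-developer-rolebinding
  annotations:
    policies.kyverno.io/title: "Генерация RoleBinding для команды"
    policies.kyverno.io/category: RBAC
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace
    policies.kyverno.io/description: >-
      При создании Namespace с лейблом team: автоматически создаёт RoleBinding,
      дающий группе -developers права ClusterRole developer.
      Namespace с лейблом team=payments → группа payments-developers получает доступ.
spec:
  rules:
    - name: generate-team-rolebinding
      match:
        resources:
          kinds:
            - Namespace
          # `Exists` matches any value for the key, including an empty one.
          selector:
            matchExpressions:
              - key: team
                operator: Exists
      # System and Kyverno namespaces never get a generated binding.
      exclude:
        resources:
          names:
            - kube-system
            - kube-public
            - kube-node-lease
            - kyverno
      # Kubernetes allows `team: ""`; without this guard the subject would become
      # the group "-developers". Other label-value constraints (charset, length)
      # are already enforced by the API server.
      preconditions:
        all:
          - key: "{{ request.object.metadata.labels.team }}"
            operator: NotEquals
            value: ""
      generate:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        name: developer-access
        namespace: "{{ request.object.metadata.name }}"
        # Keep the generated RoleBinding in sync with this policy: Kyverno
        # restores it if it is modified or deleted out of band.
        synchronize: true
        data:
          kind: RoleBinding
          apiVersion: rbac.authorization.k8s.io/v1
          metadata:
            name: developer-access
            labels:
              generated-by: kyverno
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: developer  # the ClusterRole must already exist
          # NOTE(review): the Kyverno background controller's ServiceAccount
          # needs RBAC to create RoleBindings in the target namespace and, due
          # to Kubernetes privilege-escalation prevention, to bind the
          # `developer` ClusterRole — confirm this is granted in the deployment.
          subjects:
            - kind: Group
              name: "{{ request.object.metadata.labels.team }}-developers"
              apiGroup: rbac.authorization.k8s.io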