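---
# Kyverno generate policy: for every Namespace that carries a `team` label,
# create (and keep in sync) a RoleBinding granting the group
# `<team>-developers` the permissions of ClusterRole `developer`.
#
# Trust boundary: the label value is chosen by whoever can create or label the
# Namespace, so that principal effectively picks which group gets bound.
# Restrict Namespace create/patch to trusted actors and keep ClusterRole
# `developer` limited to what a team should hold inside its own namespace.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-developer-rolebinding
  annotations:
    policies.kyverno.io/title: "Генерация RoleBinding для команды"
    policies.kyverno.io/category: RBAC
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace
    policies.kyverno.io/description: >-
      При создании Namespace с лейблом team: <name> автоматически создаёт
      RoleBinding, дающий группе <name>-developers права ClusterRole developer.
      Namespace с лейблом team=payments → группа payments-developers получает доступ.
spec:
  rules:
    - name: generate-team-rolebinding
      match:
        # `match.any` replaces the deprecated `match.resources` form.
        any:
          - resources:
              kinds:
                - Namespace
              selector:
                matchExpressions:
                  - key: team
                    operator: Exists
      exclude:
        any:
          - resources:
              # Control-plane namespaces must never receive an auto-generated binding.
              names:
                - kube-system
                - kube-public
                - kube-node-lease
                - kyverno
      # `Exists` also matches an empty label value (`team: ""`), which would
      # bind the meaningless group "-developers"; require a non-empty team name.
      preconditions:
        all:
          - key: "{{ request.object.metadata.labels.team || '' }}"
            operator: NotEquals
            value: ""
      generate:
        apiVersion: rbac.authorization.k8s.io/v1
        kind: RoleBinding
        name: developer-access
        namespace: "{{ request.object.metadata.name }}"
        # Keep the binding under policy control: manual edits to the generated
        # RoleBinding are reverted, and a changed `team` label re-targets the subject.
        synchronize: true
        data:
          kind: RoleBinding
          apiVersion: rbac.authorization.k8s.io/v1
          metadata:
            name: developer-access
            labels:
              generated-by: kyverno
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            # ClusterRole `developer` must already exist. Kubernetes RBAC
            # escalation prevention also requires the Kyverno background-controller
            # ServiceAccount to hold every permission in that ClusterRole or the
            # `bind` verb on it; otherwise the API server rejects this RoleBinding.
            name: developer
          subjects:
            - kind: Group
              # Label values are limited by Kubernetes to 63 chars of [A-Za-z0-9._-],
              # so the group name cannot be expanded into anything else.
              name: "{{ request.object.metadata.labels.team }}-developers"
              apiGroup: rbac.authorization.k8s.io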