Provide an example of policy dependent on user group #729

Closed
greyarch opened this issue Mar 1, 2020 · 3 comments
@greyarch greyarch commented Mar 1, 2020

I am trying to support multiple tenants on a single k8s cluster. This is based on namespace(s) per tenant. I think kyverno will be very helpful if I could match my policies to tenants using user groups. I think this is possible but cannot figure it out. Can you please add a sample/help for such a case?

Let's say I want to allow users belonging to a group (tenant) to be able to create namespaces, but only if the name of the namespace starts with a certain string (the name of the tenant). Something like this (lacking the group matching):

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validation-ns-name
spec:
  validationFailureAction: enforce
  rules:
    - name: check-ns-name
      match:
        resources:
          kinds:
            - Namespace
      validate:
        message: "Namespace name has to start with 'tenant1-'"
        pattern:
          metadata:
            name: "tenant1-*"
```

This policy works beautifully, I just need to include match on user group.
Thanks for the great work!

@realshuting realshuting commented Mar 2, 2020

@greyarch
To match a certain user group, you can define subjects in the match block. The subjects field is a list of k8s subject objects.

For example, the following policy matches the resource Namespace created with group mygroup:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: validation-ns-name
spec:
  validationFailureAction: enforce
  rules:
    - name: check-ns-name
      match:
        resources:
          kinds:
            - Namespace
        subjects:
          - kind: Group
            name: mygroup
      validate:
        message: "Namespace name has to start with 'tenant1-'"
        pattern:
          metadata:
            name: "tenant1-*"
```

You can also refer to this section to further match/exclude the resources.
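Extending the answer above to the multi-tenant setup the question describes, here is an added example (written for this page, not taken from the issue or from the Kyverno project) of a single ClusterPolicy with one rule per tenant group. The group names `tenant1-users` and `tenant2-users`, the namespace prefixes, and the `exclude` on the `cluster-admin` ClusterRole are assumptions chosen for illustration.

```yaml
# Added example, not from the issue or the Kyverno project.
# Assumed group names: tenant1-users, tenant2-users (adjust to your identity provider).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: tenant-namespace-names
spec:
  validationFailureAction: enforce
  rules:
    # Members of the tenant1 group may only create namespaces named "tenant1-<something>".
    - name: tenant1-ns-name
      match:
        resources:
          kinds:
            - Namespace
        subjects:
          - kind: Group
            name: tenant1-users
      exclude:
        # Assumed: platform administrators bound to cluster-admin are not subject to the prefix rule.
        clusterRoles:
          - cluster-admin
      validate:
        message: "Members of tenant1-users may only create namespaces named 'tenant1-*'"
        pattern:
          metadata:
            name: "tenant1-*"
    # Same shape for the second tenant; add one rule per tenant.
    - name: tenant2-ns-name
      match:
        resources:
          kinds:
            - Namespace
        subjects:
          - kind: Group
            name: tenant2-users
      exclude:
        clusterRoles:
          - cluster-admin
      validate:
        message: "Members of tenant2-users may only create namespaces named 'tenant2-*'"
        pattern:
          metadata:
            name: "tenant2-*"
```

Two things to check before relying on a policy like this. First, `subjects` matches when the requesting user carries any of the listed groups, so a user who is a member of both `tenant1-users` and `tenant2-users` triggers both rules; because each rule enforces a different prefix, no namespace name can satisfy both and that user is blocked from creating any namespace, which is usually the safe failure but should be a deliberate choice. Second, these rules only constrain users who are in a listed group; anyone outside those groups is not touched by this policy at all, so the ability to create namespaces in the first place still has to be restricted through RBAC rather than through this validation.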

@greyarch greyarch commented Mar 2, 2020

Thank you so much, @realshuting!

@realshuting realshuting commented Mar 6, 2020

Closing as resolved, reopen if necessary.

@realshuting realshuting closed this Mar 6, 2020