Create block-deletes

nirmata · Sep 5, 2024 · 72f492b · 72f492b
1 parent b502913
commit 72f492b
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/rbac-best-practices/block-deletes b/rbac-best-practices/block-deletes
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: block-deletes
+  annotations:
+    policies.kyverno.io/title: Block Deletes
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/subject: RBAC
+    policies.kyverno.io/description: >-
+      Kubernetes RBAC allows for controls on kinds of resources or those
+      with specific names. This policy restricts  deletes to any
+      resource except by a cluster-admin role.      
+spec:
+  validationFailureAction: enforce
+  background: false
+  rules:
+  - name: block-updates-deletes
+    match:
+      any:
+      - resources:
+          kinds:
+          - "*"
+    exclude:
+      any:
+      - clusterRoles:
+        - cluster-admin
+    validate:
+      message: "This resource is protected and changes are not allowed. Please seek a cluster-admin."
+      deny:
+        conditions:
+          any:
+            - key: "{{request.operation || 'BACKGROUND'}}"
+              operator: AnyIn
+              value:
+              - DELETE
+