Create restrict-add-other-users-to-rolebinding

nirmata · Sep 6, 2024 · c86e288 · c86e288
1 parent b502913
commit c86e288
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/rbac-best-practices/restrict-add-other-users-to-rolebinding b/rbac-best-practices/restrict-add-other-users-to-rolebinding
@@ -0,0 +1,38 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-add-other-users-to-rolebinding
+  annotations:
+    policies.kyverno.io/title: Restrict Users from Adding other User to their Rolebinding
+    policies.kyverno.io/category: Security, EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ClusterRole, Role, RBAC
+    kyverno.io/kyverno-version: 1.7.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.23"
+    policies.kyverno.io/description: >-
+      Restrict users from adding other users to their rolebindings.
+spec:
+  validationFailureAction: audit
+  rules:
+  - name: restrict-add-rolebinding
+    match:
+      any:
+      - resources:
+          kinds:
+            - Role
+    validate:
+      deny:
+        conditions:
+          all:
+          - key: "{{ request.object.rules[].resources[] }}"
+            operator: AnyIn
+            value: rolebindings
+          - key: "{{ request.object.rules[].verbs[] }}"
+            operator: AnyIn
+            value: 
+            - get
+            - patch
+          - key: "{{ contains(request.object.rules[].apiGroups[], '*') }}"
+            operator: Equals
+            value: true