From 07419b1da14cbfdfb5b80d129d150c13234f107c Mon Sep 17 00:00:00 2001
From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com>
Date: Thu, 5 Sep 2024 13:02:02 -0700
Subject: [PATCH] Create block-deletes

---
 rbac-best-practices/block-deletes | 36 +++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 rbac-best-practices/block-deletes

diff --git a/rbac-best-practices/block-deletes b/rbac-best-practices/block-deletes
new file mode 100644
index 00000000..104e8694
--- /dev/null
+++ b/rbac-best-practices/block-deletes
@@ -0,0 +1,36 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: block-deletes
+ annotations:
+ policies.kyverno.io/title: Block Deletes
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/subject: RBAC
+ policies.kyverno.io/description: >-
+ Kubernetes RBAC allows for controls on kinds of resources or those
+ with specific names. This policy restricts deletes to any
+ resource except by a cluster-admin role.
+spec:
+ validationFailureAction: enforce
+ background: false
+ rules:
+ - name: block-updates-deletes
+ match:
+ any:
+ - resources:
+ kinds:
+ - "*"
+ exclude:
+ any:
+ - clusterRoles:
+ - cluster-admin
+ validate:
+ message: "This resource is protected and changes are not allowed. Please seek a cluster-admin."
+ deny:
+ conditions:
+ any:
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: AnyIn
+ value:
+ - DELETE
+ - DELETECOLLECTION
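Review bot: `kinds: - "*"` combined with `validationFailureAction: enforce` denies DELETE and DELETECOLLECTION on every kind for every subject not bound to the `cluster-admin` ClusterRole, which presumably includes the built-in controllers (garbage collector, ReplicaSet and Job controllers) that authenticate with their own `system:` identities rather than cluster-admin, so routine cleanup such as scale-down pod deletion would be rejected unless Kyverno's default resource filters or webhook namespace exclusions happen to cover it. Consider narrowing `kinds` to the resources that actually need protection, adding the relevant controller `subjects` to the `exclude` block, and shipping the sample with `validationFailureAction: audit` so operators can observe what would be denied before switching to enforce. The rule name `block-updates-deletes` does not match the conditions, which list only DELETE and DELETECOLLECTION; renaming it to `block-deletes` keeps it consistent with the policy name and title. The new file has no `.yaml` extension (`rbac-best-practices/block-deletes`), which keeps linters, the kyverno CLI and catalog tooling from picking it up; the sibling samples in this repo presumably use `.yaml`.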