I have put delete restrictions (using a validation webhook) for all service accounts on a namespace, including the namespace itself. Is there a way, as a cluster admin, I can delete objects from that namespace?
package kubernetes.admission
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    namespaces := {"test01"}
    operations := {"CREATE","DELETE","UPDATE"}
    # Both set lookups must succeed for the request to be denied.
    namespaces[namespace]
    operations[operation]
    # One format verb per argument; the original string had a single %q for two values.
    msg := sprintf("Operation not permitted in protected namespace %q, invalid operation %q", [namespace, operation])
}
Or, is there a way to put the cluster admin in an exception?
Update:
I figured out the usernames to put in the exception, but this policy, although it evaluates correctly in the policy checker, does not have status: ok in the ConfigMap status:
package kubernetes.admission
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    # Exempt callers whose username is in the users set.
    not users[username]
    # One format verb per argument; the original string had a single %q for three values.
    msg := sprintf("Operation not permitted in protected namespace %q: user %q may not %q", [namespace, username, operation])
}
Update:
The policy status is Ok after a while.
This policy works, given that the usernames are correct.
package kubernetes.admission
deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    namespaces := {"test01","kube-system"}
    users := {"kubernetes-admin","admin"}
    operations := {"CREATE","DELETE","UPDATE"}
    namespaces[namespace]
    operations[operation]
    # Exempt callers whose username is in the users set.
    not users[username]
    # One format verb per argument; the original string had a single %q for three values.
    msg := sprintf("Operation not permitted in protected namespace %q: user %q may not %q", [namespace, username, operation])
}
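The policy above exempts callers by exact username, which is fragile: the username that appears in input.request.userInfo is whatever the authenticator assigns (for a kubeadm-generated admin kubeconfig it is the client certificate's CN, "kubernetes-admin", and that identity also carries the "system:masters" group), while service accounts always show up as "system:serviceaccount:<namespace>:<name>". The following is an added example, not the question author's code, that generalizes the exception to cover either an exempt username or an exempt group, and ships with opa test cases that pin down who is denied and who is allowed. It uses the same OPA v0 rule syntax as the policies above (for OPA 1.x run opa with --v0-compatible or convert to import rego.v1 syntax); the namespace, user and group sets and the AdmissionReview fragments are constructed sample values.

```rego
package kubernetes.admission

# Constructed sample sets; adjust to the cluster's real identities.
protected_namespaces := {"test01", "kube-system"}
exempt_users := {"kubernetes-admin", "admin"}
exempt_groups := {"system:masters"}
guarded_operations := {"CREATE", "DELETE", "UPDATE"}

# A request is exempt when the username is on the allow list ...
exempt {
    exempt_users[input.request.userInfo.username]
}

# ... or when any group the caller belongs to is on the allow list.
# If userInfo.groups is absent, this body is undefined and `not exempt` holds.
exempt {
    some i
    exempt_groups[input.request.userInfo.groups[i]]
}

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    protected_namespaces[namespace]
    guarded_operations[operation]
    not exempt
    # One format verb per argument.
    msg := sprintf("%s in protected namespace %q not permitted for user %q",
        [operation, namespace, input.request.userInfo.username])
}

# --- Tests: constructed AdmissionReview fragments (opa test policy.rego -v) ---

sa_delete := {"request": {
    "operation": "DELETE",
    "namespace": "test01",
    "userInfo": {
        "username": "system:serviceaccount:test01:deployer",
        "groups": ["system:serviceaccounts", "system:serviceaccounts:test01", "system:authenticated"]
    }
}}

admin_delete := {"request": {
    "operation": "DELETE",
    "namespace": "test01",
    "userInfo": {
        "username": "kubernetes-admin",
        "groups": ["system:masters", "system:authenticated"]
    }
}}

# A service account in a protected namespace is denied, with a single message.
test_service_account_delete_is_denied {
    count(deny) == 1 with input as sa_delete
}

# The admin username passes even though it is not a service account.
test_admin_delete_is_allowed {
    count(deny) == 0 with input as admin_delete
}

# Group membership alone is enough; the username is not on the list.
test_group_member_is_allowed {
    count(deny) == 0 with input as {"request": {
        "operation": "UPDATE",
        "namespace": "kube-system",
        "userInfo": {"username": "ops-user", "groups": ["system:masters"]}
    }}
}

# Namespaces outside the protected set are untouched by this policy.
test_unprotected_namespace_is_allowed {
    count(deny) == 0 with input as {"request": {
        "operation": "DELETE",
        "namespace": "sandbox",
        "userInfo": {"username": "system:serviceaccount:sandbox:ci", "groups": ["system:serviceaccounts"]}
    }}
}

# A request with no groups at all still falls through to the deny rule.
test_missing_groups_is_denied {
    count(deny) == 1 with input as {"request": {
        "operation": "CREATE",
        "namespace": "test01",
        "userInfo": {"username": "someone"}
    }}
}
```

Keeping the tests in the same package as the policy lets opa test exercise the real deny rule, so a typo in a username or group shows up as a failing test before the policy is loaded into the cluster rather than as an admin locked out of the namespace (or, worse, a service account that is silently allowed).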