# Admission guardrails for the stage-editor service account
# (system:serviceaccount:ontime-operator:stage-editor).
#
# Three ValidatingAdmissionPolicy / ValidatingAdmissionPolicyBinding pairs,
# each scoped by a matchCondition to that single identity, so no other
# principal is affected by these rules:
#   1. namespaces it creates/updates must be named "team-*"
#   2. stages (cloud.getontime.no/v1) it creates/updates must live in a "team-*"
#      namespace
#   3. stages it deletes must live in a "team-*" namespace
#
# failurePolicy: Fail means a request is rejected when the policy cannot be
# evaluated (e.g. a CEL error), rather than silently admitted.
# NOTE(review): DELETE on namespaces is not covered by pair 1; if the service
# account's RBAC grants namespace deletion, confirm whether that is intended.
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "force-ns-prefix-for-stage-editor"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["namespaces"]
  matchConditions:
    # Only evaluate for the stage-editor service account.
    - name: "only-stage-editor"
      expression: "request.userInfo.username == 'system:serviceaccount:ontime-operator:stage-editor'"
  validations:
    # Namespace names are immutable, so on UPDATE this also blocks edits to any
    # pre-existing namespace outside the "team-" prefix.
    - expression: "object.metadata.name.startsWith('team-')"
      message: "All namespaces managed by stage-editor must start with 'team-'"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "force-ns-prefix-for-stage-editor-binding"
spec:
  policyName: "force-ns-prefix-for-stage-editor"
  # Deny (not Warn/Audit): a failed validation rejects the request.
  validationActions: ["Deny"]
  matchResources:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["namespaces"]
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "force-ns-prefix-for-stage-create-update"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["cloud.getontime.no"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["stages"]
  matchConditions:
    # Only evaluate for the stage-editor service account.
    - name: "only-stage-editor"
      expression: "request.userInfo.username == 'system:serviceaccount:ontime-operator:stage-editor'"
  validations:
    # Checks the namespace on the incoming object; the DELETE policy below has
    # to use request.namespace instead because no object body is present there.
    - expression: "object.metadata.namespace.startsWith('team-')"
      message: "Stages must be managed in namespaces starting with 'team-'"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "force-ns-prefix-for-stage-create-update-binding"
spec:
  policyName: "force-ns-prefix-for-stage-create-update"
  validationActions: ["Deny"]
  matchResources:
    resourceRules:
      - apiGroups: ["cloud.getontime.no"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["stages"]
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "force-ns-prefix-for-stage-editor-delete"
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["cloud.getontime.no"]
        apiVersions: ["v1"]
        operations: ["DELETE"]
        resources: ["stages"]
  matchConditions:
    # Only evaluate for the stage-editor service account.
    - name: "only-stage-editor"
      expression: "request.userInfo.username == 'system:serviceaccount:ontime-operator:stage-editor'"
  validations:
    # On DELETE `object` is null (only oldObject is set), so the namespace is
    # taken from the request itself.
    - expression: "request.namespace.startsWith('team-')"
      message: "Stages must be managed in namespaces starting with 'team-'"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "force-ns-prefix-for-stage-editor-delete-binding"
spec:
  policyName: "force-ns-prefix-for-stage-editor-delete"
  validationActions: ["Deny"]
  matchResources:
    resourceRules:
      - apiGroups: ["cloud.getontime.no"]
        apiVersions: ["v1"]
        operations: ["DELETE"]
        resources: ["stages"]