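---
# ValidatingAdmissionPolicy: limits the Namespace names that the stage-editor
# service account may CREATE or UPDATE to those starting with 'team-'.
# It only restricts; what the account is allowed to do at all is still decided
# by RBAC, and DELETE is not in the matched operations.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "force-ns-prefix-for-stage-editor"
spec:
  # Fail closed: a policy or expression evaluation error rejects the request
  # instead of admitting it.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["namespaces"]
  matchConditions:
    # Exact username match: only this one service account is constrained.
    # Requests from any other identity skip the validation below.
    - name: 'only-stage-editor'
      expression: "request.userInfo.username == 'system:serviceaccount:stage-maker:stage-editor'"
  validations:
    # Namespace is a cluster-scoped resource, so its metadata.namespace is not
    # populated; the value to check is metadata.name. Testing
    # metadata.namespace here would reject every request from this account.
    - expression: "object.metadata.name.startsWith('team-')"
      message: "All namespace requests by stage-editor must start with 'team-'"
---
# Binding: activates the policy above. Without a binding the policy has no
# effect. No paramRef is set, so the policy is evaluated without parameters.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "force-ns-prefix-for-stage-editor-binding"
spec:
  policyName: "force-ns-prefix-for-stage-editor"
  # Deny: a failed validation rejects the request.
  validationActions: [Deny]
  # Same resource rule as the policy's matchConstraints; a request must match
  # both to be evaluated.
  matchResources:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["namespaces"]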