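---
# Policy 1: the stage-editor ServiceAccount may only create/update Namespaces
# whose name starts with "team-"; any other Namespace name it submits is denied.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "force-ns-prefix-for-stage-editor"
spec:
  # Fail closed: an evaluation error in any expression denies the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      # NOTE(review): DELETE is not in scope here, so Namespace deletion by this
      # account is governed by RBAC alone — confirm that is intended.
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["namespaces"]
  matchConditions:
    # Scope the policy to this one ServiceAccount; other principals are unaffected.
    - name: "only-stage-editor"
      expression: "request.userInfo.username == 'system:serviceaccount:ontime-operator:stage-editor'"
  validations:
    # `object` is populated on CREATE and UPDATE, so it is safe to read here.
    - expression: "object.metadata.name.startsWith('team-')"
      message: "All namespaces managed by stage-editor must start with 'team-'"
---
# Binding for policy 1. validationActions [Deny] rejects the request outright
# (as opposed to Warn/Audit, which only report).
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "force-ns-prefix-for-stage-editor-binding"
spec:
  policyName: "force-ns-prefix-for-stage-editor"
  validationActions: [Deny]
  matchResources:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["namespaces"]
---
# Policy 2: the stage-editor ServiceAccount may only create/update/delete
# Stages that live in a Namespace whose name starts with "team-".
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: "force-stage-ns-prefix-for-stage-editor"
spec:
  # Fail closed: an evaluation error in any expression denies the request.
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["cloud.getontime.no"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE", "DELETE"]
        resources: ["stages"]
  matchConditions:
    # Scope the policy to this one ServiceAccount; other principals are unaffected.
    - name: "only-stage-editor"
      expression: "request.userInfo.username == 'system:serviceaccount:ontime-operator:stage-editor'"
  validations:
    # On DELETE the admission request carries no `object` (only `oldObject`), so
    # reading object.metadata.namespace is an evaluation error there and, with
    # failurePolicy Fail, every DELETE by stage-editor would be denied.  Read
    # whichever object is present for the current operation instead.
    - expression: "(request.operation == 'DELETE' ? oldObject : object).metadata.namespace.startsWith('team-')"
      message: "Stages managed by stage-editor must live in namespaces starting with 'team-'"
---
# Binding for policy 2; the resource rules mirror the policy's matchConstraints.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: "force-stage-ns-prefix-for-stage-editor-binding"
spec:
  policyName: "force-stage-ns-prefix-for-stage-editor"
  validationActions: [Deny]
  matchResources:
    resourceRules:
      - apiGroups: ["cloud.getontime.no"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE", "DELETE"]
        resources: ["stages"]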