Reputation: 1
I am trying to write a policy that blocks permission for specific users to a list of specific Kubernetes namespaces. This is what I have so far; it works for a single user/namespace, but I need one that can handle multiple users or namespaces.
package kubernetes.admission
# Only write operations are checked; reads are not subject to this rule.
operations = {"CREATE", "UPDATE", "DELETE"}
deny[msg] {
username := input.request.userInfo.username
username == "user1"
operations[input.request.operation]
namespace := input.request.object.metadata.namespace
namespace == "ns1"
msg := sprintf("Unauthorized: %v is not permitted to modify objects in namespace %v", [username, namespace])
}
Upvotes: 0
Views: 1235
Reputation: 2360
Sounds like you'll want a mapping then per user -> allowed namespaces. Here's one example of how you could do that.
package kubernetes.admission
import future.keywords.in
operations := {"CREATE", "UPDATE", "DELETE"}
user_namespaces := {
"admin1": ["default", "kube-system"],
"user1": ["user1-ns"],
"user2": ["default", "user2-ns"],
}
deny[msg] {
input.request.operation in operations
username := input.request.userInfo.username
namespace := input.request.object.metadata.namespace
not namespace in user_namespaces[username]
msg := sprintf("Unauthorized: %v is not permitted to modify objects in namespace %v", [username, namespace])
}
For a "real" policy you probably wouldn't want to hard-code the user->namespace mapping like this but provide it as part of OPA's in-memory data, but the principle is the same.
Upvotes: 0
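As an added example (not the answerer's code), here is the same rule with the mapping read from OPA's data document instead of being hard-coded, together with Rego unit tests runnable via `opa test`. The path `data.user_namespaces`, the users, namespaces and the admission request shape are constructed sample values; the pre-1.0 `deny[msg]` syntax matches the answer.

```rego
package kubernetes.admission

import future.keywords.in

operations := {"CREATE", "UPDATE", "DELETE"}

# The user -> allowed-namespaces mapping lives in OPA's data document (loaded from a
# bundle or pushed through the data API) under the assumed path data.user_namespaces,
# e.g. {"user_namespaces": {"user1": ["user1-ns"], "user2": ["default", "user2-ns"]}}.
deny[msg] {
    input.request.operation in operations
    username := input.request.userInfo.username
    namespace := input.request.object.metadata.namespace
    # A user with no entry in the mapping is denied too: the lookup is undefined,
    # so `not ... in ...` evaluates to true (default-deny for unknown users).
    not namespace in data.user_namespaces[username]
    msg := sprintf("Unauthorized: %v is not permitted to modify objects in namespace %v", [username, namespace])
}

# Constructed AdmissionReview-shaped input used by the tests below.
request(user, op, ns) = {"request": {
    "operation": op,
    "userInfo": {"username": user},
    "object": {"metadata": {"namespace": ns}},
}}

# Constructed mapping injected in place of data.user_namespaces during tests.
mapping := {"user1": ["user1-ns"], "user2": ["default", "user2-ns"]}

test_allowed_namespace_not_denied {
    count(deny) == 0 with input as request("user2", "CREATE", "default") with data.user_namespaces as mapping
}

test_foreign_namespace_denied {
    count(deny) == 1 with input as request("user1", "DELETE", "default") with data.user_namespaces as mapping
}

test_unknown_user_denied {
    count(deny) == 1 with input as request("stranger", "UPDATE", "default") with data.user_namespaces as mapping
}

test_non_write_operation_ignored {
    count(deny) == 0 with input as request("stranger", "CONNECT", "default") with data.user_namespaces as mapping
}
```

Save it as `policy.rego` and run `opa test .` to check all four cases; the unknown-user case is the one worth keeping in mind, since it shows the rule fails closed rather than open.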