# Copyright 2018 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: constraints.gatekeeper.sh/v1beta1 kind: K8sRestrictRoleBindings metadata: # kpt-merge: /restrict-clusteradmin-rolebindings name: restrict-clusteradmin-rolebindings annotations: # This constraint is not certified by CIS. description: "Restricts use of the cluster-admin role." spec: enforcementAction: dryrun # kpt-set: ${enforcementAction} parameters: restrictedRole: apiGroup: "rbac.authorization.k8s.io" kind: "ClusterRole" name: "cluster-admin" allowedSubjects: - apiGroup: "rbac.authorization.k8s.io" kind: "Group" name: "system:masters"