---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: airm-project-namespace-rolebinding
spec:
  background: false
  rules:
    - generate:
        apiVersion: rbac.authorization.k8s.io/v1
        data:
          roleRef:
            apiGroup: rbac.authorization.k8s.io
            kind: ClusterRole
            name: airm-project-member
          subjects:
            - apiGroup: rbac.authorization.k8s.io
              kind: Group
              name: oidc{{request.object.metadata.name}}
        kind: RoleBinding
        name: '{{request.object.metadata.name}}-member-role-binding'
        namespace: '{{request.object.metadata.name}}'
        synchronize: true
      match:
        any:
          - resources:
              kinds:
                - Namespace
              operations:
                - CREATE
      name: generate-project-namespace-rolebinding
      preconditions:
        any:
          - key: '{{request.object.metadata.labels."airm.silogen.ai/project-id" || '''' }}'
            operator: NotEquals
            value: ""