Disallow use of the SecurityContextConstraint (SCC) anyuid in CEL expressions
Disallow the use of the SecurityContextConstraint (SCC) anyuid, which allows a pod to run with the UID declared in the image instead of a UID from the namespace's pre-allocated range. The policy blocks both Roles/ClusterRoles that grant `use` on the anyuid SCC and bindings that reference OpenShift's `system:openshift:scc:anyuid` ClusterRole.
Policy Definition
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-security-context-constraint-anyuid
  annotations:
    policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid in CEL expressions
    policies.kyverno.io/category: Security in CEL
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kubernetes-version: "1.26-1.27"
    policies.kyverno.io/subject: Role,ClusterRole,RBAC
    policies.kyverno.io/description: >-
      Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run
      with the UID as declared in the image instead of a UID from the namespace's pre-allocated range.
spec:
  validationFailureAction: Enforce
  background: true
  rules:
    - name: check-security-context-constraint
      match:
        any:
          - resources:
              kinds:
                - ClusterRole
                - Role
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            # resourceNames is optional in an RBAC PolicyRule, so it is read with the
            # optional syntax (.?field.orValue([])) like rules itself; a plain
            # rule.resourceNames would raise a "no such key" error on any rule that
            # omits it and fail the admission of ordinary Roles.
            - expression: "!object.?rules.orValue([]).exists(rule, 'anyuid' in rule.?resourceNames.orValue([]) && ('use' in rule.verbs || '*' in rule.verbs))"
              message: >-
                Use of the SecurityContextConstraint (SCC) anyuid is not allowed
    - name: check-security-context-roleref
      match:
        any:
          - resources:
              kinds:
                - ClusterRoleBinding
                - RoleBinding
              operations:
                - CREATE
                - UPDATE
      validate:
        cel:
          expressions:
            # OpenShift ships a ClusterRole per SCC named system:openshift:scc:<name>;
            # binding to the anyuid one grants use of the SCC without a custom Role.
            - expression: "object.roleRef.name != 'system:openshift:scc:anyuid'"
              message: >-
                Use of the SecurityContextConstraint (SCC) anyuid is not allowed
```
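To see exactly which RBAC objects the two rules accept and reject, and to audit a cluster dump before the policy is enforced, the script below re-implements the policy's CEL logic in Python. It is an added example, not Kyverno's or OpenShift's own code; the `SAMPLES` objects are constructed for illustration and the `audit`/`evaluate` helper names are this example's own. It deliberately covers the edge case the CEL has to handle: a rule with no `resourceNames` at all must pass cleanly rather than error.

```python
# Added example (not Kyverno's or OpenShift's code): offline re-implementation of the
# policy's two CEL checks, usable on the output of
#   kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json
# The SAMPLES below are constructed for illustration.
import json
import sys
from typing import Any

ANYUID_SCC = "anyuid"
# ClusterRole OpenShift ships for the anyuid SCC; the second rule matches bindings to it.
ANYUID_CLUSTERROLE = "system:openshift:scc:anyuid"
DENY_MESSAGE = "Use of the SecurityContextConstraint (SCC) anyuid is not allowed"


def rule_grants_anyuid_use(rule: dict[str, Any]) -> bool:
    """One PolicyRule; mirrors
    'anyuid' in rule.?resourceNames.orValue([]) && ('use' in rule.verbs || '*' in rule.verbs).
    resourceNames is optional in rbac.authorization.k8s.io/v1, so a missing field
    is treated as an empty list instead of raising."""
    names = rule.get("resourceNames") or []
    verbs = rule.get("verbs") or []
    return ANYUID_SCC in names and ("use" in verbs or "*" in verbs)


def role_allowed(obj: dict[str, Any]) -> bool:
    """Role / ClusterRole: deny if any rule grants use (or *) on the anyuid SCC."""
    return not any(rule_grants_anyuid_use(r) for r in obj.get("rules") or [])


def binding_allowed(obj: dict[str, Any]) -> bool:
    """RoleBinding / ClusterRoleBinding: deny if roleRef names the anyuid ClusterRole."""
    return obj.get("roleRef", {}).get("name") != ANYUID_CLUSTERROLE


def evaluate(obj: dict[str, Any]) -> tuple[bool, str]:
    """(allowed, message) for one object; kinds the policy does not match always pass."""
    kind = obj.get("kind", "")
    if kind in ("Role", "ClusterRole"):
        allowed = role_allowed(obj)
    elif kind in ("RoleBinding", "ClusterRoleBinding"):
        allowed = binding_allowed(obj)
    else:
        return True, "not matched by policy"
    return allowed, ("pass" if allowed else DENY_MESSAGE)


def audit(payload: dict[str, Any]) -> list[tuple[str, str, bool, str]]:
    """Evaluate a single object or a kubectl `List`; returns (kind, ns/name, allowed, msg)."""
    objects = payload.get("items") or [] if payload.get("kind") == "List" else [payload]
    report = []
    for obj in objects:
        meta = obj.get("metadata", {})
        ident = f"{meta.get('namespace', '-')}/{meta.get('name', '?')}"
        allowed, msg = evaluate(obj)
        report.append((obj.get("kind", "?"), ident, allowed, msg))
    return report


SCC = {"apiGroups": ["security.openshift.io"], "resources": ["securitycontextconstraints"]}
SA = [{"kind": "ServiceAccount", "name": "default", "namespace": "app"}]
ROLE_REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole"}

# Constructed samples: items 1, 2 and 5 violate the policy, the rest are allowed.
SAMPLES = {
    "kind": "List",
    "items": [
        {"kind": "Role", "metadata": {"namespace": "app", "name": "scc-anyuid-use"},
         "rules": [{**SCC, "resourceNames": ["anyuid"], "verbs": ["use"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "scc-anyuid-wildcard"},
         "rules": [{**SCC, "resourceNames": ["anyuid"], "verbs": ["*"]}]},
        # ordinary Role with no resourceNames: must pass, not error
        {"kind": "Role", "metadata": {"namespace": "app", "name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
        {"kind": "Role", "metadata": {"namespace": "app", "name": "scc-restricted-use"},
         "rules": [{**SCC, "resourceNames": ["restricted"], "verbs": ["use"]}]},
        {"kind": "RoleBinding", "metadata": {"namespace": "app", "name": "bind-anyuid"},
         "roleRef": {**ROLE_REF, "name": ANYUID_CLUSTERROLE}, "subjects": SA},
        {"kind": "RoleBinding", "metadata": {"namespace": "app", "name": "bind-restricted"},
         "roleRef": {**ROLE_REF, "name": "system:openshift:scc:restricted"}, "subjects": SA},
    ],
}

if __name__ == "__main__":
    # Pass a JSON file (e.g. a kubectl -o json dump) as the first argument, or run bare to use SAMPLES.
    payload = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLES
    for kind, ident, allowed, msg in audit(payload):
        print(f"{'ALLOW' if allowed else 'DENY '} {kind} {ident}: {msg}")
```

Two caveats worth knowing before enforcing. The first rule keys only on `resourceNames` and `verbs`, not on `resources`, so a rule granting `use` or `*` on any other resource that happens to be named `anyuid` is also denied; that is conservative rather than wrong. Second, with `background: true` Kyverno also reports pre-existing Roles and bindings that already grant the SCC, so run it in `Audit` first and review the policy reports before switching to `Enforce`.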