Disallow deprecated APIs

OpenShift APIs are sometimes deprecated and then removed after a few releases. As a best practice, older API versions should be replaced with newer versions. This policy checks for resources that use APIs that are deprecated or scheduled for removal. Note that checking for some of these resources may require removing filters from the Kyverno ConfigMap.

Policy Definition

/openshift/disallow-deprecated-apis/disallow-deprecated-apis.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-deprecated-apis
  annotations:
    policies.kyverno.io/title: Disallow deprecated APIs
    policies.kyverno.io/category: OpenShift
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.20"
    policies.kyverno.io/subject: ClusterRole,ClusterRoleBinding,Role,RoleBinding,RBAC
    policies.kyverno.io/description: >-
      OpenShift APIs are sometimes deprecated and removed after a few releases.
      As a best practice, older API versions should be replaced with newer versions.
      This policy validates for APIs that are deprecated or scheduled for removal.
      Note that checking for some of these resources may require modifying the Kyverno
      ConfigMap to remove filters.
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: check-deprecated-apis
    match:
      any:
      - resources:
          kinds:
          - authorization.openshift.io/v1/ClusterRole
          - authorization.openshift.io/v1/ClusterRoleBinding
          - authorization.openshift.io/v1/Role
          - authorization.openshift.io/v1/RoleBinding
    validate:
      message: >-
        {{ request.object.apiVersion }}/{{ request.object.kind }} is deprecated.
      deny: {}
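
Because the policy runs in `Enforce` mode, it helps to know which manifests in a repository it would reject before it is applied. The following is an added example, not part of the Kyverno policy library: a pre-check that mirrors the rule's group/version/kind match and renders the same denial message. The function name `find_deprecated` and the sample manifests are constructed for illustration, and the scan is a line-based approximation of YAML parsing that assumes block-style manifests with top-level `apiVersion` and `kind` keys.

```python
import re

# Group/version/kind entries copied from the policy's match block.
DEPRECATED = {
    "authorization.openshift.io/v1/" + kind
    for kind in ("ClusterRole", "ClusterRoleBinding", "Role", "RoleBinding")
}
# Top-level keys only: nested fields such as roleRef.kind are indented.
_FIELD = re.compile(r"^(apiVersion|kind):[ \t]*['\"]?([^'\"#\s]+)", re.M)
_NAME = re.compile(r"^metadata:\n(?:[ ]+.*\n)*?[ ]+name:[ \t]*(\S+)", re.M)


def find_deprecated(manifest_text):
    """Return one finding per YAML document that the policy would deny."""
    docs = [d for d in re.split(r"^---\s*$", manifest_text, flags=re.M) if d.strip()]
    findings = []
    for index, doc in enumerate(docs):
        fields = dict(_FIELD.findall(doc))
        gvk = f"{fields.get('apiVersion')}/{fields.get('kind')}"
        if gvk in DEPRECATED:
            name = _NAME.search(doc)
            findings.append({
                "document": index,
                "name": name.group(1) if name else None,
                # Text the policy's message template renders to.
                "message": f"{gvk} is deprecated.",
            })
    return findings

# Constructed sample input, not taken from a real cluster.
SAMPLE = """\
apiVersion: authorization.openshift.io/v1
kind: RoleBinding
metadata:
  name: legacy-edit
roleRef:
  kind: Role
  name: edit
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: current-edit
---
apiVersion: "authorization.openshift.io/v1"
kind: ClusterRole  # quoted value and trailing comment
metadata:
  name: legacy-reader
"""
```

The second document in the sample is not flagged: the rule matches on the full group/version/kind, so a `RoleBinding` under `rbac.authorization.k8s.io/v1` passes while the same kind under `authorization.openshift.io/v1` is denied.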