Disallow use of the SecurityContextConstraint (SCC) anyuid
Disallow the use of the SecurityContextConstraint (SCC) anyuid, which allows a pod to run with the UID declared in the image instead of a randomly assigned UID.
Policy Definition
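---
# Kyverno ClusterPolicy: block RBAC objects that grant the OpenShift SCC "anyuid".
# Two rules cover the two ways the grant can be expressed:
#   1. a Role/ClusterRole whose rules list "anyuid" under resourceNames with
#      verb "use" (or "*");
#   2. a RoleBinding/ClusterRoleBinding whose roleRef points at the built-in
#      "system:openshift:scc:anyuid" role.
# Both run in background mode, so existing objects are reported as well as
# admission-time requests.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-security-context-constraint-anyuid
  annotations:
    policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid
    policies.kyverno.io/category: Security
    policies.kyverno.io/severity: high
    # Version strings are quoted so no YAML loader retypes them.
    kyverno.io/kyverno-version: "1.6.0"
    policies.kyverno.io/minversion: "1.6.0"
    kyverno.io/kubernetes-version: "1.20"
    policies.kyverno.io/subject: Role,ClusterRole,RBAC
    policies.kyverno.io/description: >-
      Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod
      to run with the UID as declared in the image instead of a random UID
spec:
  # Enforce: violating objects are rejected at admission, not merely reported.
  validationFailureAction: Enforce
  background: true
  rules:
    # Rule 1: inspect every rule entry of a Role/ClusterRole.
    - name: check-security-context-constraint
      match:
        any:
          - resources:
              kinds:
                - ClusterRole
                - Role
      validate:
        message: >-
          Use of the SecurityContextConstraint (SCC) anyuid is not allowed
        foreach:
          - list: request.object.rules[]
            deny:
              conditions:
                # Both conditions must hold for the current rule entry to be denied.
                all:
                  # "anyuid" appears among the entry's named resources.
                  # NOTE(review): an entry granting "use" on every SCC (no
                  # resourceNames at all) has no "anyuid" element to match here,
                  # so it is not caught by this rule — confirm that is intended.
                  # NOTE(review): also verify how Kyverno resolves
                  # element.resourceNames[] when the field is absent (null vs.
                  # variable error) — this affects whether such entries error or pass.
                  - key: anyuid
                    operator: AnyIn
                    value: "{{element.resourceNames[]}}"
                  # The entry carries the "use" verb or the wildcard verb.
                  # The entry's "resources" field is not inspected, so a
                  # resourceNames entry "anyuid" on any resource type is denied.
                  - key: "{{ element.verbs[] | contains(@, 'use') || contains(@, '*') }}"
                    operator: Equals
                    value: true
    # Rule 2: reject bindings to the built-in anyuid SCC role.
    - name: check-security-context-roleref
      match:
        any:
          - resources:
              kinds:
                - ClusterRoleBinding
                - RoleBinding
      validate:
        message: >-
          Use of the SecurityContextConstraint (SCC) anyuid is not allowed
        deny:
          conditions:
            all:
              # Compared by name only; roleRef.kind is not checked.
              # Quoted because the value contains colons.
              - key: "system:openshift:scc:anyuid"
                operator: Equals
                value: "{{request.object.roleRef.name}}"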