Disallow binding to self-provisioner cluster role in OpenShift
This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.
Policy Definition
/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml
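---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-self-provisioner-binding
  annotations:
    policies.kyverno.io/title: Disallow binding to self-provisioner cluster role in OpenShift
    policies.kyverno.io/category: OpenShift
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.20"
    policies.kyverno.io/subject: ClusterRoleBinding, RBAC
    policies.kyverno.io/description: >-
      This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.
spec:
  # Enforce: a matching admission request is rejected, not just reported.
  validationFailureAction: Enforce
  # Existing ClusterRoleBindings are also evaluated in background scans. Only the
  # second rule is effective there: the first rule's operation precondition
  # defaults to 'BACKGROUND', which never equals UPDATE.
  background: true
  rules:
    # Rule 1: the binding named `self-provisioners` (the default OpenShift
    # binding for the `self-provisioner` ClusterRole) may not be modified.
    # Only UPDATE is checked here, and rule 2 exempts this name entirely, so a
    # CREATE of a binding with this name is not covered by the policy —
    # NOTE(review): confirm that coverage is intended.
    - name: check-self-provisioner-binding-no-subject
      match:
        any:
          - resources:
              kinds:
                - ClusterRoleBinding
      preconditions:
        all:
          # `|| ''` matches the second rule's handling of the name: an absent
          # name compares as an empty string instead of an unresolved variable.
          - key: "{{request.object.metadata.name || ''}}"
            operator: Equals
            value: self-provisioners
          # Unset operation (background scan) falls back to 'BACKGROUND'.
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: UPDATE
      validate:
        message: >-
          Modifying the self-provisioners ClusterRoleBinding is not allowed.
        # Unconditional deny once the preconditions above hold.
        deny: {}
    # Rule 2: every other ClusterRoleBinding is denied when its roleRef names
    # the `self-provisioner` ClusterRole, whatever subjects it carries.
    - name: check-self-provisioner-binding-with-subject
      match:
        any:
          - resources:
              kinds:
                - ClusterRoleBinding
      preconditions:
        all:
          # The default `self-provisioners` binding is handled by rule 1.
          - key: "{{request.object.metadata.name || ''}}"
            operator: NotEquals
            value: self-provisioners
      validate:
        message: >-
          Binding to the self-provisioners cluster role is not allowed.
        deny:
          conditions:
            all:
              # Deny when the referenced ClusterRole name is `self-provisioner`.
              - key: self-provisioner
                operator: AnyIn
                value: "{{request.object.roleRef.name}}"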