Block cluster-admin from modifying any object in a Namespace
In some cases it may be desirable to block operations by certain privileged users (e.g. cluster-admins) in a specific namespace. In this policy, Kyverno looks for all user operations (CREATE, UPDATE, DELETE) on every object kind in the testnamespace namespace, performed by a subject bound to the ClusterRole cluster-admin. The user testuser is also listed so the rule does not apply to every cluster-admin in the cluster; this keeps it flexible enough to target only a sub-group of the cluster-admins. Note that all fields of a match entry must hold at once (resources, clusterRoles and subjects are ANDed), and that CONNECT requests (such as exec and port-forward) are not in the denied operation list.
Policy Definition
/other/block-cluster-admin-from-ns/block-cluster-admin-from-ns.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-cluster-admin-from-ns
  annotations:
    policies.kyverno.io/title: Block cluster-admin from modifying any object in a Namespace
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Namespace, ClusterRole, User
    policies.kyverno.io/minversion: 1.9.0
    policies.kyverno.io/description: >-
      In some cases, it may be desirable to block operations of certain privileged users
      (i.e. cluster-admins) in a specific namespace. In this policy, Kyverno will look for all user operations
      (CREATE, UPDATE, DELETE), on every object kind, in the testnamespace namespace, and for the
      ClusterRole cluster-admin. The user testuser is also mentioned so it won't include all the cluster-admins in
      the cluster, but will be flexible enough to apply only for a sub-group of the cluster-admins in the cluster.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: block-cluster-admin-from-ns
    match:
      any:
      - resources:
          kinds:
          - "*"
          namespaces:
          - testnamespace
        clusterRoles:
        - cluster-admin
        subjects:
        - kind: User
          name: testuser
    validate:
      message: "The cluster-admin 'testuser' user cannot touch testnamespace Namespace."
      deny:
        conditions:
          any:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: AnyIn
            value:
            - CREATE
            - UPDATE
            - DELETE
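To make the matching semantics of the policy above concrete, here is an added Python evaluator that is not part of Kyverno or of this policy library. It applies the rule's match block (resources, clusterRoles and subjects ANDed within one entry, each list ORed) and its deny condition to constructed admission requests. The `AdmissionRequest` type, the `cluster_roles` field (assumed to hold the ClusterRoles Kyverno has already resolved for the user from RBAC bindings) and the helper names are all illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the parts of an admission request this rule inspects.
@dataclass
class AdmissionRequest:
    operation: Optional[str]      # CREATE / UPDATE / DELETE / CONNECT; None for a background scan
    kind: str                     # e.g. Deployment, Secret
    namespace: str
    username: str
    cluster_roles: Tuple[str, ...]  # assumption: ClusterRoles pre-resolved for the user by Kyverno

# The relevant fields of block-cluster-admin-from-ns, transcribed from the YAML above.
POLICY = {
    "background": False,
    "match": {
        "resources": {"kinds": ["*"], "namespaces": ["testnamespace"]},
        "clusterRoles": ["cluster-admin"],
        "subjects": [{"kind": "User", "name": "testuser"}],
    },
    "deny_operations": ["CREATE", "UPDATE", "DELETE"],
}


def _kind_matches(pattern: str, kind: str) -> bool:
    # "*" matches any kind; otherwise an exact kind name is required.
    return pattern == "*" or pattern == kind


def matches(req: AdmissionRequest, match: dict) -> bool:
    """True when every field of the single match entry holds for this request."""
    res = match["resources"]
    if not any(_kind_matches(k, req.kind) for k in res["kinds"]):
        return False
    if req.namespace not in res["namespaces"]:
        return False
    # clusterRoles: the user must hold at least one of the listed ClusterRoles.
    if not any(role in req.cluster_roles for role in match["clusterRoles"]):
        return False
    # subjects: the user must be one of the listed User subjects.
    if not any(s["kind"] == "User" and s["name"] == req.username for s in match["subjects"]):
        return False
    return True


def evaluate(req: AdmissionRequest, policy: dict = POLICY) -> str:
    """Return 'deny', 'allow' or 'skip' (rule did not apply to the request)."""
    # background: false means the rule never runs in background scans.
    if req.operation is None and not policy["background"]:
        return "skip"
    if not matches(req, policy["match"]):
        return "skip"
    # Mirrors {{request.operation || 'BACKGROUND'}}: fall back when no operation is set.
    op = req.operation or "BACKGROUND"
    return "deny" if op in policy["deny_operations"] else "allow"


if __name__ == "__main__":
    admin = ("cluster-admin",)
    print(evaluate(AdmissionRequest("DELETE", "Secret", "testnamespace", "testuser", admin)))   # deny
    print(evaluate(AdmissionRequest("CONNECT", "Pod", "testnamespace", "testuser", admin)))    # allow
    print(evaluate(AdmissionRequest("CREATE", "Secret", "prod", "testuser", admin)))           # skip
    print(evaluate(AdmissionRequest("CREATE", "Secret", "testnamespace", "otheradmin", admin)))  # skip
```

Running the block shows the two caveats a defender cares about: a different cluster-admin (or testuser without the ClusterRole) is not affected because all three match fields must hold, and a CONNECT request from testuser in testnamespace is still allowed because it is not in the deny list.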