Require Unique UID per Workload

Two distinct workloads should not share a UID, so that in a multitenant environment applications from different projects never run as the same user ID. When persistent storage is used, files created by different applications then also have different ownership in the file system. Running each application's processes as a different user ID means that if a security vulnerability were ever discovered in the underlying container runtime, and an application were able to break out of the container to the host, it would not be able to interact with processes owned by other users or by other applications in other projects.

Policy Definition

/other/require-unique-uid-per-workload/require-unique-uid-per-workload.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-unique-uid-per-workload
  annotations:
    policies.kyverno.io/title: Require Unique UID per Workload
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Two distinct workloads should not share a UID so that in a multitenant environment, applications 
      from different projects never run as the same user ID. When using persistent storage, 
      any files created by applications will also have different ownership in the file system.
      Running processes for applications as different user IDs means that if a security 
      vulnerability were ever discovered in the underlying container runtime, and an application 
      were able to break out of the container to the host, they would not be able to interact 
      with processes owned by other users, or from other applications, in other projects.
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.20"
spec:
  background: false
  validationFailureAction: Audit
  rules:
  - name: require-unique-uid
    match:
      any:
      - resources:
          kinds:
          - Pod
    context:
      - name: uidsAllPodsExceptSameOwnerAsRequestObject
        apiCall:
          urlPath: "/api/v1/pods"
          # Gets the UIDs of all Pods, excluding those of Pods whose ownerReference
          # references the same owner as the policy subject (request.object).
          # UIDs need to be strings, because the "In" operator (see the conditions block below) only works on lists of strings.
          # see https://github.com/kyverno/website/blob/b08d6d8356bd46b8d55ab52324a9cfa243399b01/content/en/docs/Writing%20policies/preconditions.md?plain=1#L154
          jmesPath: "items[?@.metadata.ownerReferences == false || metadata.ownerReferences[?uid != '{{ request.object.metadata.keys(@).contains(@, 'ownerReferences') && request.object.metadata.ownerReferences[0].uid }}']].spec.containers[].securityContext.to_string(runAsUser)"
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: Equals
        value: CREATE
    validate:
      message: "Only cluster-unique UIDs are allowed"
      deny:
        conditions:
        # this checks the UIDs of ALL containers in any Pod of the workload
          all:
          - key: "{{ request.object.spec.containers[].securityContext.to_string(runAsUser) }}"
            operator: AnyIn
            value: "{{ uidsAllPodsExceptSameOwnerAsRequestObject }}"
```
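To see how the rule decides on concrete Pods, here is an added Python model (not part of the policy or of Kyverno) of the check the rule's comments describe: collect the `runAsUser` values of every container in Pods owned by a different object, then deny when any of the new Pod's UIDs is among them. The Pod list and the `rs-…` owner UIDs are constructed sample data standing in for the `/api/v1/pods` response.

```python
import json

# Constructed stand-in for the Pod list fetched via apiCall "/api/v1/pods", trimmed to the fields the rule reads.
EXISTING_PODS = [
    {"metadata": {"name": "web-1", "ownerReferences": [{"uid": "rs-aaaa"}]},
     "spec": {"containers": [{"securityContext": {"runAsUser": 1001}}]}},
    {"metadata": {"name": "web-2", "ownerReferences": [{"uid": "rs-aaaa"}]},
     "spec": {"containers": [{"securityContext": {"runAsUser": 1001}}]}},
    {"metadata": {"name": "batch"},  # bare Pod, no ownerReferences
     "spec": {"containers": [{"securityContext": {"runAsUser": 2002}},
                              {"securityContext": {"runAsUser": 2003}}]}},
    {"metadata": {"name": "legacy", "ownerReferences": [{"uid": "rs-cccc"}]},
     "spec": {"containers": [{"image": "app:1"}]}},  # no securityContext at all
]

def owner_uid(pod):
    """ownerReferences[0].uid, or None for a Pod created directly."""
    refs = pod["metadata"].get("ownerReferences")
    return refs[0]["uid"] if refs else None

def container_uids(pod):
    """Mirror of `spec.containers[].securityContext.to_string(runAsUser)`: a container without
    securityContext contributes nothing; one with securityContext but no runAsUser yields "null"."""
    uids = []
    for c in pod["spec"].get("containers", []):
        sc = c.get("securityContext")
        if sc is not None:
            uids.append(json.dumps(sc.get("runAsUser")))  # JMESPath to_string: 1001 -> "1001"
    return uids

def uids_of_other_workloads(existing_pods, request_pod):
    """Context variable uidsAllPodsExceptSameOwnerAsRequestObject: UIDs from every Pod
    except those owned by the same object as the request (e.g. sibling replicas)."""
    mine = owner_uid(request_pod)
    uids = []
    for pod in existing_pods:
        if mine is not None and owner_uid(pod) == mine:
            continue
        uids.extend(container_uids(pod))
    return uids

def admit(existing_pods, request_pod, operation="CREATE"):
    """Decision of the require-unique-uid rule as (allowed, message). Only CREATE is evaluated
    (precondition); with validationFailureAction: Audit a cluster would log, not block."""
    if operation != "CREATE":
        return True, "precondition not met; rule skipped"
    taken = set(uids_of_other_workloads(existing_pods, request_pod))
    clashes = sorted(u for u in container_uids(request_pod) if u in taken)  # the AnyIn operator
    if clashes:
        return False, "Only cluster-unique UIDs are allowed (in use: " + ", ".join(clashes) + ")"
    return True, "ok"
```

A Pod that reuses UID 1001 under owner `rs-aaaa` is admitted as a sibling replica, while the same UID under any other owner, or in a bare Pod, is denied.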