Restrict Clusterrole for Mutating and Validating Admission Webhooks
ClusterRoles that grant write permissions over admission webhook configurations should be minimized to reduce the number of powerful identities in the cluster: anyone who can modify a MutatingWebhookConfiguration or ValidatingWebhookConfiguration can alter or bypass admission control for every request. This policy checks that ClusterRoles do not grant write permissions (the verbs `create`, `update`, `patch`, or the wildcard `*`) on those admission webhook configuration resources.
Policy Definition
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-clusterrole-mutating-validating-admission-webhooks
  annotations:
    policies.kyverno.io/title: Restrict Clusterrole for Mutating and Validating Admission Webhooks
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.10.7
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/subject: ClusterRole
    policies.kyverno.io/description: >-
      ClusterRoles that grant write permissions over admission webhook should be minimized to reduce powerful identities in the cluster. This policy checks to ensure write permissions are not provided to admission webhooks.
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: restrict-clusterrole
      match:
        any:
        - resources:
            kinds:
              - ClusterRole
      validate:
        message: "Use of verbs `create`, `update`, and `patch` are forbidden for mutating and validating admission webhooks"
        foreach:
          - list: "request.object.rules[]"
            deny:
              conditions:
                all:
                  - key: "{{ element.apiGroups || '' }}"
                    operator: AnyIn
                    value:
                      - admissionregistration.k8s.io
                  - key: "{{ element.resources || '' }}"
                    operator: AnyIn
                    value:
                      - mutatingwebhookconfigurations
                      - validatingwebhookconfigurations
                any:
                  - key: "{{ element.verbs }}"
                    operator: AnyIn
                    value:
                      - create
                      - update
                      - patch
                  - key: "{{ contains(element.verbs[], '*') }}"
                    operator: Equals
                    value: true
```
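The deny logic of the rule above, mirrored in Python as an added offline check so the `all`/`any` evaluation can be exercised against ClusterRole manifests before the policy is deployed (this is example code, not Kyverno's engine or part of the policy page); the sample ClusterRoles are constructed for the example.

```python
WEBHOOK_GROUPS = {"admissionregistration.k8s.io"}
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations",
                     "validatingwebhookconfigurations"}
WRITE_VERBS = {"create", "update", "patch"}

def rule_denied(rule: dict) -> bool:
    """One iteration of the policy's foreach over request.object.rules[].

    `all` block: the rule must name the admission webhook API group AND one of
    the webhook configuration resources.  The policy's `|| ''` turns a missing
    field into an empty string; here a missing list is treated as empty.
    `any` block: at least one write verb, or the wildcard verb '*'.
    Kyverno requires both blocks to hold for the deny to fire.
    """
    groups = set(rule.get("apiGroups") or [])
    resources = set(rule.get("resources") or [])
    verbs = set(rule.get("verbs") or [])
    targets_webhooks = bool(groups & WEBHOOK_GROUPS) and bool(resources & WEBHOOK_RESOURCES)
    grants_write = bool(verbs & WRITE_VERBS) or "*" in verbs
    return targets_webhooks and grants_write

def violating_rules(cluster_role: dict) -> list:
    """Indices of rules that trip the deny condition (empty list = policy passes).
    Note: apiGroups ["*"] is not in the policy's value list, so this literal mirror
    does not flag it; check Kyverno's wildcard handling before relying on that."""
    return [i for i, r in enumerate(cluster_role.get("rules", []))
            if rule_denied(r)]

# Constructed sample ClusterRoles (not taken from the page).
WEBHOOK_ADMIN = {"kind": "ClusterRole", "metadata": {"name": "webhook-admin"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"],
         "verbs": ["get", "update"]},
    ]}
WILDCARD_VERBS = {"kind": "ClusterRole", "metadata": {"name": "webhook-star"},
    "rules": [{"apiGroups": ["admissionregistration.k8s.io"],
               "resources": ["mutatingwebhookconfigurations"], "verbs": ["*"]}]}
WEBHOOK_READER = {"kind": "ClusterRole", "metadata": {"name": "webhook-reader"},
    "rules": [{"apiGroups": ["admissionregistration.k8s.io"],
               "resources": ["mutatingwebhookconfigurations",
                             "validatingwebhookconfigurations"],
               "verbs": ["get", "list", "watch"]}]}

if __name__ == "__main__":
    for role in (WEBHOOK_ADMIN, WILDCARD_VERBS, WEBHOOK_READER):
        hits = violating_rules(role)
        print(role["metadata"]["name"], "FAIL rules" if hits else "PASS", hits)
```

Only the second rule of `webhook-admin` is reported, matching how the policy's `foreach` evaluates each RBAC rule independently rather than the ClusterRole as a whole.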