Restrict Escalation Verbs in Roles
The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to privilege escalation and should be tightly controlled. This policy prevents use of these verbs in Role or ClusterRole resources.
Policy Definition
/other/restrict-escalation-verbs-roles/restrict-escalation-verbs-roles.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-escalation-verbs-roles
  annotations:
    policies.kyverno.io/title: Restrict Escalation Verbs in Roles
    policies.kyverno.io/category: Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Role, ClusterRole, RBAC
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      The verbs `impersonate`, `bind`, and `escalate` may all potentially lead to
      privilege escalation and should be tightly controlled. This policy prevents
      use of these verbs in Role or ClusterRole resources.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: escalate
    match:
      any:
      - resources:
          kinds:
          - Role
          - ClusterRole
    validate:
      message: "Use of verbs `escalate`, `bind`, and `impersonate` are forbidden."
      foreach:
      - list: "request.object.rules[]"
        deny:
          conditions:
            all:
            - key: "{{ element.apiGroups || '' }}"
              operator: AnyIn
              value:
              - rbac.authorization.k8s.io
            - key: "{{ element.resources || '' }}"
              operator: AnyIn
              value:
              - clusterroles
              - roles
            - key: "{{ element.verbs }}"
              operator: AnyIn
              value:
              - bind
              - escalate
              - impersonate
```
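To see exactly which rules the policy's three `AnyIn` conditions catch (all three must hold for a single element of `rules[]`), here is an added Python re-implementation of the deny logic, run over two constructed Role manifests with hypothetical names; it is example code, not part of the Kyverno policy or project.

```python
# Added example (not part of the Kyverno policy page): re-implements the
# policy's per-rule deny logic in plain Python so the matching behaviour can
# be checked on constructed Role manifests without a cluster.

ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
RBAC_GROUP = "rbac.authorization.k8s.io"
RBAC_RESOURCES = {"clusterroles", "roles"}

def any_in(values, allowed):
    """Kyverno AnyIn: true if at least one element of `values` is in `allowed`."""
    return any(v in allowed for v in values)

def rule_violates(rule):
    """Mirror of the policy's `all:` block for one element of request.object.rules[].
    `|| ''` in the policy defaults a missing key to empty, so AnyIn cannot match it."""
    api_groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = rule.get("verbs") or []
    return (any_in(api_groups, {RBAC_GROUP})
            and any_in(resources, RBAC_RESOURCES)
            and any_in(verbs, ESCALATION_VERBS))

def violating_rules(role):
    """Indices of the rules in a Role/ClusterRole that the policy would deny."""
    if role.get("kind") not in ("Role", "ClusterRole"):
        return []  # the policy's match block only selects these two kinds
    return [i for i, r in enumerate(role.get("rules", [])) if rule_violates(r)]

# Constructed sample manifests with hypothetical names.
ROLE_BINDER = {
    "kind": "Role",
    "metadata": {"name": "role-binder"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [RBAC_GROUP], "resources": ["roles"], "verbs": ["bind"]},
    ],
}
ROLE_READER = {
    "kind": "Role",
    "metadata": {"name": "role-reader"},
    "rules": [{"apiGroups": [RBAC_GROUP], "resources": ["roles"], "verbs": ["get"]}],
}

if __name__ == "__main__":
    print("role-binder violating rules:", violating_rules(ROLE_BINDER))  # [1]
    print("role-reader violating rules:", violating_rules(ROLE_READER))  # []
```

Only the second rule of `role-binder` is flagged: its first rule grants `get` on pods, which never satisfies the RBAC group and resource conditions, and `role-reader` passes because `get` is not an escalation verb.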