apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: name: disallow-security-context-constraint-anyuid annotations: policies.kyverno.io/title: Disallow use of the SecurityContextConstraint (SCC) anyuid policies.kyverno.io/category: Security policies.kyverno.io/severity: high kyverno.io/kyverno-version: 1.6.0 policies.kyverno.io/minversion: 1.6.0 kyverno.io/kubernetes-version: "1.20" policies.kyverno.io/subject: Role,ClusterRole policies.kyverno.io/description: >- Disallow the use of the SecurityContextConstraint (SCC) anyuid which allows a pod to run with the UID as declared in the image instead of a random UID spec: validationFailureAction: audit failurePolicy: Ignore background: false rules: - name: check-security-context-constraint match: any: - resources: kinds: - ClusterRole - Role validate: message: >- Use of the SecurityContextConstraint (SCC) anyuid is not allowed foreach: - list: request.object.rules[] deny: conditions: all: - key: anyuid operator: AnyIn value: "{{element.resourceNames[]}}" - key: "{{ element.verbs[] | contains(@, 'use') || contains(@, '*') }}" operator: Equals value: true - name: check-security-context-roleref match: any: - resources: kinds: - ClusterRoleBinding - RoleBinding validate: message: >- Use of the SecurityContextConstraint (SCC) anyuid is not allowed deny: conditions: all: - key: system:openshift:scc:anyuid operator: Equals value: "{{request.object.roleRef.name}}"