Disallow binding to self-provisioner cluster role in OpenShift
This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.
Policy Definition
/openshift/disallow-self-provisioner-binding/disallow-self-provisioner-binding.yaml
# Kyverno ClusterPolicy that blocks granting the OpenShift `self-provisioner`
# ClusterRole, the role the description ties to OpenShift project creation.
# Two rules cover the two shapes such a grant can take: editing the default
# binding named `self-provisioners` (rule 1) and any other ClusterRoleBinding
# that references the role (rule 2).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-self-provisioner-binding
  annotations:
    policies.kyverno.io/title: Disallow binding to self-provisioner cluster role in OpenShift
    policies.kyverno.io/category: OpenShift
    policies.kyverno.io/severity: high
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    # Quoted so the value stays the string "1.20" rather than the float 1.2.
    kyverno.io/kubernetes-version: "1.20"
    policies.kyverno.io/subject: ClusterRoleBinding, RBAC
    policies.kyverno.io/description: >-
      This policy prevents binding to the self-provisioners role for strict control of OpenShift project creation.
spec:
  # enforce: an admission request that fails validation is rejected, not just
  # reported.
  validationFailureAction: enforce
  # Existing ClusterRoleBindings are scanned too; rule 1's operation
  # precondition means only rule 2 is effective during those scans.
  background: true
  rules:
    # Rule 1: the default OpenShift binding is literally named
    # `self-provisioners`. An UPDATE to it is only accepted when `subjects` is
    # absent or empty, i.e. the binding is being emptied rather than granted.
    # NOTE(review): rule 1 runs only for UPDATE and rule 2 only for bindings
    # NOT named `self-provisioners`, so a CREATE of a binding with that exact
    # name appears to be evaluated by neither rule — confirm this is intended
    # (e.g. re-creating the default binding after it was deleted).
    - name: check-self-provisioner-binding-no-subject
      match:
        any:
          - resources:
              kinds:
                - ClusterRoleBinding
      preconditions:
        all:
          # Quoted: a plain value starting with `{{` would be parsed as a YAML
          # flow mapping instead of being passed through as a JMESPath expression.
          - key: "{{request.object.metadata.name}}"
            operator: Equals
            value: self-provisioners
          # request.operation is presumably absent in background scans; the
          # fallback then yields 'BACKGROUND', which is != UPDATE, so this rule
          # is limited to admission-time UPDATE requests.
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: Equals
            value: UPDATE
      validate:
        message: >-
          Binding to the self-provisioners cluster role is not allowed.
        pattern:
          # `=(subjects)` is a Kyverno conditional anchor: the value is checked
          # only when `subjects` is present in the object. NOTE(review): `{}` is
          # an empty YAML mapping while a ClusterRoleBinding's subjects is a
          # list — confirm against the policy's test cases that Kyverno treats
          # this as "subjects must be empty".
          =(subjects): {}
    # Rule 2: every other ClusterRoleBinding is denied if its roleRef names the
    # `self-provisioner` role, regardless of operation or subjects.
    - name: check-self-provisioner-binding-with-subject
      match:
        any:
          - resources:
              kinds:
                - ClusterRoleBinding
      preconditions:
        all:
          # `|| ''` keeps the expression from failing when the name is absent;
          # rule 1 omits the same fallback, presumably harmless — verify.
          - key: "{{request.object.metadata.name || ''}}"
            operator: NotEquals
            value: self-provisioners
      validate:
        message: >-
          Binding to the self-provisioners cluster role is not allowed.
        deny:
          conditions:
            all:
              # Denies when `self-provisioner` is found in roleRef.name.
              # NOTE(review): AnyIn is used with a scalar on both sides —
              # confirm it behaves as an exact match here and that roleRef.kind
              # does not also need checking.
              - key: self-provisioner
                operator: AnyIn
                value: "{{request.object.roleRef.name}}"