Require Unique Uid Per Workload

Two distinct workloads should not share a UID, so that in a multitenant environment applications from different projects never run as the same user ID. When persistent storage is used, any files created by the applications will then also have different ownership in the file system. Running each application's processes as a different user ID means that if a security vulnerability were ever discovered in the underlying container runtime, and an application were able to break out of the container to the host, it would not be able to interact with processes owned by other users, or belonging to other applications in other projects.

Policy Definition

/other/require_unique_uid_per_workload/require_unique_uid_per_workload.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-unique-uid-per-workload
  annotations:
    policies.kyverno.io/category: other
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Two distinct workloads should not share a UID, so that in a multitenant environment applications
      from different projects never run as the same user ID. When persistent storage is used,
      any files created by the applications will then also have different ownership in the file system.
      Running each application's processes as a different user ID means that if a security
      vulnerability were ever discovered in the underlying container runtime, and an application
      were able to break out of the container to the host, it would not be able to interact
      with processes owned by other users, or belonging to other applications in other projects.
    kyverno.io/kyverno-version: 1.6.0
    kyverno.io/kubernetes-version: "1.20"
spec:
  background: false
  validationFailureAction: audit
  rules:
  - name: require-unique-uid
    match:
      any:
      - resources:
          kinds:
          - Pod
    context:
      - name: uidsAllPodsExceptSameOwnerAsRequestObject
        apiCall:
          urlPath: "/api/v1/pods"
          # Gets the UIDs of all Pods, excluding those of Pods whose ownerReference
          # references the same owner as the policy subject (request.object).
          # UIDs need to be strings, because the "In" operator (see the conditions block below)
          # only works on lists of strings; see
          # https://github.com/kyverno/website/blob/b08d6d8356bd46b8d55ab52324a9cfa243399b01/content/en/docs/Writing%20policies/preconditions.md?plain=1#L154
          jmesPath: "items[?@.metadata.ownerReferences == false || metadata.ownerReferences[?uid != '{{ request.object.metadata.keys(@).contains(@, 'ownerReferences') && request.object.metadata.ownerReferences[0].uid }}']].spec.containers[].securityContext.to_string(runAsUser)"
    preconditions:
      all:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: Equals
        value: CREATE
    validate:
      message: "Only cluster-unique UIDs are allowed"
      deny:
        conditions:
          # This checks the UIDs of ALL containers in any Pod of the workload.
          all:
          - key: "{{ request.object.spec.containers[].securityContext.to_string(runAsUser) }}"
            operator: AnyIn
            value: "{{ uidsAllPodsExceptSameOwnerAsRequestObject }}"
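To make the rule's decision logic concrete, here is an offline Python model of it run against constructed sample Pods. This is an added example, not Kyverno code or part of the policy: it follows the intent stated in the comments (collect the runAsUser values of every existing Pod whose owner differs from the request Pod's owner, then deny on CREATE if any of the request Pod's runAsUser values appear in that list). The `mk_pod` helper and the assumption that a missing runAsUser stringifies to "null" are the example's own.

```python
# Offline model of require-unique-uid-per-workload (example, not Kyverno code).
# Sample Pods are constructed dicts, not real cluster data.

def mk_pod(owner_uid, *run_as_users):
    """Build a minimal Pod dict; owner_uid None means no ownerReferences."""
    meta = {"ownerReferences": [{"uid": owner_uid}]} if owner_uid else {}
    containers = [{"securityContext": {"runAsUser": u}} if u is not None else {}
                  for u in run_as_users]
    return {"metadata": meta, "spec": {"containers": containers}}

def owner_of(pod):
    """First ownerReference uid, or None for an unowned Pod."""
    refs = pod["metadata"].get("ownerReferences") or []
    return refs[0]["uid"] if refs else None

def run_as_users(pod):
    """runAsUser of every container as a string, like to_string(runAsUser).
    A missing value is assumed to stringify to 'null' (assumption)."""
    vals = []
    for c in pod["spec"]["containers"]:
        u = (c.get("securityContext") or {}).get("runAsUser")
        vals.append("null" if u is None else str(u))
    return vals

def uids_of_other_workloads(existing_pods, request_pod):
    """The context variable uidsAllPodsExceptSameOwnerAsRequestObject:
    unowned Pods always count; owned Pods count unless they share the
    request Pod's owner, so replicas of one workload may share a UID."""
    mine = owner_of(request_pod)
    return [u for p in existing_pods
            if owner_of(p) is None or owner_of(p) != mine
            for u in run_as_users(p)]

def admit(existing_pods, request_pod, operation="CREATE"):
    """Return (allowed, message) as the precondition + deny conditions decide."""
    if operation != "CREATE":            # precondition: rule only applies on CREATE
        return True, ""
    taken = set(uids_of_other_workloads(existing_pods, request_pod))
    if set(run_as_users(request_pod)) & taken:   # AnyIn: any container UID already taken
        return False, "Only cluster-unique UIDs are allowed"
    return True, ""

# Constructed cluster state: one owned workload with two replicas on 1001,
# a bare Pod on 1002, and a second workload on 2000.
EXISTING = [mk_pod("rs-a", 1001, 1001), mk_pod(None, 1002), mk_pod("rs-b", 2000)]
REQ_SAME_OWNER = mk_pod("rs-a", 1001)     # another replica of rs-a: allowed
REQ_OTHER_OWNER = mk_pod("rs-c", 1001)    # new workload reusing 1001: denied
REQ_MIXED = mk_pod("rs-c", 3000, 1002)    # second container clashes with the bare Pod: denied
REQ_FRESH = mk_pod("rs-c", 3000)          # unused UID: allowed
```

Because the deny condition uses `all` over the containers' UIDs with `AnyIn`, a single clashing sidecar (REQ_MIXED) is enough to reject the whole Pod.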