ralvares/policy-anyuid-enforce.yaml

## policy-anyuid-enforce.yaml
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: policy-anyuid-enforce
  namespace: default
  annotations:
    policy.open-cluster-management.io/categories: AC Access Control
    policy.open-cluster-management.io/controls: AC-3 Access Enforcement
    policy.open-cluster-management.io/standards: NIST SP 800-53
spec:
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: policy-rolebinding-anyuid-enforce
        spec:
          namespaceSelector:
            exclude:
              - kube-*
              - openshift*
              - open-management*
              - rhacs*
              - stackrox*
            include:
              - pacman
          object-templates:
            - complianceType: musthave
              objectDefinition:
                apiVersion: rbac.authorization.k8s.io/v1
                kind: RoleBinding
                metadata:
                  name: system:openshift:scc:anyuid
                roleRef:
                  name: system:openshift:scc:anyuid
                  apiGroup: rbac.authorization.k8s.io
                  kind: ClusterRole
                subjects:
                  - name: default
                    kind: ServiceAccount
          remediationAction: inform
          severity: high
  remediationAction: inform
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: policy-anyuid-enforce-placement
  namespace: default
spec:
  clusterConditions:
    - status: "True"
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - key: env
        operator: In
        values:
          - prod
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: policy-anyuid-enforce-placement
  namespace: default
placementRef:
  name: policy-anyuid-enforce-placement
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
subjects:
  - name: policy-anyuid-enforce
    apiGroup: policy.open-cluster-management.io
    kind: Policy
	apiVersion: policy.open-cluster-management.io/v1
	kind: Policy
	metadata:
	name: policy-anyuid-enforce
	namespace: default
	annotations:
	policy.open-cluster-management.io/categories: AC Access Control
	policy.open-cluster-management.io/controls: AC-3 Access Enforcement
	policy.open-cluster-management.io/standards: NIST SP 800-53
	spec:
	disabled: false
	policy-templates:
	- objectDefinition:
	apiVersion: policy.open-cluster-management.io/v1
	kind: ConfigurationPolicy
	metadata:
	name: policy-rolebinding-anyuid-enforce
	spec:
	namespaceSelector:
	exclude:
	- kube-*
	- openshift*
	- open-management*
	- rhacs*
	- stackrox*
	include:
	- pacman
	object-templates:
	- complianceType: musthave
	objectDefinition:
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: system:openshift:scc:anyuid
	roleRef:
	name: system:openshift:scc:anyuid
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	subjects:
	- name: default
	kind: ServiceAccount
	remediationAction: inform
	severity: high
	remediationAction: inform
	---
	apiVersion: apps.open-cluster-management.io/v1
	kind: PlacementRule
	metadata:
	name: policy-anyuid-enforce-placement
	namespace: default
	spec:
	clusterConditions:
	- status: "True"
	type: ManagedClusterConditionAvailable
	clusterSelector:
	matchExpressions:
	- key: env
	operator: In
	values:
	- prod
	---
	apiVersion: policy.open-cluster-management.io/v1
	kind: PlacementBinding
	metadata:
	name: policy-anyuid-enforce-placement
	namespace: default
	placementRef:
	name: policy-anyuid-enforce-placement
	apiGroup: apps.open-cluster-management.io
	kind: PlacementRule
	subjects:
	- name: policy-anyuid-enforce
	apiGroup: policy.open-cluster-management.io
	kind: Policy