kyverno/test/cli/test/deny-modify-platform-label/deny-modify-platform-label.yaml
Mariam Fahmy 2140a0239b
chore: rename validationFailureAction to failureAction under the rule (#10893)
Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com>
Co-authored-by: Jim Bugwadia <jim@nirmata.com>
2024-08-27 20:07:57 +00:00


---
# Kyverno ClusterPolicy fixture for the CLI test suite: UPDATE/DELETE requests
# on Role objects from users outside system:masters are denied (in Audit mode,
# so the violation is reported rather than blocked — see failureAction below).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-modify-platform-label
  annotations:
    policies.kyverno.io/title: Deny Modification of platform owned roles
    policies.kyverno.io/category: Hardening
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Role
    policies.kyverno.io/description: >-
      Restrict modification of platform owned roles to admins only
spec:
  # Admission-only evaluation: the preconditions read request.operation and
  # request.userInfo, which exist only on an admission request, so background
  # scans are switched off.
  admission: true
  background: false
  rules:
    - name: deny-modify-platform-role
      # NOTE(review): the match selects every Role. The message below refers to
      # the hpedevops.net/platform=true label, but no label selector narrows the
      # match here — confirm whether that breadth is intended for this fixture.
      match:
        any:
          - resources:
              kinds:
                - Role
      preconditions:
        all:
          # Only mutations of an existing Role are in scope; CREATE is ignored.
          - key: "{{ request.operation }}"
            operator: AnyIn
            value:
              - UPDATE
              - DELETE
          # Members of system:masters fail this precondition, so the rule is
          # skipped for them; everyone else proceeds to the deny below.
          - key: "{{ request.userInfo.groups }}"
            operator: AllNotIn
            value:
              - system:masters
      validate:
        # Unconditional deny for every request that satisfies the preconditions.
        deny: {}
        message: >-
          Roles owned by platform team (ones with label hpedevops.net/platform=true)
          should not be modified by non-admin users.
        # Audit records the violation in the policy report without rejecting the
        # request; only Enforce would actually block it.
        failureAction: Audit