Protect Node Taints

Node taints are often used as a control in multi-tenant use cases. If users can alter them, they may be able to affect scheduling of Pods, which may impact other workloads. This sample prohibits altering of node taints unless by a user holding the `cluster-admin` ClusterRole. The rule only evaluates UPDATE requests and compares the taints in `request.oldObject` with those in `request.object`; this is also why `background: false` is set, since there is no old object outside an admission request. Because the precondition is limited to UPDATE, a requester who is allowed to create Node objects is not prevented from creating one that already carries taints. Use of this policy requires removal of the Node resource filter (`[Node,*,*]`) from the `resourceFilters` entry of the Kyverno ConfigMap, which by default excludes Node resources from all policies. Due to Kubernetes CVE-2021-25735, a kube-apiserver flaw that allowed Node updates to bypass a validating admission webhook whose decision depends on the old state of the Node (exactly what this rule does), this policy requires, at minimum, one of the following versions of Kubernetes: v1.18.18, v1.19.10, v1.20.6, or v1.21.0. Before switching to Enforce, run the policy in Audit mode and confirm that control-plane components which legitimately add or remove taints, such as the node lifecycle controller in kube-controller-manager (which sets `node.kubernetes.io/not-ready` and `node.kubernetes.io/unreachable`), are not being blocked; if they are, extend the `exclude` block to cover those identities.

Policy Definition

/other/protect-node-taints/protect-node-taints.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: protect-node-taints
  annotations:
    policies.kyverno.io/title: Protect Node Taints
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Node
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      Node taints are often used as a control in multi-tenant use cases.
      If users can alter them, they may be able to affect scheduling of
      Pods which may impact other workloads. This sample prohibits
      altering of node taints unless by a user holding the `cluster-admin`
      ClusterRole. Use of this policy requires removal of the Node resource filter
      in the Kyverno ConfigMap ([Node,*,*]). Due to Kubernetes CVE-2021-25735, this policy
      requires, at minimum, one of the following versions of Kubernetes:
      v1.18.18, v1.19.10, v1.20.6, or v1.21.0.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: protect-node-taints
    match:
      any:
      - resources:
          kinds:
          - Node
    exclude:
      clusterRoles:
      - cluster-admin
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: UPDATE
    validate:
      message: "Node taints may not be altered."
      deny:
        conditions:
          any:
          - key: "{{request.object.spec.taints}}"
            operator: NotEquals
            value: ""
          - key: "{{request.oldObject.spec.taints}}"
            operator: NotEquals
            value: "{{request.object.spec.taints}}"