K8s policy to enforce specific UIDs for pods

Hi all,

Does anybody have experience with how to (or whether it is possible at all to) enforce specific UIDs:GIDs for pods used by cluster users? I.e., beyond the general policies (how to with admission??) that enforce non-root IDs for pods.
Does somebody know if a plugin or some kind of admission extension would allow dynamically constraining IDs for each user in a catch-all cluster? (subuid/subgid mapping is alpha and not exactly what we are looking for.)

Maybe somebody has already realized something like that in Kyverno or Gatekeeper (or with some OCI rules)?

Cheers and thanks
Thomas

It is easy to enforce UID range(s) with PodSecurityPolicy, but that is deprecated.
The new Pod Security Standards are not very granular; you can only enforce non-root, IIUC.
So I think an admission controller such as OPA or Kyverno would be needed.

I think OpenShift may have some extra functionality to lock pod UIDs to the identity of the user.
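As an added illustration of the admission-controller approach suggested in the reply (not code from the original thread or from the Kyverno project), here is a Kyverno ClusterPolicy that pins every pod to a UID range allotted to its namespace. The range is read at admission time from two namespace annotations, `example.com/uid-min` and `example.com/uid-max`; those annotation names, the namespace `team-a`, and the 10000-19999 range are assumptions chosen for the example. The cluster admin gives each user or team its own namespace with its own annotated range, which approximates the "per user" constraint asked about in the question.

```yaml
# Added example: Kyverno policy enforcing a per-namespace UID range.
# Assumes namespaces carry the constructed annotations
# example.com/uid-min and example.com/uid-max.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-namespace-uid-range
spec:
  # Reject non-compliant pods instead of only auditing them.
  validationFailureAction: Enforce
  # Rules that use request.* variables must run in admission mode only.
  background: false
  rules:
    - name: uid-must-be-within-namespace-range
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
      # Look up the allotted range on the pod's own namespace.
      context:
        - name: uidmin
          apiCall:
            urlPath: "/api/v1/namespaces/{{ request.namespace }}"
            jmesPath: 'metadata.annotations."example.com/uid-min"'
        - name: uidmax
          apiCall:
            urlPath: "/api/v1/namespaces/{{ request.namespace }}"
            jmesPath: 'metadata.annotations."example.com/uid-max"'
      validate:
        message: >-
          Pods in namespace {{ request.namespace }} must run as non-root with a
          UID between {{ uidmin }} and {{ uidmax }} (pod-level runAsUser is
          required; container-level overrides must stay in range).
        pattern:
          spec:
            # Pod-level security context is mandatory and sets the default UID.
            securityContext:
              runAsNonRoot: true
              runAsUser: ">={{ uidmin }} & <={{ uidmax }}"
            containers:
              # =() is a conditional anchor: only checked when the field exists,
              # so a container may omit runAsUser and inherit the pod-level value,
              # but if it sets one it must also fall inside the range.
              - =(securityContext):
                  =(runAsUser): ">={{ uidmin }} & <={{ uidmax }}"
---
# Constructed sample namespace carrying the range the policy reads.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  annotations:
    example.com/uid-min: "10000"
    example.com/uid-max: "19999"
```

With both objects applied, a pod in `team-a` that sets `spec.securityContext.runAsUser: 10500` is admitted, while one that sets `runAsUser: 0`, omits the pod-level `securityContext`, or overrides a container to `runAsUser: 25000` is rejected with the message above. A namespace without the annotations yields empty variables, so the pattern comparison fails and pods there are rejected as well; treat that as the safe default and annotate every tenant namespace. The same pattern can be repeated under an `=(initContainers)` anchor if init containers also need checking, and a `runAsGroup` line can be added alongside `runAsUser` to cover GIDs.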