apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: dockerfile-disallow-last-user-root
  labels:
    dockerfile.tags.kyverno.io: 'dockerfile'
  annotations:
    title.policy.kyverno.io: Dockerfile last user is not allowed to be root
    description.policy.kyverno.io: This Policy ensures that last user in Dockerfile is not root.
spec:
  rules:
    - name: check-disallow-last-user-root
      assert:
        all:
        - message: "Last user root not allowed"
          check:
            ((Stages[].Commands[?Name == 'USER'][])[-1].User == 'root'): false