---
title: "Restrict Volume Types"
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/restricted/restrict-volume-types/
---

### Description
In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes.

**Restricted Fields**
* `spec.volumes[*]`

**Allowed Values**

Every item in the `spec.volumes[*]` list must set one of the following fields to a non-null value:

* `spec.volumes[*].configMap` - Represents a configMap that should populate this volume.
* `spec.volumes[*].csi` - Represents ephemeral storage that is handled by certain external CSI drivers.
* `spec.volumes[*].downwardAPI` - Represents downward API about the pod that should populate this volume.
* `spec.volumes[*].emptyDir` - Represents a temporary directory that shares a pod's lifetime. More info: [EmptyDir](https://kubernetes.io/docs/concepts/storage/volumes#emptydir).
* `spec.volumes[*].ephemeral` - Represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it: it is created before the pod starts and deleted when the pod is removed.
* `spec.volumes[*].persistentVolumeClaim` - Represents a reference to a PersistentVolumeClaim in the same namespace. More info: [PersistentVolumeClaims](https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims).
* `spec.volumes[*].projected` - Represents an all-in-one volume of projected items: secrets, configmaps, and downward API.
* `spec.volumes[*].secret` - Represents a secret that should populate this volume. More info: [Secret](https://kubernetes.io/docs/concepts/storage/volumes#secret).

### Risks
This policy restricts `hostPath` volumes and other non-core volumes. A `hostPath` volume mounts a file or directory from the host node's filesystem into your Pod. This is not something that most Pods will need, but it offers a powerful escape hatch for some applications. There are some risks associated with using `hostPath` volumes:

* Access to the host filesystem can expose privileged system credentials (such as for the kubelet) or privileged APIs (such as the container runtime socket), that can be used for container escape or to attack other parts of the cluster.
* Pods with identical configuration (such as created from a PodTemplate) may behave differently on different nodes due to different files on the nodes.
* `hostPath` volume usage is not treated as ephemeral storage usage. You need to monitor the disk usage by yourself because excessive hostPath disk usage will lead to disk pressure on the node.

Also, using non-core volume types, especially those managed by external systems or third-party plugins, can introduce vulnerabilities. For instance, Container Storage Interface (CSI) drivers might have their own security flaws.

### Kyverno Policy
Refer to the Nirmata curated policies - [restrict-volume-types.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml)

### References
#### Configuration Settings
Every entry in `request.object.spec.volumes[]` must use one of the volume types listed above.

#### Resource Example
Below is a `Deployment` resource example where the only key set in `volumes[]` (besides `name`) is `ephemeral`, which is on the allowed list of volume types.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment06
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        volumeMounts:
        - name: ephem
          mountPath: /ephem
      volumes:
      - name: ephem
        ephemeral:
          volumeClaimTemplate:
            metadata:
              labels:
                type: my-frontend-volume
            spec:
              accessModes: [ "ReadWriteOnce" ]
              storageClassName: "scratch-storage-class"
              resources:
                requests:
                  storage: 1Gi
```
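The check the policy performs, written out as an added Python example (not Nirmata's or Kyverno's code): each volume entry is reduced to the type keys it sets, and anything outside the allowed list above is reported. The inputs are constructed here, a trimmed copy of the Deployment above and a Pod using `hostPath`.

```python
"""Constructed example (not Nirmata's or Kyverno's code): the admission check
this page describes, applied to a Pod or to a workload's pod template."""
from typing import Any

# Volume fields permitted by the restricted profile, as listed on this page.
# Any other non-null field (hostPath, nfs, ...) fails the check.
ALLOWED_VOLUME_TYPES = frozenset({
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
})

def pod_spec_of(obj: dict[str, Any]) -> dict[str, Any]:
    """Return the Pod spec of a Pod, or of a controller's pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec") or {}
    return ((obj.get("spec") or {}).get("template") or {}).get("spec") or {}

def volume_violations(obj: dict[str, Any]) -> list[str]:
    """Return one message per offending volume; an empty list means compliant."""
    violations = []
    for vol in pod_spec_of(obj).get("volumes") or []:
        # Everything set besides 'name' names a volume type (emptyDir: {} counts).
        types = {k for k, v in vol.items() if k != "name" and v is not None}
        disallowed = sorted(types - ALLOWED_VOLUME_TYPES)
        if disallowed:
            violations.append(f"volume {vol.get('name')!r} uses disallowed type(s): {disallowed}")
        elif not types:
            violations.append(f"volume {vol.get('name')!r} sets no volume type")
    return violations

# Constructed inputs: the page's compliant Deployment (trimmed) and a Pod that
# mounts a host directory, which the restricted profile forbids.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {"volumes": [
        {"name": "ephem", "ephemeral": {"volumeClaimTemplate": {
            "spec": {"accessModes": ["ReadWriteOnce"],
                     "resources": {"requests": {"storage": "1Gi"}}}}}},
    ]}}},
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "spec": {"volumes": [
        {"name": "logs", "hostPath": {"path": "/var/log"}},
        {"name": "cfg", "configMap": {"name": "app-config"}},
    ]},
}
```

Running `volume_violations` over a manifest loaded from YAML gives the same verdict the Kyverno rule would produce at admission time.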