restrict-volume-types

Description

In addition to restricting HostPath volumes, the Restricted pod security profile limits pods to a small set of core volume types. Storage outside that set (for example nfs or gitRepo volumes) may not be referenced directly in the pod spec; it has to be provisioned as a PersistentVolume and consumed through a PersistentVolumeClaim or a claim-backed ephemeral volume.

Restricted Fields

  • spec.volumes[*]

Allowed Values

Every item in the spec.volumes[*] list must set one of the following fields to a non-null value:

  • spec.volumes[*].configMap
  • spec.volumes[*].csi
  • spec.volumes[*].downwardAPI
  • spec.volumes[*].emptyDir
  • spec.volumes[*].ephemeral
  • spec.volumes[*].persistentVolumeClaim
  • spec.volumes[*].projected
  • spec.volumes[*].secret

Kyverno Policy

Refer to the Nirmata curated policies - restrict-volume-types.yaml

References

Configuration Settings

Each item in request.object.spec.volumes[] must use one of the volume types listed above. An item that sets any other volume field (hostPath, nfs, gitRepo and so on) to a non-null value causes the policy to reject the resource; a pod that defines no volumes passes. For pod controllers such as Deployments the same check applies to spec.template.spec.volumes[].

Resource Example

Below is a Deployment that the policy accepts: the only entry in spec.template.spec.volumes[] sets ephemeral, which is on the allowed list.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment06
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        volumeMounts:
        - name: ephem
          mountPath: /ephem
      volumes:
      - name: ephem
        ephemeral:
          volumeClaimTemplate:
            metadata:
              labels:
                type: my-frontend-volume
            spec:
              accessModes: [ "ReadWriteOnce" ]
              storageClassName: "scratch-storage-class"
              resources:
                requests:
                  storage: 1Gi
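The following stand-alone checker is an added illustration of the rule, not the Nirmata policy or Kyverno itself. It applies the allowed-types list above to a Pod or to the pod template of a workload resource and reports each volume that sets a disallowed source. The first sample is the page's gooddeployment06 reduced to the fields the rule inspects; the second, baddeployment01 with hostPath and nfs volumes, is constructed here as a counter-example.

```python
"""Offline check mirroring restrict-volume-types (added example, not Kyverno code)."""
from typing import List

# The allowed list from the policy description; anything else is a violation.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir",
    "ephemeral", "persistentVolumeClaim", "projected", "secret",
}


def pod_spec_of(obj: dict) -> dict:
    """Return the pod spec of a Pod, or of a controller that embeds a pod template
    (Deployment, StatefulSet, DaemonSet, Job all use spec.template.spec)."""
    if obj.get("kind") == "Pod":
        return obj.get("spec") or {}
    return ((obj.get("spec") or {}).get("template") or {}).get("spec") or {}


def volume_violations(obj: dict) -> List[str]:
    """List every volume whose non-null source field is outside ALLOWED_VOLUME_TYPES.

    A volume item is `name` plus one volume-source key. Keys set to null are
    ignored (the rule talks about non-null values), and an item with no source
    at all is left to API-server validation/defaulting rather than flagged here.
    """
    violations = []
    for vol in pod_spec_of(obj).get("volumes") or []:
        sources = {k for k, v in vol.items() if k != "name" and v is not None}
        bad = sorted(sources - ALLOWED_VOLUME_TYPES)
        if bad:
            violations.append(
                f"volume {vol.get('name')!r} uses disallowed type(s): {', '.join(bad)}"
            )
    return violations


def is_allowed(obj: dict) -> bool:
    """True when the object would pass the restrict-volume-types rule."""
    return not volume_violations(obj)


# The page's gooddeployment06, reduced to the fields the rule looks at.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "gooddeployment06"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "container01", "image": "dummyimagename",
                        "volumeMounts": [{"name": "ephem", "mountPath": "/ephem"}]}],
        "volumes": [{"name": "ephem", "ephemeral": {"volumeClaimTemplate": {
            "metadata": {"labels": {"type": "my-frontend-volume"}},
            "spec": {"accessModes": ["ReadWriteOnce"],
                     "storageClassName": "scratch-storage-class",
                     "resources": {"requests": {"storage": "1Gi"}}}}}}],
    }}},
}

# Constructed counter-example (not from the page): one allowed configMap volume
# next to a hostPath and an nfs volume, both of which the rule must reject.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "baddeployment01"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "container01", "image": "dummyimagename"}],
        "volumes": [
            {"name": "cfg", "configMap": {"name": "app-config"}},
            {"name": "host", "hostPath": {"path": "/etc", "type": "Directory"}},
            {"name": "data", "nfs": {"server": "10.0.0.5", "path": "/exports"}},
        ],
    }}},
}


if __name__ == "__main__":
    for obj in (GOOD_DEPLOYMENT, BAD_DEPLOYMENT):
        problems = volume_violations(obj)
        print(f"{obj['metadata']['name']}: {'PASS' if not problems else 'FAIL'}")
        for problem in problems:
            print("  -", problem)
```

Running the script prints PASS for gooddeployment06 and FAIL for baddeployment01 with one line per offending volume. A key set to null (for example `hostPath: null` next to `emptyDir: {}`) is not counted as a source, which matches the "non-null value" wording of the rule.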