restrict-volume-types
Description
In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes.
Restricted Fields
- spec.volumes[*]
Allowed Values
Every item in the spec.volumes[*] list must set one of the following fields to a non-null value:
- spec.volumes[*].configMap
- spec.volumes[*].csi
- spec.volumes[*].downwardAPI
- spec.volumes[*].emptyDir
- spec.volumes[*].ephemeral
- spec.volumes[*].persistentVolumeClaim
- spec.volumes[*].projected
- spec.volumes[*].secret
Kyverno Policy
Refer to the Nirmata curated policies - restrict-volume-types.yaml
References
Configuration Settings
Every entry in request.object.spec.volumes[] must use one of the volume types listed above.
Resource Example
Below is a Deployment resource example in which the single entry in volumes[] uses the ephemeral type, which is on the allowed list of volume types.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment06
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        volumeMounts:
        - name: ephem
          mountPath: /ephem
      volumes:
      - name: ephem
        ephemeral:
          volumeClaimTemplate:
            metadata:
              labels:
                type: my-frontend-volume
            spec:
              accessModes: [ "ReadWriteOnce" ]
              storageClassName: "scratch-storage-class"
              resources:
                requests:
                  storage: 1Gi
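The following is an added example, not part of the Nirmata policy set or the Kyverno project: a small validator that applies the allowed-list rule above to Pod and Deployment manifests, reporting each volume whose type is outside the list or that sets no type at all. The manifests are constructed Python dicts (a trimmed copy of the Deployment above plus a Pod that should fail) so it runs offline without a YAML parser.

```python
# Added example: check spec.volumes[*] against the restricted-profile allowed list.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir",
    "ephemeral", "persistentVolumeClaim", "projected", "secret",
}

def pod_spec_of(manifest):
    """Return the Pod spec of a Pod, or of the template of a workload such as a Deployment."""
    spec = manifest.get("spec", {})
    return spec if manifest.get("kind") == "Pod" else spec.get("template", {}).get("spec", {})

def volume_type(volume):
    """Return the one type-specific field set on a volume, or None if zero or several are set."""
    keys = [k for k, v in volume.items() if k != "name" and v is not None]
    return keys[0] if len(keys) == 1 else None

def disallowed_volumes(manifest):
    """List (volume name, reason) for each volume the restricted profile rejects."""
    findings = []
    for vol in pod_spec_of(manifest).get("volumes") or []:
        vtype = volume_type(vol)
        if vtype is None:
            findings.append((vol.get("name"), "no single volume type set"))
        elif vtype not in ALLOWED_VOLUME_TYPES:
            findings.append((vol.get("name"), f"volume type {vtype} not allowed"))
    return findings

# Constructed inputs: the page's Deployment (trimmed) and a Pod that should be rejected.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "spec": {"template": {"spec": {
        "containers": [{"name": "container01", "image": "dummyimagename"}],
        "volumes": [{"name": "ephem", "ephemeral": {"volumeClaimTemplate": {
            "spec": {"accessModes": ["ReadWriteOnce"],
                     "storageClassName": "scratch-storage-class"}}}}],
    }}},
}
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "spec": {"volumes": [
        {"name": "host", "hostPath": {"path": "/data"}},        # not in the allowed list
        {"name": "empty"},                                       # no type set at all
        {"name": "cfg", "configMap": {"name": "app-config"}},    # allowed
    ]},
}

if __name__ == "__main__":
    for m in (GOOD_DEPLOYMENT, BAD_POD):
        print(m["kind"], disallowed_volumes(m) or "compliant")
```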