Require Requests and Limits for emptyDir in CEL expressions

Pods which mount emptyDir volumes may be allowed to potentially overrun the medium backing the emptyDir volume. This sample ensures that any initContainers or containers mounting an emptyDir volume have ephemeral-storage requests and limits set. Policy will be skipped if the volume has already a sizeLimit set.

Policy Definition

/other-cel/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: require-emptydir-requests-and-limits
 5  annotations:
 6    policies.kyverno.io/title: Require Requests and Limits for emptyDir in CEL expressions
 7    policies.kyverno.io/category: Other in CEL 
 8    policies.kyverno.io/severity: medium
 9    kyverno.io/kyverno-version: 1.12.1
10    kyverno.io/kubernetes-version: "1.26-1.27"
11    policies.kyverno.io/subject: Pod
12    policies.kyverno.io/description: >-
13      Pods which mount emptyDir volumes may be allowed to potentially overrun
14      the medium backing the emptyDir volume. This sample ensures that any
15      initContainers or containers mounting an emptyDir volume have
16      ephemeral-storage requests and limits set. Policy will be skipped if
17      the volume has already a sizeLimit set.
18spec:
19  background: false
20  validationFailureAction: Audit
21  rules:
22    - name: check-emptydir-requests-limits
23      match:
24        any:
25          - resources:
26              kinds:
27                - Pod
28              operations:
29              - CREATE
30              - UPDATE
31      celPreconditions:
32        - name: "has-emptydir-volume"
33          expression: "object.spec.?volumes.orValue([]).exists(volume, has(volume.emptyDir))"
34      validate:
35        cel:
36          variables:
37            - name: containers
38              expression: "object.spec.containers + object.spec.?initContainers.orValue([])"
39            - name: emptydirnames
40              expression: >-
41                has(object.spec.volumes) ? 
42                object.spec.volumes.filter(volume, has(volume.emptyDir) && !has(volume.emptyDir.sizeLimit)).map(volume, volume.name) : []
43          expressions:
44            - expression: >-
45                variables.containers.all(container,
46                !container.?volumeMounts.orValue([]).exists(mount, mount.name in variables.emptydirnames) || 
47                container.resources.?requests[?'ephemeral-storage'].hasValue() &&
48                container.resources.?limits[?'ephemeral-storage'].hasValue())
49              message: Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage.

Create policy issue