Require StorageClass in CEL expressions

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: require-storageclass
 5  annotations:
 6    policies.kyverno.io/title: Require StorageClass in CEL expressions
 7    policies.kyverno.io/category: Other, Multi-Tenancy in CEL 
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: PersistentVolumeClaim, StatefulSet
10    kyverno.io/kyverno-version: 1.11.0
11    kyverno.io/kubernetes-version: "1.26-1.27"
12    policies.kyverno.io/description: >-
13      PersistentVolumeClaims (PVCs) and StatefulSets may optionally define a StorageClass
14      to dynamically provision storage. In a multi-tenancy environment where StorageClasses are
15      far more common, it is often better to require storage only be provisioned from these
16      StorageClasses. This policy requires that PVCs and StatefulSets containing
17      volumeClaimTemplates define the storageClassName field with some value.
18spec:
19  validationFailureAction: Audit
20  background: true
21  rules:
22  - name: pvc-storageclass
23    match:
24      any:
25      - resources:
26          kinds:
27          - PersistentVolumeClaim
28          operations:
29          - CREATE
30          - UPDATE
31    validate:
32      cel:
33        expressions:
34          - expression: "object.spec.?storageClassName.orValue('') != ''"
35            message: "PersistentVolumeClaims must define a storageClassName."
36  - name: ss-storageclass
37    match:
38      any:
39      - resources:
40          kinds:
41          - StatefulSet
42          operations:
43          - CREATE
44          - UPDATE
45    validate:
46      cel:
47        expressions:
48          - expression: >-
49              !has(object.spec.volumeClaimTemplates) || 
50              object.spec.volumeClaimTemplates.all(volumeClaimTemplate, 
51              volumeClaimTemplate.spec.?storageClassName.orValue('')  != '')
52            message: "StatefulSets must define a storageClassName."