Add emptyDir sizeLimit
When a Pod requests an emptyDir, by default it does not have a size limit which may allow it to consume excess or all of the space in the medium backing the volume. This can quickly overrun a Node and may result in a denial of service for other workloads. This policy adds a sizeLimit field to all Pods mounting emptyDir volumes, if not present, and sets it to 100Mi.
Policy Definition
/other/add-emptydir-sizelimit/add-emptydir-sizelimit.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-emptydir-sizelimit
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Add emptyDir sizeLimit
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.7.3,1.8.0-rc2
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      When a Pod requests an emptyDir, by default it does not have a size limit which
      may allow it to consume excess or all of the space in the medium backing the volume.
      This can quickly overrun a Node and may result in a denial of service for other
      workloads. This policy adds a sizeLimit field to all Pods mounting emptyDir
      volumes, if not present, and sets it to 100Mi.
spec:
  rules:
  - name: mutate-emptydir
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      foreach:
      - list: "request.object.spec.volumes[]"
        preconditions:
          all:
          - key: "{{element.keys(@)}}"
            operator: AnyIn
            value: emptyDir
          - key: "{{element.emptyDir.sizeLimit || ''}}"
            operator: Equals
            value: ''
        patchesJson6902: |-
          - path: "/spec/volumes/{{elementIndex}}/emptyDir/sizeLimit"
            op: add
            value: 100Mi
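The same foreach logic, reimplemented in Python as an offline pre-admission check on a manifest (an added example, not Kyverno's own code; the sample Pod is constructed, and JSON 6902 handling is reduced to the add operation this policy uses):

```python
import copy

# Constructed sample Pod (not from the page): only the second volume needs the mutation.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {"volumes": [
        {"name": "cfg", "configMap": {"name": "app-config"}},
        {"name": "scratch", "emptyDir": {}},
        {"name": "cache", "emptyDir": {"sizeLimit": "50Mi"}},
    ]},
}
DEFAULT_SIZE_LIMIT = "100Mi"  # the value the policy injects


def build_patches(pod, size_limit=DEFAULT_SIZE_LIMIT):
    """Return the JSON 6902 'add' ops the policy's foreach would emit: one per volume
    whose keys contain emptyDir and whose emptyDir.sizeLimit || '' is '' (elementIndex
    becomes the index in the patch path)."""
    patches = []
    for index, volume in enumerate(pod.get("spec", {}).get("volumes") or []):
        if "emptyDir" not in volume:  # precondition 1: element.keys(@) AnyIn emptyDir
            continue
        if (volume["emptyDir"] or {}).get("sizeLimit"):  # precondition 2: already set
            continue
        patches.append({"op": "add",
                        "path": f"/spec/volumes/{index}/emptyDir/sizeLimit",
                        "value": size_limit})
    return patches


def apply_patches(pod, patches):
    """Apply the 'add' operations to a deep copy; an emptyDir written as null becomes {}."""
    result = copy.deepcopy(pod)
    for patch in patches:
        *parents, leaf = patch["path"].lstrip("/").split("/")
        node = result
        for part in parents:
            if isinstance(node, list):
                node = node[int(part)]
            else:
                if node.get(part) is None:
                    node[part] = {}
                node = node[part]
        node[leaf] = patch["value"]
    return result


if __name__ == "__main__":
    print(build_patches(SAMPLE_POD))
```

Because the policy sets pod-policies.kyverno.io/autogen-controllers: none, it matches Pod objects only, so this check is likewise run against a Pod spec rather than a Deployment template.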