Back to Policies

Add emptyDir sizeLimit

When a Pod requests an emptyDir, by default it does not have a size limit which may allow it to consume excess or all of the space in the medium backing the volume. This can quickly overrun a Node and may result in a denial of service for other workloads. This policy adds a sizeLimit field to all Pods mounting emptyDir volumes, if not present, and sets it to 100Mi.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-emptydir-sizelimit
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Add emptyDir sizeLimit
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.7.3,1.8.0-rc2
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: When a Pod requests an emptyDir, by default it does not have a size limit which may allow it to consume excess or all of the space in the medium backing the volume. This can quickly overrun a Node and may result in a denial of service for other workloads. This policy adds a sizeLimit field to all Pods mounting emptyDir volumes, if not present, and sets it to 100Mi.
spec:
  rules:
    - name: mutate-emptydir
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        foreach:
          - list: request.object.spec.volumes[]
            preconditions:
              all:
                - key: "{{element.keys(@)}}"
                  operator: AnyIn
                  value: emptyDir
                - key: "{{element.emptyDir.sizeLimit || ''}}"
                  operator: Equals
                  value: ""
            patchesJson6902: |-
              - path: "/spec/volumes/{{elementIndex}}/emptyDir/sizeLimit"
                op: add
                value: 100Mi

Related Policies

MutateMedium

Add Safe To Evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

Pod
MutateMedium

Add Safe To Evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

Pod
MutateMedium

Add CAST AI Removal Disabled

CAST AI will not downscale a node that includes a pod with the autoscaling.cast.ai/removal-disabled="true" label on it, this protects sensitive workloads from being evicted and can be attributed to any pod to protect against unwanted downscaling. This policy will mutate jobs and cronjobs to add the removal-disabled label to protect against eviction.

Job