Block Images with Volumes
OCI images may optionally be built with VOLUME instructions. Even when the container is run in read-only mode, the paths named by those instructions still end up writable, which may be unexpected and undesirable. This policy checks the configuration of every container image in a Pod, inspects it for such VOLUME entries, and blocks the Pod if any are found.
Policy Definition
/other/block-images-with-volumes/block-images-with-volumes.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-images-with-volumes
  annotations:
    policies.kyverno.io/title: Block Images with Volumes
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      OCI images may optionally be built with VOLUME statements which, if run
      in read-only mode, would still result in write access to the specified location.
      This may be unexpected and undesirable. This policy checks the contents of every
      container image and inspects them for such VOLUME statements, then blocks if found.
spec:
  validationFailureAction: Audit
  rules:
  - name: block-images-with-vols
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "Images containing built-in volumes are prohibited."
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        deny:
          conditions:
            all:
            - key: "{{ imageData.configData.config.Volumes || '' | length(@) }}"
              operator: GreaterThan
              value: 0
```
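The following Python is an added example, not code from the Kyverno policies repository: it models the rule's precondition, foreach and deny condition offline against constructed image configs (in the OCI image config shape that the imageRegistry context exposes as imageData.configData) and a constructed Pod spec, so you can see which images the rule would flag, including the edge case where the Volumes key is absent. The image references and config contents are assumptions made up for the example.

```python
from typing import Any, Dict, List

# Constructed image configs keyed by reference: stand-ins for what the
# policy's imageRegistry context (imageData.configData) fetches from a registry.
IMAGE_CONFIGS: Dict[str, Dict[str, Any]] = {
    # built with `VOLUME /data /cache`
    "registry.example/app:1.0": {"config": {"Volumes": {"/data": {}, "/cache": {}}}},
    # no VOLUME instruction at all: the Volumes key is absent
    "registry.example/sidecar:2.3": {"config": {"Cmd": ["/sidecar"]}},
    # key present but empty (some build tools emit this)
    "registry.example/empty-vols:0.1": {"config": {"Volumes": {}}},
}

def volume_count(config_data: Dict[str, Any]) -> int:
    """Mirror `imageData.configData.config.Volumes || '' | length(@)`.

    JMESPath `|| ''` replaces a missing Volumes key with an empty string, so
    length(@) returns 0 instead of failing on null; for a map it counts keys.
    """
    volumes = config_data.get("config", {}).get("Volumes") or ""
    return len(volumes)

def violating_images(pod_spec: Dict[str, Any], operation: str = "CREATE") -> List[str]:
    """Evaluate the rule as the policy does: the precondition skips DELETE,
    foreach iterates spec.containers, and deny fires when the count is > 0."""
    if operation == "DELETE":
        return []
    failed: List[str] = []
    for container in pod_spec.get("containers", []):
        ref = container["image"]
        if volume_count(IMAGE_CONFIGS[ref]) > 0:
            failed.append(ref)
    return failed

# Constructed Pod spec exercising all three image shapes above
POD_SPEC: Dict[str, Any] = {
    "containers": [
        {"name": "app", "image": "registry.example/app:1.0"},
        {"name": "sidecar", "image": "registry.example/sidecar:2.3"},
        {"name": "cache", "image": "registry.example/empty-vols:0.1"},
    ]
}

if __name__ == "__main__":
    for ref in violating_images(POD_SPEC):
        print(f"denied: {ref} -> Images containing built-in volumes are prohibited.")
```

Note that the foreach list is `request.object.spec.containers` only, so initContainers and ephemeralContainers in the same Pod are not inspected by this rule.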