Enforce ReadWriteOncePod

Some stateful workloads with multiple replicas allow only a single Pod to write to a given volume at a time. The ReadWriteOncePod access mode, introduced in Kubernetes 1.22, enabled by default in 1.27, and available for CSI volumes only, makes a volume writable from only a single Pod. For more information, see the blog post at https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/. This policy enforces that the accessModes of a PersistentVolumeClaim be set to ReadWriteOncePod.

Policy Definition

/other/enforce-readwriteonce-pod/enforce-readwriteonce-pod.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: readwriteonce-pod
  annotations:
    policies.kyverno.io/title: Enforce ReadWriteOncePod
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: PersistentVolumeClaim
    policies.kyverno.io/description: >-
      Some stateful workloads with multiple replicas only allow a single Pod to write
      to a given volume at a time. Beginning in Kubernetes 1.22 and enabled by default
      in 1.27, a new setting called ReadWriteOncePod, available
      for CSI volumes only, allows volumes to be writable from only a single Pod. For more
      information see the blog https://kubernetes.io/blog/2023/04/20/read-write-once-pod-access-mode-beta/.
      This policy enforces that the accessModes for a PersistentVolumeClaim be set to ReadWriteOncePod.
spec:
  # Audit: violations are reported, the request is not blocked.
  validationFailureAction: Audit
  # Also evaluate PersistentVolumeClaims that already exist in the cluster.
  background: true
  rules:
  - name: readwrite-pvc-single-pod
    match:
      any:
      - resources:
          kinds:
          - PersistentVolumeClaim
    validate:
      message: "The accessMode must be set to ReadWriteOncePod."
      pattern:
        spec:
          accessModes:
          - ReadWriteOncePod
```
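Two PersistentVolumeClaims for trying the rule above, added here as an example and not part of the policy's own files. The claim names, the `default` namespace, the storage size and the `example-csi` StorageClass are constructed placeholders; the StorageClass is assumed to be backed by a CSI driver.

```yaml
# Constructed sample: violates the rule. ReadWriteOnce restricts the volume
# to one node, but every Pod scheduled on that node can still write to it.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-shared-on-node       # hypothetical name
  namespace: default
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: example-csi   # placeholder, assumed CSI-backed
  resources:
    requests:
      storage: 1Gi
---
# Constructed sample: satisfies the rule. Only a single Pod in the whole
# cluster can use the volume at a time.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: data-single-writer        # hypothetical name
  namespace: default
spec:
  accessModes:
  - ReadWriteOncePod
  storageClassName: example-csi   # placeholder, assumed CSI-backed
  resources:
    requests:
      storage: 1Gi
```

Because the policy ships with `validationFailureAction: Audit`, the first claim is still admitted and the violation is only recorded in a policy report. Both manifests can be evaluated offline with the Kyverno CLI, using `kyverno apply` with the policy file and `--resource` pointing at this file.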