NFS Subdirectory External Provisioner Enforce Storage Path

The NFS subdir external provisioner project allows defining a StorageClass with a pathPattern, a template used to provision subdirectories on NFS exports. The subdirectory can be controlled with an annotation on a PVC called `nfs.io/storage-path`. This policy ensures that when a PVC uses the StorageClass named `nfs-client` (the one corresponding to the NFS subdir external provisioner) and sets the `nfs.io/storage-path` annotation, the annotation is not empty; an empty value may otherwise cause the PVC to consume the root of the designated path.

Policy Definition

/other/nfs-subdir-external-provisioner-storage-path/nfs-subdir-external-provisioner-storage-path.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: nfs-subdir-external-provisioner-storage-path
  annotations:
    policies.kyverno.io/title: NFS Subdirectory External Provisioner Enforce Storage Path
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: PersistentVolumeClaim
    kyverno.io/kyverno-version: 1.6.2
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      The NFS subdir external provisioner project allows defining a StorageClass with a pathPattern,
      a template used to provision subdirectories on NFS exports. This can be controlled with an
      annotation on a PVC called `nfs.io/storage-path`. This policy ensures that if the StorageClass
      name `nfs-client` is used by a PVC, corresponding to the NFS subdir external provisioner, and if it sets the nfs.io/storage-path
      annotation that it cannot be empty, which may otherwise result in it consuming the root of the designated path.
spec:
  background: false
  validationFailureAction: Audit
  rules:
  - name: enforce-storage-path
    match:
      any:
      - resources:
          kinds:
          - PersistentVolumeClaim
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: nfs.io/storage-path annotation must not be empty.
      pattern:
        metadata:
          =(annotations):
            =(nfs.io/storage-path): "?*"
        spec:
          <(storageClassName): nfs-client
```
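The pattern above relies on three Kyverno constructs: the `<(...)` conditional anchor (the rule only applies when `storageClassName` is `nfs-client`), the `=(...)` equality anchor (the annotations block and the key are only checked if they exist) and the `"?*"` wildcard (`?` is exactly one character, `*` zero or more, so the value must be at least one character long). The following is an added example, not code from the Kyverno policy catalog: a plain-Python model of that rule, run against constructed PVC manifests, so the accept/reject behaviour can be checked without a cluster. The `evaluate` and `audit` helpers and the sample PVC names are this example's own.

```python
import fnmatch

# Added example: a Python model of the enforce-storage-path rule (not Kyverno itself).
ANNOTATION = "nfs.io/storage-path"
STORAGE_CLASS = "nfs-client"
MESSAGE = "nfs.io/storage-path annotation must not be empty."


def matches_wildcard(value, pattern: str) -> bool:
    """Kyverno-style wildcard match: '?' is one character, '*' zero or more.

    fnmatchcase gives '?' and '*' the same meaning and is case-sensitive,
    which is what the policy pattern expects.
    """
    return isinstance(value, str) and fnmatch.fnmatchcase(value, pattern)


def evaluate(pvc: dict, operation: str = "CREATE") -> tuple:
    """Return (allowed, reason) for one PVC, mirroring the policy's rule.

    Precondition: only CREATE and UPDATE requests are evaluated.
    Pattern:
      metadata:
        =(annotations):                  # checked only if the block exists
          =(nfs.io/storage-path): "?*"   # checked only if the key exists
      spec:
        <(storageClassName): nfs-client  # rule applies only when this holds
    """
    if operation not in ("CREATE", "UPDATE"):
        return True, "precondition not met: operation %s is not evaluated" % operation
    spec = pvc.get("spec") or {}
    if spec.get("storageClassName") != STORAGE_CLASS:
        return True, "conditional anchor not met: storageClassName is not nfs-client"
    annotations = (pvc.get("metadata") or {}).get("annotations")
    if annotations is None:
        return True, "equality anchor: no annotations block, nothing to check"
    if ANNOTATION not in annotations:
        return True, "equality anchor: annotation absent, nothing to check"
    if matches_wildcard(annotations[ANNOTATION], "?*"):
        return True, "annotation present and non-empty"
    return False, MESSAGE


def make_pvc(name: str, storage_class: str, annotations=None) -> dict:
    """Build a minimal PVC manifest (constructed sample data, not from the page)."""
    metadata = {"name": name, "namespace": "example"}
    if annotations is not None:
        metadata["annotations"] = annotations
    return {
        "apiVersion": "v1",
        "kind": "PersistentVolumeClaim",
        "metadata": metadata,
        "spec": {
            "accessModes": ["ReadWriteMany"],
            "storageClassName": storage_class,
            "resources": {"requests": {"storage": "1Gi"}},
        },
    }


# Constructed sample PVCs covering each branch of the rule.
PVCS = {
    "good": make_pvc("good", STORAGE_CLASS, {ANNOTATION: "tenant-a/data"}),
    "empty-path": make_pvc("empty-path", STORAGE_CLASS, {ANNOTATION: ""}),
    "other-class": make_pvc("other-class", "standard", {ANNOTATION: ""}),
    "no-annotation": make_pvc("no-annotation", STORAGE_CLASS),
}


def audit() -> dict:
    """Evaluate every sample PVC; maps name -> True (allowed) / False (violation)."""
    return {name: evaluate(pvc)[0] for name, pvc in PVCS.items()}


if __name__ == "__main__":
    for name, pvc in PVCS.items():
        allowed, reason = evaluate(pvc)
        print("%-14s %-5s %s" % (name, "pass" if allowed else "FAIL", reason))
```

Running the model shows only `empty-path` is reported, which is the policy's intent. Note what the pattern does not cover: because `"?*"` only requires one character, a whitespace-only value or a value such as `/` still passes the policy as written, and since `validationFailureAction` is `Audit`, violations are reported rather than blocked unless the policy is switched to `Enforce`.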