All Policies

Require Requests and Limits for emptyDir

Pods which mount emptyDir volumes may be allowed to potentially overrun the medium backing the emptyDir volume. This sample ensures that any initContainers or containers mounting an emptyDir volume have ephemeral-storage requests and limits set. Policy will be skipped if the volume has already a sizeLimit set.

Policy Definition

/other/require-emptydir-requests-limits/require-emptydir-requests-limits.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: require-emptydir-requests-and-limits
 5  annotations:
 6    policies.kyverno.io/title: Require Requests and Limits for emptyDir
 7    policies.kyverno.io/category: Other
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/minversion: 1.9.0
10    kyverno.io/kyverno-version: 1.11.1
11    kyverno.io/kubernetes-version: "1.27"
12    policies.kyverno.io/subject: Pod
13    policies.kyverno.io/description: >-
14      Pods which mount emptyDir volumes may be allowed to potentially overrun
15      the medium backing the emptyDir volume. This sample ensures that any
16      initContainers or containers mounting an emptyDir volume have
17      ephemeral-storage requests and limits set. Policy will be skipped if
18      the volume has already a sizeLimit set.
19spec:
20  background: false
21  validationFailureAction: Audit
22  rules:
23    - name: check-emptydir-requests-limits
24      match:
25        any:
26          - resources:
27              kinds:
28                - Pod
29      context:
30      - name: emptydirnames
31        variable:
32          jmesPath: request.object.spec.volumes[?contains(keys(@), 'emptyDir') && !contains(keys(emptyDir), 'sizeLimit')].name
33      preconditions:
34        all:
35          - key: "{{ request.object.spec.volumes[?contains(keys(@), 'emptyDir')] || `[]` | length(@) }}"
36            operator: GreaterThanOrEquals
37            value: 1
38          - key: "{{request.operation || 'BACKGROUND'}}"
39            operator: AnyIn
40            value:
41              - CREATE
42              - UPDATE
43      validate:
44        message: Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage.
45        foreach:
46          - list: "request.object.spec.[initContainers, containers][]"
47            preconditions:
48              any:
49              - key: "{{ element.volumeMounts[].name }}"
50                operator: AnyIn
51                value: "{{ emptydirnames }}"
52            pattern:
53              resources:
54                requests:
55                  ephemeral-storage: "?*"
56                limits:
57                  ephemeral-storage: "?*"
Create policy issue