Restrict Volume Types
In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes.
Policy Definition
/pod-security/restricted/restrict-volume-types.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-volume-types
annotations:
policies.kyverno.io/category: Pod Security Standards (Restricted)
policies.kyverno.io/description: >-
In addition to restricting HostPath volumes, the restricted pod security profile
limits usage of non-core volume types to those defined through PersistentVolumes.
spec:
background: true
validationFailureAction: audit
rules:
- name: restricted-vol-gcePersistentDisk
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the gcePersistentDisk type volume is disallowed.
The fields spec.volumes[*].gcePersistentDisk must not be set.
pattern:
spec:
=(volumes):
- X(gcePersistentDisk): "null"
- name: restricted-vol-awsElasticBlockStore
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the awsElasticBlockStore type volume is disallowed.
The fields spec.volumes[*].awsElasticBlockStore must not be set.
pattern:
spec:
=(volumes):
- X(awsElasticBlockStore): "null"
- name: restricted-vol-gitRepo
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the gitRepo type volume is disallowed.
The fields spec.volumes[*].gitRepo must not be set.
pattern:
spec:
=(volumes):
- X(gitRepo): "null"
- name: restricted-vol-nfs
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the nfs type volume is disallowed.
The fields spec.volumes[*].nfs must not be set.
pattern:
spec:
=(volumes):
- X(nfs): "null"
- name: restricted-vol-iscsi
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the iscsi type volume is disallowed.
The fields spec.volumes[*].iscsi must not be set.
pattern:
spec:
=(volumes):
- X(iscsi): "null"
- name: restricted-vol-glusterfs
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the glusterfs type volume is disallowed.
The fields spec.volumes[*].glusterfs must not be set.
pattern:
spec:
=(volumes):
- X(glusterfs): "null"
- name: restricted-vol-rbd
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the rbd type volume is disallowed.
The fields spec.volumes[*].rbd must not be set.
pattern:
spec:
=(volumes):
- X(rbd): "null"
- name: restricted-vol-flexVolume
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the flexVolume type volume is disallowed.
The fields spec.volumes[*].flexVolume must not be set.
pattern:
spec:
=(volumes):
- X(flexVolume): "null"
- name: restricted-vol-cinder
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the cinder type volume is disallowed.
The fields spec.volumes[*].cinder must not be set.
pattern:
spec:
=(volumes):
- X(cinder): "null"
- name: restricted-vol-cephFS
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the cephFS type volume is disallowed.
The fields spec.volumes[*].cephFS must not be set.
pattern:
spec:
=(volumes):
- X(cephFS): "null"
- name: restricted-vol-flocker
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the flocker type volume is disallowed.
The fields spec.volumes[*].flocker must not be set.
pattern:
spec:
=(volumes):
- X(flocker): "null"
- name: restricted-vol-fc
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the fc type volume is disallowed.
The fields spec.volumes[*].fc must not be set.
pattern:
spec:
=(volumes):
- X(fc): "null"
- name: restricted-vol-azureFile
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the azureFile type volume is disallowed.
The fields spec.volumes[*].azureFile must not be set.
pattern:
spec:
=(volumes):
- X(azureFile): "null"
- name: restricted-vol-vsphereVolume
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the vsphereVolume type volume is disallowed.
The fields spec.volumes[*].vsphereVolume must not be set.
pattern:
spec:
=(volumes):
- X(vsphereVolume): "null"
- name: restricted-vol-quobyte
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the quobyte type volume is disallowed.
The fields spec.volumes[*].quobyte must not be set.
pattern:
spec:
=(volumes):
- X(quobyte): "null"
- name: restricted-vol-azureDisk
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the azureDisk type volume is disallowed.
The fields spec.volumes[*].azureDisk must not be set.
pattern:
spec:
=(volumes):
- X(azureDisk): "null"
- name: restricted-vol-portworxVolume
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the portworxVolume type volume is disallowed.
The fields spec.volumes[*].portworxVolume must not be set.
pattern:
spec:
=(volumes):
- X(portworxVolume): "null"
- name: restricted-vol-scaleIO
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the scaleIO type volume is disallowed.
The fields spec.volumes[*].scaleIO must not be set.
pattern:
spec:
=(volumes):
- X(scaleIO): "null"
- name: restricted-vol-storageos
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the storageos type volume is disallowed.
The fields spec.volumes[*].storageos must not be set.
pattern:
spec:
=(volumes):
- X(storageos): "null"
- name: restricted-vol-csi
match:
resources:
kinds:
- Pod
validate:
message: >-
Use of the csi type volume is disallowed.
The fields spec.volumes[*].csi must not be set.
pattern:
spec:
=(volumes):
- X(csi): "null"
Last modified January 2, 2021: fix titles (9a0d72f)