Restrict Volume Types
In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes. This policy blocks a number of different non-core volume types as named.
Policy Definition
/pod-security/restricted/restrict-volume-types/restrict-volume-types.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-volume-types
  annotations:
    policies.kyverno.io/category: Pod Security Standards (Restricted)
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      In addition to restricting HostPath volumes, the restricted pod security profile
      limits usage of non-core volume types to those defined through PersistentVolumes.
      This policy blocks a number of different non-core volume types as named.
spec:
  background: true
  validationFailureAction: audit
  rules:
  - name: restricted-vol-gcePersistentDisk
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the gcePersistentDisk type volume is disallowed.
        The fields spec.volumes[*].gcePersistentDisk must not be set.
      pattern:
        spec:
          =(volumes):
          - X(gcePersistentDisk): "null"
  - name: restricted-vol-awsElasticBlockStore
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the awsElasticBlockStore type volume is disallowed.
        The fields spec.volumes[*].awsElasticBlockStore must not be set.
      pattern:
        spec:
          =(volumes):
          - X(awsElasticBlockStore): "null"
  - name: restricted-vol-gitRepo
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the gitRepo type volume is disallowed.
        The fields spec.volumes[*].gitRepo must not be set.
      pattern:
        spec:
          =(volumes):
          - X(gitRepo): "null"
  - name: restricted-vol-nfs
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the nfs type volume is disallowed.
        The fields spec.volumes[*].nfs must not be set.
      pattern:
        spec:
          =(volumes):
          - X(nfs): "null"
  - name: restricted-vol-iscsi
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the iscsi type volume is disallowed.
        The fields spec.volumes[*].iscsi must not be set.
      pattern:
        spec:
          =(volumes):
          - X(iscsi): "null"
  - name: restricted-vol-glusterfs
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the glusterfs type volume is disallowed.
        The fields spec.volumes[*].glusterfs must not be set.
      pattern:
        spec:
          =(volumes):
          - X(glusterfs): "null"
  - name: restricted-vol-rbd
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the rbd type volume is disallowed.
        The fields spec.volumes[*].rbd must not be set.
      pattern:
        spec:
          =(volumes):
          - X(rbd): "null"
  - name: restricted-vol-flexVolume
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the flexVolume type volume is disallowed.
        The fields spec.volumes[*].flexVolume must not be set.
      pattern:
        spec:
          =(volumes):
          - X(flexVolume): "null"
  - name: restricted-vol-cinder
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the cinder type volume is disallowed.
        The fields spec.volumes[*].cinder must not be set.
      pattern:
        spec:
          =(volumes):
          - X(cinder): "null"
  - name: restricted-vol-cephfs
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the cephfs type volume is disallowed.
        The fields spec.volumes[*].cephfs must not be set.
      pattern:
        spec:
          =(volumes):
          - X(cephfs): "null"
  - name: restricted-vol-flocker
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the flocker type volume is disallowed.
        The fields spec.volumes[*].flocker must not be set.
      pattern:
        spec:
          =(volumes):
          - X(flocker): "null"
  - name: restricted-vol-fc
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the fc type volume is disallowed.
        The fields spec.volumes[*].fc must not be set.
      pattern:
        spec:
          =(volumes):
          - X(fc): "null"
  - name: restricted-vol-azureFile
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the azureFile type volume is disallowed.
        The fields spec.volumes[*].azureFile must not be set.
      pattern:
        spec:
          =(volumes):
          - X(azureFile): "null"
  - name: restricted-vol-vsphereVolume
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the vsphereVolume type volume is disallowed.
        The fields spec.volumes[*].vsphereVolume must not be set.
      pattern:
        spec:
          =(volumes):
          - X(vsphereVolume): "null"
  - name: restricted-vol-quobyte
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the quobyte type volume is disallowed.
        The fields spec.volumes[*].quobyte must not be set.
      pattern:
        spec:
          =(volumes):
          - X(quobyte): "null"
  - name: restricted-vol-azureDisk
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the azureDisk type volume is disallowed.
        The fields spec.volumes[*].azureDisk must not be set.
      pattern:
        spec:
          =(volumes):
          - X(azureDisk): "null"
  - name: restricted-vol-portworxVolume
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the portworxVolume type volume is disallowed.
        The fields spec.volumes[*].portworxVolume must not be set.
      pattern:
        spec:
          =(volumes):
          - X(portworxVolume): "null"
  - name: restricted-vol-scaleIO
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the scaleIO type volume is disallowed.
        The fields spec.volumes[*].scaleIO must not be set.
      pattern:
        spec:
          =(volumes):
          - X(scaleIO): "null"
  - name: restricted-vol-storageos
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the storageos type volume is disallowed.
        The fields spec.volumes[*].storageos must not be set.
      pattern:
        spec:
          =(volumes):
          - X(storageos): "null"
  - name: restricted-vol-csi
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        Use of the csi type volume is disallowed.
        The fields spec.volumes[*].csi must not be set.
      pattern:
        spec:
          =(volumes):
          - X(csi): "null"
```
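Because the policy ships with `validationFailureAction: audit`, violations are reported rather than blocked. The following added example (not part of the Kyverno policy library) is a standalone Python audit that applies the same twenty checks offline to Pod JSON, such as the output of `kubectl get pods -A -o json`, reproducing the `=(volumes)` optional-anchor and `X(<type>)` negation-anchor semantics of the pattern above; the sample Pods are constructed inline.

```python
import json

# The volume types disallowed by restrict-volume-types, one per policy rule.
DISALLOWED_VOLUME_TYPES = (
    "gcePersistentDisk", "awsElasticBlockStore", "gitRepo", "nfs", "iscsi",
    "glusterfs", "rbd", "flexVolume", "cinder", "cephfs", "flocker", "fc",
    "azureFile", "vsphereVolume", "quobyte", "azureDisk", "portworxVolume",
    "scaleIO", "storageos", "csi",
)


def check_pod(pod):
    """Return the policy messages one Pod would trigger (empty list = passes).
    Mirrors the pattern: `=(volumes)` makes the list optional, and
    `X(<type>): "null"` fails whenever that key is present on any entry."""
    messages = []
    for volume in pod.get("spec", {}).get("volumes") or []:
        for vol_type in DISALLOWED_VOLUME_TYPES:
            if vol_type in volume:
                messages.append(
                    f"Use of the {vol_type} type volume is disallowed. "
                    f"The fields spec.volumes[*].{vol_type} must not be set.")
    return messages


def audit(manifest_json):
    """Audit one Pod or a kubectl List (`kubectl get pods -o json`); returns
    {pod name: [messages]} for violating Pods only, which is what
    validationFailureAction: audit reports rather than blocks."""
    doc = json.loads(manifest_json)
    pods = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    report = {}
    for pod in pods:
        if pod.get("kind") != "Pod":
            continue  # the rules' match block selects only Pods
        hits = check_pod(pod)
        if hits:
            report[pod["metadata"]["name"]] = hits
    return report


# Constructed sample: an NFS-backed Pod (fails), a PVC-backed Pod (passes)
# and a Pod with no volumes key at all (passes, since volumes is optional).
SAMPLE_LIST = json.dumps({"kind": "List", "items": [
    {"kind": "Pod", "metadata": {"name": "nfs-pod"}, "spec": {"volumes": [
        {"name": "data", "nfs": {"server": "nfs.example.internal", "path": "/export"}}]}},
    {"kind": "Pod", "metadata": {"name": "pvc-pod"}, "spec": {"volumes": [
        {"name": "data", "persistentVolumeClaim": {"claimName": "data"}}]}},
    {"kind": "Pod", "metadata": {"name": "plain-pod"}, "spec": {}},
]})
```

Running `audit(SAMPLE_LIST)` reports only `nfs-pod`, with the same message text the policy's `restricted-vol-nfs` rule emits.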
277