Restrict StorageClass
StorageClasses allow description of custom "classes" of storage offered by the cluster, based on quality-of-service levels, backup policies, or custom policies determined by the cluster administrators. For shared StorageClasses in a multi-tenancy environment, a reclaimPolicy of `Delete` should be used to ensure a PersistentVolume cannot be reused across Namespaces. This policy requires that StorageClasses set a reclaimPolicy of `Delete`.
Policy Definition
/other/restrict-storageclass/restrict-storageclass.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-storageclass
  annotations:
    policies.kyverno.io/title: Restrict StorageClass
    policies.kyverno.io/category: Other, Multi-Tenancy
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: StorageClass
    policies.kyverno.io/description: >-
      StorageClasses allow description of custom "classes" of storage offered
      by the cluster, based on quality-of-service levels, backup policies, or
      custom policies determined by the cluster administrators. For shared StorageClasses
      in a multi-tenancy environment, a reclaimPolicy of `Delete` should be used to ensure
      a PersistentVolume cannot be reused across Namespaces. This policy requires
      StorageClasses set a reclaimPolicy of `Delete`.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: storageclass-delete
    match:
      any:
      - resources:
          kinds:
          - StorageClass
    validate:
      message: "StorageClass must define a reclaimPolicy of Delete."
      pattern:
        reclaimPolicy: Delete
```
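
An added example (not part of the Kyverno policy library): a Python check that applies the same `reclaimPolicy: Delete` requirement offline to StorageClass JSON shaped like `kubectl get storageclass -o json` output. The sample objects, their names, and the `example.com/csi` provisioner are constructed; reporting an unset field is this example's choice, since Kubernetes defaults an unset reclaimPolicy to `Delete` when the StorageClass is created.

```python
import json

REQUIRED = "Delete"  # value required by the policy's validate pattern

# Constructed sample shaped like `kubectl get storageclass -o json` output.
SAMPLE = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
  {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
   "metadata": {"name": "shared-fast"}, "provisioner": "example.com/csi", "reclaimPolicy": "Delete"},
  {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
   "metadata": {"name": "shared-archive"}, "provisioner": "example.com/csi", "reclaimPolicy": "Retain"},
  {"apiVersion": "storage.k8s.io/v1", "kind": "StorageClass",
   "metadata": {"name": "draft-unset"}, "provisioner": "example.com/csi"},
  {"apiVersion": "v1", "kind": "ConfigMap", "metadata": {"name": "not-a-storageclass"}}
]}
""")


def iter_objects(doc):
    """Yield objects from a List wrapper or from a single manifest."""
    if doc.get("kind", "").endswith("List"):
        yield from doc.get("items", [])
    else:
        yield doc


def audit_storageclasses(doc):
    """Return (name, reclaimPolicy) for each StorageClass whose reclaimPolicy is not Delete."""
    findings = []
    for obj in iter_objects(doc):
        if obj.get("kind") != "StorageClass":
            continue  # the rule only matches StorageClass objects
        policy = obj.get("reclaimPolicy")  # None when unset in a manifest not yet applied
        if policy != REQUIRED:
            findings.append((obj["metadata"]["name"], policy))
    return findings


if __name__ == "__main__":
    for name, policy in audit_storageclasses(SAMPLE):
        print(f"{name}: reclaimPolicy={policy or 'unset'} (expected {REQUIRED})")
```
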