Restrict Volume Types

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: restrict-volume-types
 5  annotations:
 6    policies.kyverno.io/title: Restrict Volume Types
 7    policies.kyverno.io/category: Pod Security Standards (Restricted)
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Pod,Volume
10    policies.kyverno.io/minversion: 1.6.0
11    kyverno.io/kubernetes-version: "1.22-1.23"
12    kyverno.io/kyverno-version: 1.6.0
13    policies.kyverno.io/description: >-
14      In addition to restricting HostPath volumes, the restricted pod security profile
15      limits usage of non-core volume types to those defined through PersistentVolumes.
16      This policy blocks any other type of volume other than those in the allow list.      
17spec:
18  validationFailureAction: audit
19  background: true
20  rules:
21    - name: restricted-volumes
22      match:
23        any:
24        - resources:
25            kinds:
26              - Pod
27      preconditions:
28        all:
29        - key: "{{ request.operation || 'BACKGROUND' }}"
30          operator: NotEquals
31          value: DELETE
32      validate:
33        message: >-
34          Only the following types of volumes may be used: configMap, csi, downwardAPI,
35          emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.          
36        deny:
37          conditions:
38            all:
39            - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
40              operator: AnyNotIn
41              value:
42              - name
43              - configMap
44              - csi
45              - downwardAPI
46              - emptyDir
47              - ephemeral
48              - persistentVolumeClaim
49              - projected
50              - secret
51              - ''