
Require Requests and Limits for emptyDir

Pods which mount emptyDir volumes may overrun the medium backing the emptyDir volume. This sample ensures that any initContainers or containers mounting an emptyDir volume have ephemeral-storage requests and limits set. The policy is skipped if the volume already has a sizeLimit set.

Policy Definition

/other/require_emptydir_requests_limits/require-emptydir-requests-limits.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: require-emptydir-requests-and-limits
 5  annotations:
 6    policies.kyverno.io/title: Require Requests and Limits for emptyDir
 7    policies.kyverno.io/category: Other
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/minversion: 1.6.0
10    kyverno.io/kyverno-version: 1.7.0
11    kyverno.io/kubernetes-version: "1.23"
12    policies.kyverno.io/subject: Pod
13    policies.kyverno.io/description: >-
14      Pods which mount emptyDir volumes may be allowed to potentially overrun
15      the medium backing the emptyDir volume. This sample ensures that any
16      initContainers or containers mounting an emptyDir volume have
17      ephemeral-storage requests and limits set. Policy will be skipped if
18      the volume has already a sizeLimit set.      
19spec:
20  background: false
21  validationFailureAction: audit
22  rules:
23    - name: check-emptydir-requests-limits
24      match:
25        any:
26          - resources:
27              kinds:
28                - Pod
29      preconditions:
30        all:
31          - key: "{{ request.object.spec.volumes[?contains(keys(@), 'emptyDir')] || '' | length(@) }}"
32            operator: GreaterThanOrEquals
33            value: 1
34          - key: "{{request.operation || 'BACKGROUND'}}"
35            operator: AnyIn
36            value:
37              - CREATE
38              - UPDATE
39      validate:
40        message: Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage.
41        foreach:
42          - list: "request.object.spec.volumes[?contains(keys(@), 'emptyDir') && !contains(keys(emptyDir), 'sizeLimit')]"
43            elementScope: false
44            deny:
45              conditions:
46                any:
47                  # get the number of containers (based on name) which mount this emptyDir (by name)
48                  - key: "{{request.object.spec.[initContainers, containers][].volumeMounts[?name == '{{ element.name }}' ][].name | length(@) }}"
49                    operator: NotEquals
50                    # compare it to the number of containers (also mounting this same emptyDir vol by name) which have ephemeral-storage requests.
51                    # block if the two numbers aren't equal. If limits are specified but not requests, requests are automatically
52                    # set equal to the value of the limit. Therefore, this condition only works effectively if both requests and limits are not set.
53                    value: '{{request.object.spec.[initContainers, containers[?volumeMounts[?name == ''{{element.name}}'' ]]][].resources.requests."ephemeral-storage" | length(@) }}'
54                  - key: "{{request.object.spec.[initContainers, containers][].volumeMounts[?name == '{{ element.name }}' ][].name | length(@) }}"
55                    operator: NotEquals
56                    # same as above but with limits
57                    value: '{{request.object.spec.[initContainers, containers[?volumeMounts[?name == ''{{element.name}}'' ]]][].resources.limits."ephemeral-storage" | length(@) }}'