Restrict Volume Types

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: restrict-volume-types
 5  annotations:
 6    policies.kyverno.io/title: Restrict Volume Types
 7    policies.kyverno.io/category: Pod Security Standards (Restricted)
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: Pod,Volume
10    policies.kyverno.io/minversion: 1.6.0
11    kyverno.io/kubernetes-version: "1.22-1.23"
12    kyverno.io/kyverno-version: 1.6.0
13    policies.kyverno.io/description: >-
14      In addition to restricting HostPath volumes, the restricted pod security profile
15      limits usage of non-core volume types to those defined through PersistentVolumes.
16      This policy blocks any other type of volume other than those in the allow list.      
17spec:
18  validationFailureAction: audit
19  background: true
20  rules:
21    - name: restricted-volumes
22      match:
23        any:
24        - resources:
25            kinds:
26              - Pod
27      validate:
28        message: >-
29          Only the following types of volumes may be used: configMap, csi, downwardAPI,
30          emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.          
31        deny:
32          conditions:
33            all:
34            - key: "{{ request.object.spec.volumes[].keys(@)[] || '' }}"
35              operator: AnyNotIn
36              value:
37              - name
38              - configMap
39              - csi
40              - downwardAPI
41              - emptyDir
42              - ephemeral
43              - persistentVolumeClaim
44              - projected
45              - secret
46              - ''