Block Images with Volumes

OCI images may be built with VOLUME statements; even when the container is run with a read-only root filesystem, such a declared volume still results in write access at the specified path. This may be unexpected and undesirable. This policy inspects the metadata of every container image referenced by a Pod (including init and ephemeral containers) for such VOLUME statements and blocks the Pod if any are found.

Policy Definition

/other-vpol/block-images-with-volumes/block-images-with-volumes.yaml

apiVersion: policies.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
  name: block-images-with-volumes
  annotations:
    policies.kyverno.io/title: Block Images with Volumes
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/minversion: 1.15.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      OCI images may optionally be built with VOLUME statements which, if run
      in read-only mode, would still result in write access to the specified location.
      This may be unexpected and undesirable. This policy checks the contents of every
      container image and inspects them for such VOLUME statements, then blocks if found.
spec:
  evaluation:
    background:
      enabled: true
  validationActions: ["Audit"]
  variables:
    - name: allContainers
      expression: 'object.spec.containers + object.spec.?initContainers.orValue([]) + object.spec.?ephemeralContainers.orValue([])'
  matchConstraints:
    resourceRules:
      - resources: ["pods"]
        operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
  validations:
    - message: "Images containing built-in volumes are prohibited."
      expression: 'variables.allContainers.all(container, !has(image.GetMetadata(container.image).config.Volumes) || size(image.GetMetadata(container.image).config.?Volumes.orValue({})) == 0)'
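To see exactly what the two CEL expressions above evaluate, here is an added Python re-implementation of the same check (example code, not part of the policy or of Kyverno). The image configs and the Pod spec are constructed samples; the config documents stand in for what `image.GetMetadata(ref).config` returns, which locally you would obtain from the image's OCI config blob (for example with `crane config <ref>`).

```python
"""Local mirror of block-images-with-volumes (added example, not Kyverno's code)."""
import json

# Constructed OCI image config blobs, keyed by image reference.
SAMPLE_IMAGE_CONFIGS = {
    # Built from a Dockerfile containing `VOLUME /var/lib/data`: must be flagged.
    "registry.example/app:1.0": json.dumps({
        "architecture": "amd64", "os": "linux",
        "config": {"Cmd": ["/app"], "Volumes": {"/var/lib/data": {}}},
    }),
    # No VOLUME statement at all: the `!has(...Volumes)` branch of the policy.
    "registry.example/sidecar:2.3": json.dumps({
        "architecture": "amd64", "os": "linux",
        "config": {"Cmd": ["/sidecar"]},
    }),
    # Volumes key present but empty: the `size(...) == 0` branch of the policy.
    "registry.example/init:0.1": json.dumps({
        "architecture": "amd64", "os": "linux",
        "config": {"Entrypoint": ["/init"], "Volumes": {}},
    }),
}


def image_has_volumes(config_json: str) -> bool:
    """True when the image config declares at least one VOLUME.

    This is the negation of the policy's per-container predicate
    `!has(config.Volumes) || size(config.?Volumes.orValue({})) == 0`.
    """
    config = json.loads(config_json).get("config", {})
    return len(config.get("Volumes") or {}) > 0


def all_containers(pod: dict) -> list:
    """Mirror of the `allContainers` variable; init/ephemeral lists may be absent."""
    spec = pod["spec"]
    return (spec["containers"]
            + spec.get("initContainers", [])
            + spec.get("ephemeralContainers", []))


def offending_images(pod: dict, configs: dict = SAMPLE_IMAGE_CONFIGS) -> list:
    """Image references in the Pod that would make the validation fail.

    A reference missing from `configs` raises KeyError, matching the policy's
    behaviour of erroring rather than passing when metadata cannot be fetched.
    """
    return sorted({c["image"] for c in all_containers(pod)
                   if image_has_volumes(configs[c["image"]])})
```

Note that the policy as printed has `validationActions: ["Audit"]`, so on a cluster it only reports Pods whose images fail this check; change it to `["Deny"]` to actually reject them.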