Policy that inspects containers, init containers, and ephemeral containers, and
restricts their usage of volumes by checking the volume name being used in
`volumeMounts[*].name`.

The policy can either target Pods, or workload resources (Deployments,
ReplicaSets, DaemonSets, ReplicationControllers, Jobs, CronJobs) by setting the
policy's `spec.rules` accordingly.

Both have trade-offs:
```yaml
reject: anyIn # one of anyIn (default, denylist), anyNotIn (allowlist), allAreUsed, notAllAreUsed
volumeMountsNames: # list of volumeMounts.name to match using the defined reject operator
  - foo
  - bar
  - baz
```

- `anyIn` (default): checks if any of the `volumeMountsNames` are in the Pod/Workload resource
- `anyNotIn`: checks if any of the `volumeMountsNames` are not in the Pod/Workload resource
- `allAreUsed`: checks if all of the `volumeMountsNames` are in the Pod/Workload resource
- `notAllAreUsed`: checks if all of the `volumeMountsNames` are not in the Pod/Workload resource

```yaml
# denylist, reject volumeMounts named `my-volume` or `my-volume2`
reject: anyIn
volumeMountsNames:
  - my-volume
  - my-volume2
```

```yaml
# allowlist, only allow volumeMounts named `my-volume3` or `my-volume4`
reject: anyNotIn
volumeMountsNames:
  - my-volume3
  - my-volume4
```

```yaml
# container cannot use both volumes at once, only one or the other
reject: allAreUsed
volumeMountsNames:
  - my-volume5
  - my-volume6
```

```yaml
# container can use both volumes at once, but not only one of them
reject: notAllAreUsed
volumeMountsNames:
  - my-volume5
  - my-volume6
```
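As an added example (not the policy's own code), the following Python evaluates the four `reject` operators against a Pod or workload resource, one container at a time, so the settings above can be checked offline. It assumes per-container evaluation, that `anyNotIn` rejects a container mounting a volume whose name is not in the list (the allowlist reading of the examples), and that `notAllAreUsed` rejects a container mounting some but not all of the listed names; the sample resource is constructed.

```python
from typing import Iterator

# Constructed sample resource (not from the policy's own tests): a Pod whose
# containers, init containers and ephemeral containers mount various volumes.
SAMPLE_POD = {
    "kind": "Pod",
    "spec": {
        "containers": [
            {"name": "app", "volumeMounts": [{"name": "my-volume", "mountPath": "/data"}]},
            {"name": "sidecar", "volumeMounts": [{"name": "my-volume5", "mountPath": "/a"},
                                                 {"name": "my-volume6", "mountPath": "/b"}]},
        ],
        "initContainers": [
            {"name": "init", "volumeMounts": [{"name": "my-volume3", "mountPath": "/c"}]},
        ],
        "ephemeralContainers": [
            {"name": "debug", "volumeMounts": [{"name": "my-volume5", "mountPath": "/a"}]},
        ],
    },
}


def pod_spec(resource: dict) -> dict:
    """Return the PodSpec of a Pod, or of a workload (Deployment, Job, CronJob, ...)."""
    spec = resource.get("spec", {})
    if resource.get("kind") == "CronJob":  # CronJob nests the pod template in jobTemplate
        spec = spec["jobTemplate"]["spec"]
    return spec["template"]["spec"] if "template" in spec else spec


def mounted_names(spec: dict) -> Iterator[tuple[str, set[str]]]:
    """Yield (container name, set of volumeMounts[*].name) for every container kind."""
    for field in ("containers", "initContainers", "ephemeralContainers"):
        for c in spec.get(field, []):
            yield c["name"], {vm["name"] for vm in c.get("volumeMounts", [])}


def violations(resource: dict, settings: dict) -> list[str]:
    """Names of containers rejected under the given reject operator (assumed per-container)."""
    names = set(settings.get("volumeMountsNames", []))
    op = settings.get("reject", "anyIn")
    checks = {
        "anyIn": lambda used: bool(used & names),                  # denylist
        "anyNotIn": lambda used: bool(used - names),               # allowlist (assumed reading)
        "allAreUsed": lambda used: bool(names) and names <= used,  # not both at once
        "notAllAreUsed": lambda used: bool(used & names) and not names <= used,  # all or none
    }
    if op not in checks:
        raise ValueError(f"unknown reject operator: {op}")
    return [name for name, used in mounted_names(pod_spec(resource)) if checks[op](used)]
```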