Restrict Volume Types

Description

In addition to restricting HostPath volumes, the restricted pod security profile limits usage of non-core volume types to those defined through PersistentVolumes.

Restricted Fields

  • spec.volumes[*]

Allowed Values

Every item in the spec.volumes[*] list must set one of the following fields to a non-null value:

  • spec.volumes[*].configMap - Represents a configMap that should populate this volume.
  • spec.volumes[*].csi - Represents ephemeral storage that is handled by certain external CSI drivers.
  • spec.volumes[*].downwardAPI - Represents downward API about the pod that should populate this volume.
  • spec.volumes[*].emptyDir - Represents a temporary directory that shares a pod’s lifetime. More info: EmptyDir.
  • spec.volumes[*].ephemeral - Represents a volume that is handled by a cluster storage driver. The volume’s lifecycle is tied to the pod that defines it, it will be created before the pod starts, and deleted when the pod is removed.
  • spec.volumes[*].persistentVolumeClaim - Represents a reference to a PersistentVolumeClaim in the same namespace. More info: PersistentVolumeClaims.
  • spec.volumes[*].projected - Represents projected items for all-in-one resources secrets, configmaps, and downward API.
  • spec.volumes[*].secret - Represents a secret that should populate this volume. More info: Secret.

Risks

This policy restricts hostPath volumes and other non-core volumes. A hostPath volume mounts a file or directory from the host node’s filesystem into your Pod. This is not something that most Pods will need, but it offers a powerful escape hatch for some applications. There are some risks associated with using hostPath volumes:

  • Access to the host filesystem can expose privileged system credentials (such as for the kubelet) or privileged APIs (such as the container runtime socket), that can be used for container escape or to attack other parts of the cluster.
  • Pods with identical configuration (such as created from a PodTemplate) may behave differently on different nodes due to different files on the nodes.
  • hostPath volume usage is not treated as ephemeral storage usage. You need to monitor the disk usage by yourself because excessive hostPath disk usage will lead to disk pressure on the node.

Also, using non-core volume types, especially those managed by external systems or third-party plugins, can introduce vulnerabilities. For instance, Container Storage Interface (CSI) drivers might have their own security flaws.

Kyverno Policy

Refer to the Nirmata curated policies - restrict-volume-types.yaml

References

Configuration Settings

Each entry in request.object.spec.volumes[] must use one of the volume types listed above; any other volume source (hostPath, for example) causes the policy to reject the resource.
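The allow-list in "Allowed Values" and the check described above can be expressed as a small validator that walks spec.volumes[*] and reports every entry whose volume source is not on the list. The following Python is an added example written for this page; it is not the Kyverno policy itself (Kyverno evaluates the YAML policy referenced above, not Python), and the two sample workloads embedded in it are constructed for illustration: one mirrors the page's ephemeral-volume Deployment, the other is a Pod with a hostPath volume that the restricted profile rejects.

```python
"""Validate Pod-template volumes against the restricted profile's volume allow-list.

Added example for this page; it is not Kyverno's or Nirmata's own code.
"""
from typing import Any, Dict, List, Optional

# The spec.volumes[*].<field> names the restricted profile permits (from this page).
# Any other non-null key in a volume entry is a policy violation.
ALLOWED_VOLUME_TYPES = frozenset({
    "configMap", "csi", "downwardAPI", "emptyDir",
    "ephemeral", "persistentVolumeClaim", "projected", "secret",
})


def volume_type(volume: Dict[str, Any]) -> Optional[str]:
    """Return the single volume-source key set on this entry, or None.

    Kubernetes volume entries carry a 'name' plus exactly one source field
    (emptyDir, hostPath, ...). Keys whose value is None are treated as unset.
    """
    sources = [k for k, v in volume.items() if k != "name" and v is not None]
    return sources[0] if len(sources) == 1 else None


def check_volumes(volumes: Optional[List[Dict[str, Any]]]) -> List[str]:
    """Return one violation message per volume entry not on the allow-list."""
    violations: List[str] = []
    for index, vol in enumerate(volumes or []):
        name = vol.get("name", f"<index {index}>")
        vtype = volume_type(vol)
        if vtype is None:
            violations.append(f"volume {name}: no single volume source is set")
        elif vtype not in ALLOWED_VOLUME_TYPES:
            violations.append(
                f"volume {name}: source {vtype!r} is not allowed by the restricted profile"
            )
    return violations


def check_workload(obj: Dict[str, Any]) -> List[str]:
    """Accept a bare Pod or any workload with spec.template (Deployment, Job, ...)."""
    spec = obj.get("spec", {})
    if "template" in spec:          # Deployment/StatefulSet/DaemonSet/Job wrap a Pod template
        spec = spec["template"].get("spec", {})
    return check_volumes(spec.get("volumes"))


# Constructed sample: the same shape as the page's gooddeployment06 (ephemeral volume).
GOOD_DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "gooddeployment06"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "app"}},
        "template": {
            "metadata": {"labels": {"app": "app"}},
            "spec": {
                "containers": [{"name": "container01", "image": "dummyimagename",
                                "volumeMounts": [{"name": "ephem", "mountPath": "/ephem"}]}],
                "volumes": [{"name": "ephem", "ephemeral": {"volumeClaimTemplate": {
                    "spec": {"accessModes": ["ReadWriteOnce"],
                             "storageClassName": "scratch-storage-class",
                             "resources": {"requests": {"storage": "1Gi"}}}}}}],
            },
        },
    },
}

# Constructed sample: a Pod mounting a host directory, which the profile must reject.
BAD_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "badpod-hostpath"},
    "spec": {
        "containers": [{"name": "container01", "image": "dummyimagename"}],
        "volumes": [
            {"name": "cfg", "configMap": {"name": "app-config"}},   # allowed
            {"name": "hostdir", "hostPath": {"path": "/var/log"}},  # rejected
        ],
    },
}


if __name__ == "__main__":
    for workload in (GOOD_DEPLOYMENT, BAD_POD):
        problems = check_workload(workload)
        verdict = "PASS" if not problems else "FAIL"
        print(f"{workload['kind']}/{workload['metadata']['name']}: {verdict}")
        for line in problems:
            print("  -", line)
```

Run stand-alone, it prints PASS for the ephemeral-volume Deployment and FAIL for the hostPath Pod with one violation line naming the offending volume. The check deliberately flags entries that set zero or more than one source field as well, since a malformed entry should never be silently treated as compliant.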

Resource Example

Below is a Deployment resource example whose single entry in volumes[] uses the ephemeral volume type, which is on the allowed list, so the policy accepts it.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment06
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
      - name: container01
        image: dummyimagename
        volumeMounts:
        - name: ephem
          mountPath: /ephem
      volumes:
      - name: ephem
        ephemeral:
          volumeClaimTemplate:
            metadata:
              labels:
                type: my-frontend-volume
            spec:
              accessModes: [ "ReadWriteOnce" ]
              storageClassName: "scratch-storage-class"
              resources:
                requests:
                  storage: 1Gi