
Policy that validates and adjusts the usage of StorageClasses in PersistentVolumeClaims


kubewarden/persistentvolumeclaim-storageclass-policy


Restrict StorageClasses in PersistentVolumeClaims

This Kubewarden policy is designed to enhance the security and manageability of Kubernetes clusters by preventing the use of certain storage classes within PersistentVolumeClaim (PVC) objects. The policy provides an option to configure a fallback storage class, offering a seamless alternative when a denied storage class is requested.

Configuration

The policy is configurable to meet the needs of different Kubernetes environments. Below is the structure of the policy's configuration parameters:

# List of storage classes that are not allowed
deniedStorageClasses:
- fast
- nvme

# Optional: Specifies the fallback storage class to use when a denied storage class is requested
fallbackStorageClass: slow

The fallback storage class is optional. If it is not specified, the policy rejects any PVC that requests a denied storage class. Furthermore, the fallbackStorageClass value must not itself appear in the deniedStorageClasses list.

How It Works

The policy operates by evaluating the storageClassName specified in PersistentVolumeClaim objects. If a PVC requests a storage class listed in deniedStorageClasses, the policy action will depend on the configuration:

  • Without a fallbackStorageClass specified, the PVC will be rejected.
  • With a fallbackStorageClass specified, the PVC will be mutated to use the fallback storage class, allowing the request to proceed.
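The decision logic described above, modelled as an added Python example (not the policy's own code; it stands in for the admission webhook and works on plain dictionaries). It validates the settings the way the Configuration section requires, rejects or mutates a PVC as the two bullets describe, and assumes that a PVC with no explicit storageClassName is left untouched.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Settings:
    """Mirror of the policy's configuration parameters."""
    denied_storage_classes: list = field(default_factory=list)
    fallback_storage_class: Optional[str] = None

    def validate(self) -> None:
        # The fallback must not be one of the denied classes, otherwise the
        # mutation would just produce another PVC the policy rejects.
        if self.fallback_storage_class in self.denied_storage_classes:
            raise ValueError(
                f"fallbackStorageClass {self.fallback_storage_class!r} "
                "is listed in deniedStorageClasses")


def evaluate(pvc: dict, settings: Settings) -> dict:
    """Return a verdict: accepted flag, reason, and the mutated PVC (or None)."""
    settings.validate()
    requested = pvc.get("spec", {}).get("storageClassName")
    # Assumption: a PVC that does not name a storage class is out of scope.
    if requested is None or requested not in settings.denied_storage_classes:
        return {"accepted": True, "mutated": None, "message": ""}
    if settings.fallback_storage_class is None:
        return {"accepted": False, "mutated": None,
                "message": f"storage class {requested!r} is not allowed"}
    # Never modify the request in place; the original is what gets audited.
    mutated = copy.deepcopy(pvc)
    mutated["spec"]["storageClassName"] = settings.fallback_storage_class
    return {"accepted": True, "mutated": mutated,
            "message": f"storage class {requested!r} replaced by "
                       f"{settings.fallback_storage_class!r}"}


# Constructed sample PVC, matching the README's examples.
SAMPLE_PVC = {
    "apiVersion": "v1",
    "kind": "PersistentVolumeClaim",
    "metadata": {"name": "task-pv-claim"},
    "spec": {"storageClassName": "fast",
             "accessModes": ["ReadWriteOnce"],
             "resources": {"requests": {"storage": "3Gi"}}},
}
```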

Examples

Example 1: Rejecting a Denied Storage Class

Given the configuration:

deniedStorageClasses:
- fast

A PVC with storageClassName: fast will be rejected:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: task-pv-claim
spec:
  storageClassName: fast
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi

Example 2: Accepting and Mutating to Fallback Storage Class

With the following configuration:

deniedStorageClasses:
- fast
fallbackStorageClass: cheap

A PVC requesting a denied storage class will be mutated to use the fallback class cheap, thus being accepted:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: task-pv-claim
spec:
  storageClassName: fast
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi

Will be mutated to:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: task-pv-claim
spec:
  storageClassName: cheap
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi