[Sample] Mount volumes for ephemeral containers #1088

Open
realshuting opened this issue Jul 29, 2024 · 1 comment
Labels: good first issue (Good for newcomers), sample (Sample policy)

Comments

@realshuting (Member)

Problem Statement

Add a sample policy to mount volumes and set a default security context for ephemeral containers. Breaking down the policy below:

  1. the first rule adds the volume to pods with the label ephemeral-debug: true
  2. the second rule adds the default security context to ephemeral containers
  3. the third rule mounts the volume added by the first rule to ephemeral containers
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mount-volumes-for-ephemeral-containers
spec:
  background: false
  rules:
  # rule 1: add the emptyDir volume to pods labelled ephemeral-debug: "true"
  - name: add-volume-to-debug-pod
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - default
          selector:
            matchLabels:
              ephemeral-debug: "true"
          operations:
          - CREATE
    mutate:
      patchStrategicMerge:
        spec:
          volumes:
          - name: ephemeralcontainer-tmp-tcpdump-volume
            emptyDir:
              sizeLimit: 1G
  # rule 2: default every ephemeral container to a read-only root filesystem
  - name: mutate-ephemeralcontainers-readonlyrootfilesystem
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - default
    preconditions:
      all:
      # only fire when the request carries at least one ephemeral container
      - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
        operator: GreaterThanOrEquals
        value: 1
    mutate:
      foreach:
      - list: "request.object.spec.ephemeralContainers[]"
        patchStrategicMerge:
          spec:
            ephemeralContainers:
            - name: "{{ element.name }}"
              # +() adds the field only when it is absent, so an explicit
              # securityContext set by the user is left untouched
              +(securityContext):
                +(readOnlyRootFilesystem): true
  # rule 3: mount the volume from rule 1 into every ephemeral container
  - name: add-volumemount
    match:
      any:
      - resources:
          kinds:
          - Pod
          namespaces:
          - default
    preconditions:
      all:
      - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
        operator: GreaterThanOrEquals
        value: 1
      # skip the rule when every ephemeral container already carries the mount;
      # `|| `[]`` falls back to an empty list when no container has volumeMounts
      - key: "{{ request.object.spec.ephemeralContainers[].volumeMounts[?name=='ephemeralcontainer-tmp-tcpdump-volume'] || `[]` | length(@) }}"
        operator: LessThan
        value: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
    mutate:
      foreach:
      - list: "request.object.spec.ephemeralContainers"
        patchStrategicMerge:
          spec:
            ephemeralContainers:
            - name: "{{ element.name }}"
              volumeMounts:
              - mountPath: /tmp
                name: ephemeralcontainer-tmp-tcpdump-volume

It would be good to add Chainsaw tests for this policy. The test scenarios:

  1. create the policy
  2. create a pod with the label ephemeral-debug: true
  3. verify the volume is added to the pod
  4. create the ephemeral container, for example kubectl debug -it nginx-64ff7dcdf4-5jbmb --image=network-multitool:v1 --target nginx -- bash
  5. verify the security context and volumeMounts are added to ephemeral containers

Solution Description

See above.

Example "Good" Resource

No response

Example "Bad" Resource

No response

Other Comments

No response

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1721654971501889

Troubleshooting

@realshuting realshuting added good first issue Good for newcomers sample Sample policy labels Jul 29, 2024
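One way to write the Chainsaw test requested in the issue, as an added example that is not from the issue or from the kyverno/policies repository. It assumes the ClusterPolicy above is saved beside the test as policy.yaml, swaps the network-multitool image for busybox, and keeps the ephemeral container alive with `sleep` so the step is non-interactive; the parenthesised keys are kyverno-json filter expressions, so the assertions do not depend on list position.

```yaml
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
  name: mount-volumes-for-ephemeral-containers
spec:
  namespace: default              # the policy only matches the default namespace
  steps:
  - try:                          # 1. create the policy and wait until it reports ready
    - apply:
        file: policy.yaml         # assumption: the ClusterPolicy above, saved beside this test
    - assert:
        resource:
          apiVersion: kyverno.io/v1
          kind: ClusterPolicy
          metadata: {name: mount-volumes-for-ephemeral-containers}
          status: {ready: true}
  - try:                          # 2.-3. a labelled pod gets the emptyDir volume
    - apply:
        resource:
          apiVersion: v1
          kind: Pod
          metadata:
            name: nginx
            labels: {ephemeral-debug: "true"}
          spec:
            containers:
            - {name: nginx, image: nginx}
    - assert:
        resource:
          apiVersion: v1
          kind: Pod
          metadata: {name: nginx}
          spec:
            # filter by name: the ServiceAccount admission plugin also adds a volume
            "(volumes[?name == 'ephemeralcontainer-tmp-tcpdump-volume'])":
            - emptyDir: {sizeLimit: 1G}
  - try:                          # 4.-5. the ephemeral container is mutated as well
    - script:
        content: kubectl -n default debug nginx --image=busybox --target=nginx -- sleep 300
    - assert:
        resource:
          apiVersion: v1
          kind: Pod
          metadata: {name: nginx}
          spec:
            ephemeralContainers:
            - securityContext: {readOnlyRootFilesystem: true}
              "(volumeMounts[?name == 'ephemeralcontainer-tmp-tcpdump-volume'])":
              - {mountPath: /tmp}
```

Because `spec.namespace` is set to `default`, Chainsaw does not create or delete a test namespace, so the nginx pod should be cleaned up by the test's own cleanup or removed manually afterwards.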
@husnialhamdani commented:

/assign
