Block Images with Volumes

OCI images may be built with VOLUME statements, which are recorded in the image config. Depending on the container runtime, such a statement can cause a directory from the node to be created and bind-mounted at that path inside the container even though the Pod manifest declares no volume or volumeMount there. This policy fetches the config of every image listed in spec.containers, inspects it for VOLUME declarations, and denies the Pod if any are found. Two caveats for anyone deploying it: as shipped the policy sets validationFailureAction to audit, so violations are only reported and nothing is actually blocked until it is changed to enforce; and the rule iterates over spec.containers only, so initContainers and ephemeralContainers are not inspected. Because the imageRegistry context resolves image configs at admission time, the Kyverno admission controller must be able to reach the registry, with credentials configured for private registries.

Policy Definition

/other/block_images_with_volumes/block-images-with-volumes.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: block-images-with-volumes
  annotations:
    policies.kyverno.io/title: Block Images with Volumes
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      OCI images may optionally be built with VOLUME statements which could
      allow unexpected mounting of host paths even if the manifest does not
      specify them. This policy checks the contents of every container image
      and inspects them for such VOLUME statements, then blocks if found.
spec:
  validationFailureAction: audit
  rules:
  - name: block-images-with-vols
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "Images containing built-in volumes are prohibited."
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        deny:
          conditions:
            all:
              - key: "{{ imageData.configData.config.Volumes || '' | length(@) }}"
                operator: GreaterThan
                value: 0
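The following is an added example, not part of the Kyverno policy library, that reproduces the policy's check offline so you can see exactly what the JMESPath condition evaluates. It parses an OCI image config blob (the document the imageRegistry context exposes as configData, and what `crane config <image>` or `docker image inspect` would return) and applies the same `Volumes || '' | length(@) > 0` logic, including the fallback for a missing or null Volumes key. The image configs, Pod manifest, image references (`example.test/...`) and the in-memory "registry" are all constructed for illustration. It also goes one step beyond the policy as written by walking initContainers and ephemeralContainers, so the gap left by iterating over spec.containers alone is visible on a concrete Pod.

```python
"""Offline reproduction of the block-images-with-volumes check (added example)."""
import json

# Constructed sample: config blob of an image whose Dockerfile declared
# VOLUME ["/data", "/var/log/app"]. Builders record VOLUME as a map from
# mount path to an empty object.
SAMPLE_CONFIG_WITH_VOLUMES = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {
        "Cmd": ["/app/server"],
        "Volumes": {"/data": {}, "/var/log/app": {}},
    },
    "rootfs": {"type": "layers", "diff_ids": ["sha256:" + "0" * 64]},
})

# Constructed sample: same image without VOLUME. Builders may omit the key
# or emit null, so both shapes must be handled (the policy's `|| ''` does this).
SAMPLE_CONFIG_NO_VOLUMES = json.dumps({
    "architecture": "amd64",
    "os": "linux",
    "config": {"Cmd": ["/app/server"], "Volumes": None},
    "rootfs": {"type": "layers", "diff_ids": ["sha256:" + "1" * 64]},
})


def image_volumes(config_blob: str) -> list:
    """Return the mount paths declared with VOLUME in an OCI image config.

    Mirrors `imageData.configData.config.Volumes || ''`: a missing or null
    Volumes key counts as "no volumes".
    """
    cfg = json.loads(config_blob)
    volumes = (cfg.get("config") or {}).get("Volumes") or {}
    return sorted(volumes.keys())


def has_builtin_volumes(config_blob: str) -> bool:
    """The policy's deny condition: length(Volumes) GreaterThan 0."""
    return len(image_volumes(config_blob)) > 0


def policy_as_written_blocks(pod: dict, config_lookup: dict) -> bool:
    """What the Kyverno rule decides: foreach over spec.containers only."""
    return any(
        has_builtin_volumes(config_lookup[c["image"]])
        for c in pod.get("spec", {}).get("containers", [])
    )


def evaluate_pod(pod: dict, config_lookup: dict) -> list:
    """Extended check: every container kind in the Pod spec.

    `config_lookup` maps an image reference to its config blob; in the real
    policy the imageRegistry context fetches it from the registry.
    """
    spec = pod.get("spec", {})
    offending = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(field) or []:
            if has_builtin_volumes(config_lookup[c["image"]]):
                offending.append(f"{field}/{c['name']}: {c['image']}")
    return offending


# Constructed Pod: the main container is clean, the init container uses the
# image that declares volumes, so the rule above would not catch it.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "demo"},
    "spec": {
        "initContainers": [{"name": "migrate", "image": "example.test/app:init"}],
        "containers": [{"name": "app", "image": "example.test/app:1.0"}],
    },
}

# Hypothetical registry contents for the two references above.
SAMPLE_REGISTRY = {
    "example.test/app:init": SAMPLE_CONFIG_WITH_VOLUMES,
    "example.test/app:1.0": SAMPLE_CONFIG_NO_VOLUMES,
}

if __name__ == "__main__":
    print("volumes in init image:", image_volumes(SAMPLE_CONFIG_WITH_VOLUMES))
    print("policy as written blocks:", policy_as_written_blocks(SAMPLE_POD, SAMPLE_REGISTRY))
    print("extended check flags:", evaluate_pod(SAMPLE_POD, SAMPLE_REGISTRY))
```

Running it shows the init image carrying `/data` and `/var/log/app`, the rule as written returning False for the Pod, and the extended walk flagging `initContainers/migrate`. To close that gap in the real policy, add a second foreach entry over `request.object.spec.initContainers` (and, if relevant, `ephemeralContainers`) with the same context and deny block.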