All Policies

Require Requests and Limits for emptyDir

Pods which mount emptyDir volumes may be allowed to potentially overrun the medium backing the emptyDir volume. This sample ensures that any initContainers or containers mounting an emptyDir volume have ephemeral-storage requests and limits set.

Policy Definition

/other/require_emptydir_requests_limits/require-emptydir-requests-limits.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: require-emptydir-requests-and-limits
 5  annotations:
 6    policies.kyverno.io/title: Require Requests and Limits for emptyDir
 7    policies.kyverno.io/category: Other
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/minversion: 1.6.0
10    kyverno.io/kyverno-version: 1.6.0
11    kyverno.io/kubernetes-version: "1.23"
12    policies.kyverno.io/subject: Pod
13    policies.kyverno.io/description: >-
14      Pods which mount emptyDir volumes may be allowed to potentially overrun
15      the medium backing the emptyDir volume. This sample ensures that any
16      initContainers or containers mounting an emptyDir volume have
17      ephemeral-storage requests and limits set.         
18spec:
19  background: false
20  validationFailureAction: audit
21  rules:
22  - name: check-emptydir-requests-limits
23    match:
24      any:
25      - resources:
26          kinds:
27          - Pod
28    preconditions:
29      all:
30      - key: "{{ request.object.spec.volumes[?contains(keys(@), 'emptyDir')] || '' | length(@) }}"
31        operator: GreaterThanOrEquals
32        value: 1
33      - key: "{{request.operation}}"
34        operator: In
35        value:
36        - CREATE
37        - UPDATE
38    validate:
39      message: Containers mounting emptyDir volumes must specify requests and limits for ephemeral-storage.
40      foreach:
41      - list: "request.object.spec.volumes[?contains(keys(@), 'emptyDir')]"
42        elementScope: false
43        deny:
44          conditions:
45            any:
46              # get the number of containers (based on name) which mount this emptyDir (by name)
47            - key: "{{request.object.spec.[initContainers, containers][].volumeMounts[?name == '{{ element.name }}' ][].name | length(@) }}"
48              operator: NotEquals
49              # compare it to the number of containers (also mounting this same emptyDir vol by name) which have ephemeral-storage requests.
50              # block if the two numbers aren't equal. If limits are specified but not requests, requests are automatically
51              # set equal to the value of the limit. Therefore, this condition only works effectively if both requests and limits are not set.
52              value: "{{request.object.spec.[initContainers, containers[?volumeMounts[?name == '{{element.name}}' ]]][].resources.requests.\"ephemeral-storage\" | length(@) }}"
53            - key: "{{request.object.spec.[initContainers, containers][].volumeMounts[?name == '{{ element.name }}' ][].name | length(@) }}"
54              operator: NotEquals
55              # same as above but with limits
56              value: "{{request.object.spec.[initContainers, containers[?volumeMounts[?name == '{{element.name}}' ]]][].resources.limits.\"ephemeral-storage\" | length(@) }}"
57
Create policy issue