add restrict-volume-types policy

Signed-off-by: Sebastian Hoß <seb@xn--ho-hia.de>

Author: sebhoss

components/policies/pod-security-standards/restricted/restrict-volume-types/README.md

@@ -0,0 +1,23 @@
+<!--
+SPDX-FileCopyrightText: The vap-collection Authors
+SPDX-License-Identifier: Apache-2.0
+ -->
+
+# restrict-volume-types
+
+Verifies that pods only specify volumes using the following types:
+
+- `configMap`
+- `csi`
+- `downwardAPI`
+- `emptyDir`
+- `ephemeral`
+- `persistentVolumeClaim`
+- `projected`
+- `secret`
+
+Use the following query to list all pods in your cluster along with their current volume type usage:
+
+```shell
+kubectl get pods --all-namespaces --output yaml | yq '.items[] | select(.spec.volumes[] | (has("configMap") | not and has("csi") | not and has("downwardAPI") | not and has("emptyDir") | not and has("ephemeral") | not and has("persistentVolumeClaim") | not and has("projected") | not and has("secret") | not)) | .metadata.namespace + "/" + .metadata.name'
+```

components/policies/pod-security-standards/restricted/restrict-volume-types/binding.yaml

@@ -0,0 +1,12 @@
+# SPDX-FileCopyrightText: The vap-collection Authors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+  name: restrict-volume-types
+  labels:
+    app.kubernetes.io/name: restrict-volume-types
+    app.kubernetes.io/component: pod-security-standards-baseline
+spec:
+  policyName: restrict-volume-types
+  validationActions: [Deny]

components/policies/pod-security-standards/restricted/restrict-volume-types/kustomization.yaml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: The vap-collection Authors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - binding.yaml
+  - policy.yaml

components/policies/pod-security-standards/restricted/restrict-volume-types/policy.yaml

@@ -0,0 +1,53 @@
+# SPDX-FileCopyrightText: The vap-collection Authors
+# SPDX-License-Identifier: Apache-2.0
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: restrict-volume-types
+  labels:
+    app.kubernetes.io/name: restrict-volume-types
+    app.kubernetes.io/component: pod-security-standards-baseline
+spec:
+  failurePolicy: Fail
+  matchConstraints:
+    resourceRules:
+      - apiGroups:    [""]
+        apiVersions:  ["v1"]
+        operations:   ["CREATE", "UPDATE"]
+        resources:    ["pods"]
+        scope:        "Namespaced"
+      - apiGroups:    ["apps"]
+        apiVersions:  ["v1"]
+        operations:   ["CREATE", "UPDATE"]
+        resources:    ["daemonsets", "deployments", "statefulsets"]
+        scope:        "Namespaced"
+      - apiGroups:    ["batch"]
+        apiVersions:  ["v1"]
+        operations:   ["CREATE", "UPDATE"]
+        resources:    ["cronjobs", "jobs"]
+        scope:        "Namespaced"
+  variables:
+    - expression: object.spec.?template.?spec.?volumes.orValue([])
+      name: controllerVolumes
+    - expression: object.spec.?jobTemplate.?spec.?template.?spec.?volumes.orValue([])
+      name: cronJobVolumes
+    - expression: object.spec.?volumes.orValue([])
+      name: podVolumes
+    - expression: variables.controllerVolumes + variables.cronJobVolumes + variables.podVolumes
+      name: allUsedVolumes
+  validations:
+    - expression:
+        variables.allUsedVolumes.all(volume,
+          has(volume.configMap) ||
+          has(volume.csi) ||
+          has(volume.downwardAPI) ||
+          has(volume.emptyDir) ||
+          has(volume.ephemeral) ||
+          has(volume.persistentVolumeClaim) ||
+          has(volume.projected) ||
+          has(volume.secret))
+      message: 'Only the following types of volumes may be used: configMap, csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.'
+      reason: Invalid
+  auditAnnotations:
+    - key: name
+      valueExpression: string(object.metadata.name)