Allow ImageVolume for Restricted PSA profiles

Stop referring to ImageVolume as an unknown type during pod security admission validation.
Avoid restricting ImageVolume for the Restricted profile, as users who can create a pod
with a certain image should also be able to use ImageVolume with an image.

Signed-off-by: bmordeha <[email protected]>

Author: Barakmor1

staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go

@@ -36,6 +36,7 @@ limits usage of inline pod volume sources to:
 * csi
 * persistentVolumeClaim
 * ephemeral
+* image
 
 **Restricted Fields:**
 
@@ -95,6 +96,7 @@ func restrictedVolumes_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSp
 			volume.DownwardAPI != nil,
 			volume.EmptyDir != nil,
 			volume.Ephemeral != nil,
+			volume.Image != nil,
 			volume.PersistentVolumeClaim != nil,
 			volume.Projected != nil,
 			volume.Secret != nil:

staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes_test.go

@@ -42,6 +42,7 @@ func TestRestrictedVolumes(t *testing.T) {
 					{Name: "a6", VolumeSource: corev1.VolumeSource{Projected: &corev1.ProjectedVolumeSource{}}},
 					{Name: "a7", VolumeSource: corev1.VolumeSource{CSI: &corev1.CSIVolumeSource{}}},
 					{Name: "a8", VolumeSource: corev1.VolumeSource{Ephemeral: &corev1.EphemeralVolumeSource{}}},
+					{Name: "a9", VolumeSource: corev1.VolumeSource{Image: &corev1.ImageVolumeSource{}}},
 
 					// known restricted types
 					{Name: "b1", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{}}},