Require StorageClass
PersistentVolumeClaims (PVCs) and StatefulSets may optionally define a StorageClass to dynamically provision storage. In a multi-tenancy environment where StorageClasses are far more common, it is often better to require that storage be provisioned only from these StorageClasses. This policy requires that PVCs, and StatefulSets containing volumeClaimTemplates, define the storageClassName field with some value.
Policy Definition
/other/require-storageclass/require-storageclass.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-storageclass
  annotations:
    policies.kyverno.io/title: Require StorageClass
    policies.kyverno.io/category: Other, Multi-Tenancy
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: PersistentVolumeClaim, StatefulSet
    policies.kyverno.io/description: >-
      PersistentVolumeClaims (PVCs) and StatefulSets may optionally define a StorageClass
      to dynamically provision storage. In a multi-tenancy environment where StorageClasses are
      far more common, it is often better to require storage only be provisioned from these
      StorageClasses. This policy requires that PVCs and StatefulSets containing
      volumeClaimTemplates define the storageClassName field with some value.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: pvc-storageclass
    match:
      any:
      - resources:
          kinds:
          - PersistentVolumeClaim
    validate:
      message: "PersistentVolumeClaims must define a storageClassName."
      pattern:
        spec:
          storageClassName: "?*"
  - name: ss-storageclass
    match:
      any:
      - resources:
          kinds:
          - StatefulSet
    validate:
      message: "StatefulSets must define a storageClassName."
      pattern:
        spec:
          =(volumeClaimTemplates):
          - spec:
              storageClassName: "?*"
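
With validationFailureAction set to audit, the policy above reports violations rather than rejecting the resource, so a pre-merge check on manifests can catch the same cases earlier. The following is an added example, not part of the Kyverno policy library and not Kyverno's engine: it approximates the two rules in Python, and the function names, sample manifests and the class name tenant-a-ssd are constructed for illustration.

```python
# Added example: approximates the two rules above for a CI pre-check.

def has_storage_class(spec):
    """Mirror of the pattern storageClassName: "?*" (a string of one or more characters)."""
    value = (spec or {}).get("storageClassName")
    return isinstance(value, str) and len(value) >= 1


def check(manifest):
    """Return the violation messages for one manifest (empty list means pass)."""
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    if kind == "PersistentVolumeClaim":
        if not has_storage_class(spec):
            return ["PersistentVolumeClaims must define a storageClassName."]
    elif kind == "StatefulSet":
        # =(volumeClaimTemplates): the templates are validated only if the field is present.
        if "volumeClaimTemplates" in spec:
            templates = spec["volumeClaimTemplates"] or []
            if not all(has_storage_class((t or {}).get("spec")) for t in templates):
                return ["StatefulSets must define a storageClassName."]
    return []


# Constructed sample manifests, reduced to the fields the rules inspect.
SAMPLES = {
    "pvc-ok": {"kind": "PersistentVolumeClaim", "spec": {"storageClassName": "tenant-a-ssd"}},
    "pvc-missing": {"kind": "PersistentVolumeClaim", "spec": {"accessModes": ["ReadWriteOnce"]}},
    "pvc-empty": {"kind": "PersistentVolumeClaim", "spec": {"storageClassName": ""}},
    "sts-no-templates": {"kind": "StatefulSet", "spec": {"replicas": 1}},
    "sts-mixed": {"kind": "StatefulSet", "spec": {"volumeClaimTemplates": [
        {"spec": {"storageClassName": "tenant-a-ssd"}},
        {"spec": {"accessModes": ["ReadWriteOnce"]}},
    ]}},
}


def failing(samples):
    """Names of the manifests that violate either rule, sorted."""
    return sorted(name for name, manifest in samples.items() if check(manifest))


if __name__ == "__main__":
    for name in failing(SAMPLES):
        print("FAIL", name, check(SAMPLES[name])[0])
```

The empty-string case fails because "?*" needs at least one character, and the StatefulSet without volumeClaimTemplates passes because of the =( ) anchor.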