Restricting pods to access certain volume types

As part of the PodSecurityPolicy rules, you may want to limit the use of specific volume types. In this recipe, you will learn how to restrict the volume types that containers are allowed to use.

Let's perform the following steps to create a PodSecurityPolicy:

  1. Create a new restricted PodSecurityPolicy. This policy limits the allowed volume type to nfs only (the apiVersion line, which the PSP API requires, is included here):
$ cat <<EOF | kubectl apply -f -
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-vol-psp
spec:
  privileged: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - 'nfs'
EOF
  2. Verify the policy by deploying an application that requires persistent storage. Here, we will use the MinIO example from previous chapters. The deployment should fail with a message stating that persistentVolumeClaim volumes are not allowed to be used:
$ kubectl create -f https://raw.githubusercontent.com/k8sdevopscookbook/src/master/chapter6/minio/minio.yaml
  3. Delete both the PSP and the deployment:
$ kubectl delete psp restricted-vol-psp
$ kubectl delete -f https://raw.githubusercontent.com/k8sdevopscookbook/src/master/chapter6/minio/minio.yaml
  4. The recommended set of allowed volumes for new PSPs is configMap, downwardAPI, emptyDir, persistentVolumeClaim, secret, and projected. You can find the complete list of volume types by going to the Type of volumes supported link in the See also section. Create a new restricted PodSecurityPolicy using the following content. This policy limits the allowed volume type to persistentVolumeClaim only:
$ cat <<EOF | kubectl apply -f -
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: permit-pvc-psp
spec:
  privileged: false
  runAsUser:
    rule: RunAsAny
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - 'persistentVolumeClaim'
EOF
  5. Repeat Step 2 to deploy the application. This time, persistentVolumeClaim creation will be allowed and the PVC that was requested by the pod will be created.
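As an added example (not the book's code), the following Python script mimics the admission decision observed in this recipe: it derives each pod volume's type from the pod spec and checks it against the PSP's volumes whitelist, including the '*' wildcard that allows every type. The pod volume list and the two PSP summaries are constructed to match the recipe.

```python
# Added example: emulate the PodSecurityPolicy volume-type check that rejects
# the MinIO deployment under restricted-vol-psp but admits it under
# permit-pvc-psp. Not the book's code; the specs below are constructed.

# Constructed pod volume list, shaped like the MinIO pod template:
# one volume backed by a persistent volume claim.
MINIO_POD_VOLUMES = [
    {"name": "data", "persistentVolumeClaim": {"claimName": "minio-pv-claim"}},
]

# The two PSPs from the recipe, reduced to their 'volumes' whitelist.
RESTRICTED_VOL_PSP = {"name": "restricted-vol-psp", "volumes": ["nfs"]}
PERMIT_PVC_PSP = {"name": "permit-pvc-psp", "volumes": ["persistentVolumeClaim"]}


def volume_type(volume):
    """Return the type of a pod volume entry.

    In the pod API the type is the one key set besides 'name',
    e.g. {'name': 'data', 'persistentVolumeClaim': {...}}."""
    keys = [k for k in volume if k != "name"]
    if len(keys) != 1:
        raise ValueError(f"volume {volume.get('name')!r} must set exactly one source")
    return keys[0]


def check_volumes(psp, volumes):
    """Return the admission errors for `volumes` under `psp`.

    An empty list means the pod would be admitted. A PSP whose 'volumes'
    list contains '*' allows every type; otherwise only listed types pass."""
    allowed = set(psp.get("volumes", []))
    errors = []
    for vol in volumes:
        vtype = volume_type(vol)
        if "*" in allowed or vtype in allowed:
            continue
        # Same wording as the rejection seen in Step 2 of the recipe.
        errors.append(f"{vtype} volumes are not allowed to be used")
    return errors


if __name__ == "__main__":
    for psp in (RESTRICTED_VOL_PSP, PERMIT_PVC_PSP):
        errs = check_volumes(psp, MINIO_POD_VOLUMES)
        verdict = "admitted" if not errs else "rejected: " + "; ".join(errs)
        print(f"{psp['name']}: {verdict}")
```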