Add emptyDir sizeLimit
When a Pod requests an emptyDir volume, no size limit is applied by default, so the Pod may consume excess or all of the space in the medium backing the volume (the node's local ephemeral storage, or node memory when the medium is Memory). This can quickly fill a Node and result in a denial of service for other workloads scheduled there. This policy adds a sizeLimit field to every emptyDir volume in a Pod that does not already set one, and sets it to 100Mi. Note that the kubelet enforces sizeLimit by evicting the Pod once usage exceeds the limit rather than by refusing writes, and that the mutation happens at admission time: Pods that already exist are unchanged until they are recreated. Treat 100Mi as a starting point and tune it to the workloads in the cluster.
Policy Definition
/other/add_emptydir_sizelimit/add-emptydir-sizelimit.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-emptydir-sizelimit
  annotations:
    policies.kyverno.io/title: Add emptyDir sizeLimit
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kyverno-version: 1.7.3,1.8.0-rc2
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      When a Pod requests an emptyDir, by default it does not have a size limit which
      may allow it to consume excess or all of the space in the medium backing the volume.
      This can quickly overrun a Node and may result in a denial of service for other
      workloads. This policy adds a sizeLimit field to all Pods mounting emptyDir
      volumes, if not present, and sets it to 100Mi.
spec:
  rules:
  - name: mutate-emptydir
    match:
      any:
      - resources:
          kinds:
          - Pod
    mutate:
      # Iterate over every volume in the incoming Pod; elementIndex is the
      # position of the current volume, used to build the patch path below.
      foreach:
      - list: "request.object.spec.volumes[]"
        preconditions:
          all:
          # Only volumes that carry an emptyDir key are candidates.
          - key: "{{element.keys(@)}}"
            operator: AnyIn
            value: emptyDir
          # Skip volumes that already declare a sizeLimit.
          - key: "{{element.emptyDir.sizeLimit || ''}}"
            operator: Equals
            value: ''
        patchesJson6902: |-
          - path: "/spec/volumes/{{elementIndex}}/emptyDir/sizeLimit"
            op: add
            value: 100Mi
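To reason about what the rule above will and will not touch before deploying it, the following added example (written for this page, not code from the Kyverno project) replicates the foreach loop and both preconditions in plain Python and produces the same RFC 6902 patch list the policy emits. The Pod manifest is a constructed sample; the function names build_patches, apply_patches and the DEFAULT_SIZE_LIMIT constant are assumptions of this example. Standard library only, so it runs offline without PyYAML or a cluster.

```python
"""Offline replica of the add-emptydir-sizelimit mutation (added example, not Kyverno code)."""
import copy
import json

DEFAULT_SIZE_LIMIT = "100Mi"  # the value hard-coded in the policy's patch

# Constructed sample Pod covering the cases the preconditions distinguish:
# an empty emptyDir, a memory-backed one, one that already sets sizeLimit,
# and a non-emptyDir volume.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "scratch"},
    "spec": {
        "containers": [{"name": "app", "image": "busybox"}],
        "volumes": [
            {"name": "cache", "emptyDir": {}},
            {"name": "tmpfs", "emptyDir": {"medium": "Memory"}},
            {"name": "bounded", "emptyDir": {"sizeLimit": "1Gi"}},
            {"name": "config", "configMap": {"name": "app-config"}},
        ],
    },
}


def build_patches(pod: dict, size_limit: str = DEFAULT_SIZE_LIMIT) -> list:
    """Mirror the policy: foreach over spec.volumes[], apply both preconditions.

    A volume is patched when it has an `emptyDir` key (keys(@) AnyIn emptyDir)
    and `emptyDir.sizeLimit || ''` evaluates to '' (absent, null or empty).
    Returns the JSON Patch (RFC 6902) operations the policy would emit.
    """
    patches = []
    for index, volume in enumerate(pod.get("spec", {}).get("volumes") or []):
        if "emptyDir" not in volume:
            continue  # hostPath, configMap, PVC and friends are left alone
        empty_dir = volume.get("emptyDir") or {}
        if empty_dir.get("sizeLimit"):
            continue  # second precondition fails: sizeLimit already set
        patches.append({
            "path": f"/spec/volumes/{index}/emptyDir/sizeLimit",
            "op": "add",
            "value": size_limit,
        })
    return patches


def apply_patches(pod: dict, patches: list) -> dict:
    """Apply the `add` operations from build_patches to a copy of the Pod.

    Only the `add` op against a map is needed here; real tooling would use a
    full RFC 6902 engine. A null emptyDir (YAML `emptyDir:` with no value) is
    normalised to an empty map so the add has a container to land in.
    """
    mutated = copy.deepcopy(pod)
    for patch in patches:
        if patch["op"] != "add":
            raise ValueError(f"unsupported op {patch['op']!r}")
        parts = patch["path"].lstrip("/").split("/")
        node = mutated
        for part in parts[:-1]:
            if isinstance(node, list):
                node = node[int(part)]
            else:
                if node.get(part) is None:
                    node[part] = {}
                node = node[part]
        node[parts[-1]] = patch["value"]
    return mutated


def mutate(pod: dict, size_limit: str = DEFAULT_SIZE_LIMIT) -> dict:
    """Convenience wrapper: what the admission webhook would hand back."""
    return apply_patches(pod, build_patches(pod, size_limit))


if __name__ == "__main__":
    print(json.dumps(build_patches(SAMPLE_POD), indent=2))
    print(json.dumps(mutate(SAMPLE_POD)["spec"]["volumes"], indent=2))
```

Running the script shows patches only for the "cache" and "tmpfs" volumes; the volume that already carries sizeLimit: 1Gi and the configMap volume are untouched, and running build_patches over the mutated Pod yields no further patches, so the rule is idempotent. The same check against the real policy can be done with the Kyverno CLI (kyverno apply add-emptydir-sizelimit.yaml --resource pod.yaml) before the policy is installed in a cluster.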