Ensure only allowed FlexVolume Drivers are used in Kubernetes Cluster

Community Policy definition

Ensure only allowed FlexVolume Drivers are used in Kubernetes Cluster

{

displayName: "Ensure only allowed FlexVolume Drivers are used in Kubernetes Cluster",
policyType: "Custom",
mode: "Microsoft.Kubernetes.Data",
description: "This policy ensures only allowed FlexVolume Drivers are used in a Kubernetes cluster. For instructions on using this policy, please visit https://aka.ms/kubepolicydoc",
parameters: {3 items
- effect: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Effect",
    - description: "Enable or disable the execution of the policy"
    },
  - allowedValues: [3 items
    - "audit",
    - "deny",
    - "disabled"
    ],
  - defaultValue: "audit"
  },
- excludedNamespaces: {3 items
  - type: "Array",
  - metadata: {2 items
    - displayName: "Namespace exclusions",
    - description: "List of Kubernetes namespaces to exclude from policy evaluation. Providing a value for this parameter is optional."
    },
  - defaultValue: [3 items
    - "kube-system",
    - "gatekeeper-system",
    - "azure-arc"
    ]
  },
- allowedFlexVolumeDrivers: {3 items
  - type: "Array",
  - metadata: {2 items
    - displayName: "Allowed FlexVolume Drivers",
    - description: "List of FlexVolume Drivers that volumes are able to use. An empty list will block all FlexVolume drivers."
    },
  - defaultValue: []
  }
},
policyRule: {2 items
- if: {2 items
  - field: "type",
  - in: [3 items
    - "AKS Engine",
    - "Microsoft.Kubernetes/connectedClusters",
    - "Microsoft.ContainerService/managedClusters"
    ]
  },
- then: {2 items
  - effect: "[parameters('effect')]",
  - details: {3 items
    - constraintTemplate: "https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Kubernetes/flexvolume-drivers/template.yaml",
    - constraint: "https://raw.githubusercontent.com/Azure/Community-Policy/master/Policies/Kubernetes/flexvolume-drivers/constraint.yaml",
    - values: {2 items
      - excludedNamespaces: "[parameters('excludedNamespaces')]",
      - allowedFlexVolumeDrivers: "[parameters('allowedFlexVolumeDrivers')]"
      }
    }
  }
}

}