Allow ImageVolume for Restricted PSA profiles

Stop referring to ImageVolume as an unknown type during pod security admission validation.
Avoid restricting ImageVolume for the Restricted profile, as users who can create a pod
with a certain image should also be able to use ImageVolume with an image.

Signed-off-by: bmordeha <bmordeha@redhat.com>
bmordeha
2025-02-24 15:09:22 +02:00
parent 7bd0477a95
commit 059dee36f8
2 changed files with 3 additions and 0 deletions


@@ -36,6 +36,7 @@ limits usage of inline pod volume sources to:
* csi
* persistentVolumeClaim
* ephemeral
* image
**Restricted Fields:**
@@ -95,6 +96,7 @@ func restrictedVolumes_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSp
volume.DownwardAPI != nil,
volume.EmptyDir != nil,
volume.Ephemeral != nil,
volume.Image != nil,
volume.PersistentVolumeClaim != nil,
volume.Projected != nil,
volume.Secret != nil:
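Review bot: The relaxation is applied inside `restrictedVolumes_1_0` itself, so every policy version that delegates to this function now accepts `image` volumes; if this package's convention is that a change to the allowed volume set goes into a new `restrictedVolumes_1_<minor>` function wired to the version it first applies to, the new case should follow that rather than edit the 1.0 check (the registration of the check is not visible from here). The rationale given in the commit description — a user allowed to run a container image may also mount it as a volume — is not recorded anywhere in the code; a short comment on the new case, `volume.Image != nil, // image volumes carry the same trust as container images`, would keep it discoverable next to the decision. As with its siblings, the case admits the volume by field presence alone, so nothing here looks at the image reference or pull policy; that matches the scope of this check, but it is worth stating in the block comment that lists the allowed sources. The enclosing switch starts and ends outside the hunk.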


@@ -42,6 +42,7 @@ func TestRestrictedVolumes(t *testing.T) {
{Name: "a6", VolumeSource: corev1.VolumeSource{Projected: &corev1.ProjectedVolumeSource{}}},
{Name: "a7", VolumeSource: corev1.VolumeSource{CSI: &corev1.CSIVolumeSource{}}},
{Name: "a8", VolumeSource: corev1.VolumeSource{Ephemeral: &corev1.EphemeralVolumeSource{}}},
{Name: "a9", VolumeSource: corev1.VolumeSource{Image: &corev1.ImageVolumeSource{}}},
// known restricted types
{Name: "b1", VolumeSource: corev1.VolumeSource{HostPath: &corev1.HostPathVolumeSource{}}},