feat: mount-volumes-for-ephemeral-containers policy

other/mount-volumes-for-ephemeral-containers/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,55 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: mount-volumes-for-ephemeral-containers
+spec:
+  timeouts:
+    cleanup: 60s
+  steps:
+    - name: step-01
+      try:
+        - apply:
+            file: ../mount-volumes-for-ephemeral-containers.yaml
+        - assert:
+            file: policy-ready.yaml
+    - name: step-02
+      try:
+        - apply:
+            file: pods.yaml
+        - assert:
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: pod1
+                namespace: default
+                labels:
+                  ephemeral-debug: "true"
+              spec:
+                (volumes[?name == 'ephemeralcontainer-tmp-tcpdump-volume']):
+                  - emptyDir:
+                      sizeLimit: 1G
+    - name: step-03
+      try:
+        - script:
+            content: kubectl debug -it pod1 --image=busybox:1.35 --target=busybox --attach=false -c pod1-dbg
+    - name: step-04
+      try:
+        - assert:
+            resource:
+              apiVersion: v1
+              kind: Pod
+              metadata:
+                name: pod1
+                namespace: default
+                labels:
+                  ephemeral-debug: "true"
+              spec:
+                ephemeralContainers:
+                  - name: pod1-dbg
+                    securityContext:
+                      readOnlyRootFilesystem: true
+                    volumeMounts:
+                      - mountPath: /tmp
+                        name: ephemeralcontainer-tmp-tcpdump-volume

other/mount-volumes-for-ephemeral-containers/.chainsaw-test/pods.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod1
+  namespace: default
+  labels:
+    ephemeral-debug: "true"
+spec:
+  containers:
+    - name: busybox
+      image: busybox:1.35
+      command: ["sh", "-c", "while true; do sleep 3600; done"]

other/mount-volumes-for-ephemeral-containers/.chainsaw-test/policy-ready.yaml

@@ -0,0 +1,9 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: mount-volumes-for-ephemeral-containers
+status:
+  conditions:
+    - reason: Succeeded
+      status: "True"
+      type: Ready

other/mount-volumes-for-ephemeral-containers/artifacthub-pkg.yml

@@ -0,0 +1,19 @@
+name: mount-volumes-for-ephemeral-containers
+version: 1.0.0
+displayName: Mount volumes for ephemeral containers
+createdAt: "2025-01-22T00:00:00.000Z"
+description: >-
+  Mount volumes and set default security context for ephemeral containers
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/mount-volumes-for-ephemeral-containers/mount-volumes-for-ephemeral-containers.yaml
+keywords:
+  - kyverno
+  - other
+readme: |
+  This Kyverno policy adds a temporary volume to debug Pods, enforces read-only filesystems for ephemeral containers, and mounts the volume at /tmp.
+annotations:
+  kyverno/category: "Sample"
+  kyverno/kubernetesVersion: "1.23"
+  kyverno/subject: "Pod"
+digest: ff08e4dc69d074870c5cdb4d052967c7c0ef5668

other/mount-volumes-for-ephemeral-containers/mount-volumes-for-ephemeral-containers.yaml

@@ -0,0 +1,75 @@
+apiVersion : kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: mount-volumes-for-ephemeral-containers
+spec:
+  background: false
+  rules:
+    - name: add-volume-to-debug-pod
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+              namespaces:
+                - default
+              selector:
+                matchLabels:
+                  ephemeral-debug: "true"
+              operations:
+                - CREATE
+      mutate:
+        patchStrategicMerge:
+          spec:
+            volumes:
+              - name: ephemeralcontainer-tmp-tcpdump-volume
+                emptyDir:
+                  sizeLimit: 1G
+    - name: mutate-ephemeralcontainers-readonlyrootfilesystem
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+              namespaces:
+                - default
+      preconditions:
+        all:
+          - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
+            operator: GreaterThanOrEquals
+            value: 1
+      mutate:
+        foreach:
+          - list: "request.object.spec.ephemeralContainers[]"
+            patchStrategicMerge:
+              spec:
+                ephemeralContainers:
+                  - name: "{{ element.name }}"
+                    +(securityContext):
+                      +(readOnlyRootFilesystem): true
+    - name: add-volumemount
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+              namespaces:
+                - default
+      preconditions:
+        all:
+          - key: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
+            operator: GreaterThanOrEquals
+            value: 1
+          - key: "{{ request.object.spec.ephemeralContainers[].volumeMounts[?name=='ephemeralcontainer-tmp-tcpdump-volume'] | `[]` | length(@) }}"
+            operator: LessThan
+            value: "{{ request.object.spec.ephemeralContainers[] || `[]` | length(@) }}"
+      mutate:
+        foreach:
+          - list: "request.object.spec.ephemeralContainers"
+            patchStrategicMerge:
+              spec:
+                ephemeralContainers:
+                  - name: "{{ element.name }}"
+                    volumeMounts:
+                      - mountPath: /tmp
+                        name: ephemeralcontainer-tmp-tcpdump-volume