From 08234b9cb108ab0c442ba5f506c63c4ce18015a1 Mon Sep 17 00:00:00 2001
From: Joe Bowbeer
Date: Sun, 10 Dec 2023 17:00:54 -0800
Subject: [PATCH] fix: csi is an allowed volume type
Signed-off-by: Joe Bowbeer
---
 checks/kubernetes/pss/restricted/1_non_core_volume_types.rego | 3 +--
 .../pss/restricted/1_non_core_volume_types_test.rego | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego
index 1ca5c9ae..fa7b2cfd 100644
--- a/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego
+++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types.rego
@@ -51,7 +51,6 @@ disallowed_volume_types = [
 "portworxVolume",
 "scaleIO",
 "storageos",
- "csi",
 ]
 # getDisallowedVolumes returns a list of volume names
@@ -71,6 +70,6 @@ failVolumeTypes {
 deny[res] {
 failVolumeTypes
- msg := kubernetes.format(sprintf("%s '%s' should set 'spec.volumes[*]' to type 'PersistentVolumeClaim'", [kubernetes.kind, kubernetes.name]))
+ msg := kubernetes.format(sprintf("%s '%s' should set 'spec.volumes[*]' to an allowed volume type", [kubernetes.kind, kubernetes.name]))
 res := result.new(msg, input.spec)
 }
diff --git a/checks/kubernetes/pss/restricted/1_non_core_volume_types_test.rego b/checks/kubernetes/pss/restricted/1_non_core_volume_types_test.rego
index 2c29a510..616c117e 100644
--- a/checks/kubernetes/pss/restricted/1_non_core_volume_types_test.rego
+++ b/checks/kubernetes/pss/restricted/1_non_core_volume_types_test.rego
@@ -31,7 +31,7 @@ test_disallowed_volume_type_used_denied {
 }
 count(r) == 1
- r[_].msg == "Pod 'hello-volume-types' should set 'spec.volumes[*]' to type 'PersistentVolumeClaim'"
+ r[_].msg == "Pod 'hello-volume-types' should set 'spec.volumes[*]' to an allowed volume type"
 }
 test_no_volume_type_used_allowed {
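Review bot: The `disallowed_volume_types` list in 1_non_core_volume_types.rego (first hunk) carries no comment recording why `csi` is absent, so a later edit could re-add it as a "non-core" type. I would put a line above the list such as `# csi is intentionally not listed: the Pod Security Standards restricted profile permits it`. The list begins outside the hunk, so I cannot tell whether it already has a header comment. With the entry gone, the check accepts inline CSI volumes from any driver. Limiting which drivers may be used inline is a cluster-side control (for example `volumeLifecycleModes` on the CSIDriver object) that this check does not cover, which is worth stating in the check's description.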
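Review bot: The reworded message in `deny` (second hunk) asks for "an allowed volume type" but names neither the volume that failed nor the types that are allowed, so the finding is harder to act on than the old, narrower text. The comment in the first hunk says `getDisallowedVolumes` returns the offending volume names; if that holds (its body is outside the hunk), they could be appended, e.g. `msg := kubernetes.format(sprintf("%s '%s' should set 'spec.volumes[*]' to an allowed volume type (offending volumes: %v)", [kubernetes.kind, kubernetes.name, getDisallowedVolumes]))`. The expected string in 1_non_core_volume_types_test.rego would need the same change.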
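Review bot: The test file change (third hunk) only updates the expected message in `test_disallowed_volume_type_used_denied`; nothing asserts the behaviour this commit actually fixes, namely that a Pod with a `csi` volume is no longer denied. Without that test, re-adding `"csi"` to the list would not fail the suite. I would add a positive case next to `test_no_volume_type_used_allowed`. The sketch below assumes the `deny with input as {...}` shape of the existing tests, whose bodies are outside the hunk, and uses constructed sample values.

```rego
test_csi_volume_type_used_allowed {
	r := deny with input as {
		"apiVersion": "v1",
		"kind": "Pod",
		"metadata": {"name": "hello-volume-types"},
		"spec": {
			# … unchanged: containers as in the existing tests …
			"volumes": [{
				"name": "csi-volume",
				# constructed sample driver name
				"csi": {"driver": "example.csi.driver"},
			}],
		},
	}

	count(r) == 0
}
```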