Incorrect Volume Claim Access Mode ReadWriteOnce

YAML Configuration

rule.yaml YAML

apiVersion: rules.spotter.dev/v1alpha1
kind: SpotterRule
metadata:
  name: spotter-config-009
  labels:
    severity: "low"
    category: "config"
  annotations:
    rules.spotter.dev/title: "Incorrect Volume Claim Access Mode ReadWriteOnce"
    rules.spotter.dev/version: "1.0.0"
    rules.spotter.dev/cwe: "CWE-665"
    rules.spotter.dev/description: "PersistentVolumeClaims with `ReadWriteOnce` access mode can only be mounted by a single node. Ensure this is appropriate for your workload, especially in multi-replica deployments."
spec:
  match:
    resources:
      kubernetes:
        apiGroups: ["", "apps"]
        versions: ["v1"]
        kinds: ["PersistentVolumeClaim", "StatefulSet"]
        namespaces:
          include: ["*"]
          exclude: ["kube-system", "kube-public"]
        labels:
          exclude:
            rules.spotter.dev/ignore: ["true"]
  cel: |
    (object.kind == "PersistentVolumeClaim" && has(object.spec.accessModes) && object.spec.accessModes.exists(mode, mode == "ReadWriteOnce")) ||
    (object.kind == "StatefulSet" && has(object.spec.volumeClaimTemplates) && object.spec.volumeClaimTemplates.exists(vct, has(vct.spec.accessModes) && vct.spec.accessModes.exists(mode, mode == "ReadWriteOnce")))
  remediation:
    manual: "If shared access is required for multiple pods or nodes, consider using `ReadWriteMany` or `ReadOnlyMany` access modes for your PersistentVolumeClaim, if supported by your storage provisioner."
  references:
    - title: "Kubernetes Persistent Volumes"
      url: "https://kubernetes.io/docs/concepts/storage/persistent-volumes/"

Test Cases

test-cases.yaml YAML

- name: insecure sample 1 should fail
  pass: false
  input: |
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: web
    spec:
      selector:
        matchLabels:
          app: nginx # has to match .spec.template.metadata.labels
      serviceName: "nginx"
      replicas: 3 # by default is 1
      template:
        metadata:
          labels:
            app: nginx # has to match .spec.selector.matchLabels
        spec:
          terminationGracePeriodSeconds: 10
          containers:
          - name: nginx
            image: k8s.gcr.io/nginx-slim:0.8
            ports:
            - containerPort: 80
              name: web
            volumeMounts:
            - name: www
              mountPath: /usr/share/nginx/html
      volumeClaimTemplates:
      - metadata:
          name: www
        spec:
          accessModes: [ "ReadWriteMany" ]
          storageClassName: "my-storage-class"
          resources:
            requests:
              storage: 1Gi
      - metadata:
          name: aaa
        spec:
          accessModes: [ "ReadWriteMany" ]
          storageClassName: "my-storage-class"
          resources:
            requests:
              storage: 1Gi
- name: insecure sample 2 should fail 
  pass: false
  input: |
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: web2
    spec:
      selector:
        matchLabels:
          app: nginx # has to match .spec.template.metadata.labels
      serviceName: "nginx"
      replicas: 3 # by default is 1
      template:
        metadata:
          labels:
            app: nginx # has to match .spec.selector.matchLabels
        spec:
          terminationGracePeriodSeconds: 10
          containers:
          - name: nginx
            image: k8s.gcr.io/nginx-slim:0.8
            ports:
            - containerPort: 80
              name: web
            volumeMounts:
            - name: www
              mountPath: /usr/share/nginx/html
      volumeClaimTemplates:
      - metadata:
          name: www
        spec:
          accessModes: [ "ReadWrite" ]
          storageClassName: "my-storage-class"
          resources:
            requests:
              storage: 1Gi
      - metadata:
          name: aaa
        spec:
          accessModes: [ "ReadWrite" ]
          storageClassName: "my-storage-class"
          resources:
            requests:
              storage: 1Gi

- name: secure sample 1 should pass
  pass: true
  input: |
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: web
    spec:
      selector:
        matchLabels:
          app: nginx # has to match .spec.template.metadata.labels
      serviceName: "nginx"
      replicas: 3 # by default is 1
      template:
        metadata:
          labels:
            app: nginx # has to match .spec.selector.matchLabels
        spec:
          terminationGracePeriodSeconds: 10
          containers:
          - name: nginx
            image: k8s.gcr.io/nginx-slim:0.8
            ports:
            - containerPort: 80
              name: web
            volumeMounts:
            - name: www
              mountPath: /usr/share/nginx/html
      volumeClaimTemplates:
      - metadata:
          name: www
        spec:
          accessModes: [ "ReadWriteMany" ]
          storageClassName: "my-storage-class"
          resources:
            requests:
              storage: 1Gi

Validating Admission Policy

validating-admission-policy.yaml YAML

# VAP export for spotter-config-009
# Generated from Spotter rule
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: spotter-config-009
spec:
  # Add your VAP configuration here

Rule Metadata

Incorrect Volume Claim Access Mode ReadWriteOnce

YAML Configuration

Test Cases

Validating Admission Policy

Rule Metadata

Rule Information

Tags & Compliance

Compliance Standards

General Tags

Spotter Hub