PSP migration policy - Allowed Volume Types

[chipzoller]

From comment here, when 1.6.0 is released assuming support for kyverno/kyverno#2543 is available, this policy becomes possible:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-vols
spec:
  validationFailureAction: enforce
  background: false
  rules:
  - name: allowed-vols
    match:
      resources:
        kinds:
        - Pod
    preconditions:
      all:
      - key: "{{request.operation}}"
        operator: In
        value: 
        - CREATE
        - UPDATE
      - key: "{{ request.object.spec.volumes[].keys(@)[] | length(@) }}"
        operator: GreaterThan
        value: 0
    validate:
      message: "Only emptyDir and projected volumes are allowed."
      deny:
        conditions:
          all:
          - key: "{{ request.object.spec.volumes[].keys(@)[] }}"
            operator: AnyNotIn
            value:
            - name
            - projected
            - emptyDir

[chipzoller]

With the recent updates to the upstream Pod Security Standards, the control which previously was a deny list has been inverted into an allow list thereby covering this policy. PR #241 contains this file here. Since the request in this issue is now effectively the same as how this updated PSS policy is written, it doesn't make sense to duplicate the rule/policy.