fix: clarify template behavior in description

artifacthub/library/general/storageclass/1.1.2/README.md

@@ -0,0 +1,17 @@
+# StorageClass
+
+The `StorageClass` constraint blocks the creation of PVCs or StatefulSets
+where the specified storage class doesn't exist on the cluster, or that no
+storage class at all is specified.
+
+This policy helps prevent workloads from getting stuck indefinitely waiting
+for a storage class to provision the persistent storage that will never
+happen. This often causes users to get confused as to why their pods are stuck
+pending, and requires deleting the StatefulSet and any PVCs it has created along
+with redeploying the workload in order to fix. Blocking it up front makes it
+much easier to fix before there is a mess to clean up.
+
+Optionally accepts an `allowedStorageClasses` parameter to restrict PVCs and
+StatefulSets to a subset list of allowed storage classes.
+
+> Please note that this policy requires Gatekeeper v3.9.0 or later.

artifacthub/library/general/storageclass/1.1.2/artifacthub-pkg.yml

@@ -0,0 +1,22 @@
+version: 1.1.2
+name: k8sstorageclass
+displayName: Storage Class
+createdAt: "2023-11-06T20:56:52Z"
+description: Requires storage classes to be specified when used. Only Gatekeeper 3.9+ is supported.
+digest: 549bc0b8e3aea2c4410798d4f5357a3dbd2bd4225b580104b44fd4659b840b4d
+license: Apache-2.0
+homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/storageclass
+keywords:
+    - gatekeeper
+    - open-policy-agent
+    - policies
+readme: |-
+    # Storage Class
+    Requires storage classes to be specified when used. Only Gatekeeper 3.9+ is supported.
+install: |-
+    ### Usage
+    ```shell
+    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/storageclass/1.1.2/template.yaml
+    ```
+provider:
+    name: Gatekeeper Library

artifacthub/library/general/storageclass/1.1.2/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - template.yaml

artifacthub/library/general/storageclass/1.1.2/samples/storageclass-allowlist/constraint.yaml

@@ -0,0 +1,15 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sStorageClass
+metadata:
+  name: allowed-storageclass
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["PersistentVolumeClaim"]
+      - apiGroups: ["apps"]
+        kinds: ["StatefulSet"]
+  parameters:
+    includeStorageClassesInMessage: true
+    allowedStorageClasses:
+      - allowed-storage-class

artifacthub/library/general/storageclass/1.1.2/samples/storageclass-allowlist/example_allowed.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: allowed-storage-class-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 8Gi
+  storageClassName: allowed-storage-class

artifacthub/library/general/storageclass/1.1.2/samples/storageclass-allowlist/example_disallowed.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: disallowed-storage-class-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 8Gi
+  storageClassName: disallowed-storage-class

artifacthub/library/general/storageclass/1.1.2/samples/storageclass-allowlist/example_inventory_allowed_storageclass.yaml

@@ -0,0 +1,7 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: allowed-storage-class
+provisioner: foo
+parameters:
+allowVolumeExpansion: true

artifacthub/library/general/storageclass/1.1.2/samples/storageclass/constraint.yaml

@@ -0,0 +1,13 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sStorageClass
+metadata:
+  name: storageclass
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["PersistentVolumeClaim"]
+      - apiGroups: ["apps"]
+        kinds: ["StatefulSet"]
+  parameters:
+    includeStorageClassesInMessage: true

artifacthub/library/general/storageclass/1.1.2/samples/storageclass/example_allowed_pvc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: ok
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 8Gi
+  storageClassName: somestorageclass

artifacthub/library/general/storageclass/1.1.2/samples/storageclass/example_allowed_ss.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: volumeclaimstorageclass
+spec:
+  selector:
+    matchLabels:
+      app: volumeclaimstorageclass
+  serviceName: volumeclaimstorageclass
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: volumeclaimstorageclass
+    spec:
+      containers:
+      - name: main
+        image: registry.k8s.io/nginx-slim:0.8
+        volumeMounts:
+        - name: data
+          mountPath: /usr/share/nginx/html
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      storageClassName: "somestorageclass"
+      resources:
+        requests:
+          storage: 1Gi

artifacthub/library/general/storageclass/1.1.2/samples/storageclass/example_disallowed_pvc_badname.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: badstorageclass
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 8Gi
+  storageClassName: badstorageclass

artifacthub/library/general/storageclass/1.1.2/samples/storageclass/example_disallowed_pvc_nonamename.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nostorageclass
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 8Gi

artifacthub/library/general/storageclass/1.1.2/samples/storageclass/example_disallowed_ssvct_badnamename.yaml

@@ -0,0 +1,30 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: badvolumeclaimstorageclass
+spec:
+  selector:
+    matchLabels:
+      app: badvolumeclaimstorageclass
+  serviceName: badvolumeclaimstorageclass
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: badvolumeclaimstorageclass
+    spec:
+      containers:
+      - name: main
+        image: registry.k8s.io/nginx-slim:0.8
+        volumeMounts:
+        - name: data
+          mountPath: /usr/share/nginx/html
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      storageClassName: "badstorageclass"
+      resources:
+        requests:
+          storage: 1Gi

artifacthub/library/general/storageclass/1.1.2/samples/storageclass/example_disallowed_ssvct_nonamename.yaml

@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: novolumeclaimstorageclass
+spec:
+  selector:
+    matchLabels:
+      app: novolumeclaimstorageclass
+  serviceName: novolumeclaimstorageclass
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: novolumeclaimstorageclass
+    spec:
+      containers:
+      - name: main
+        image: registry.k8s.io/nginx-slim:0.8
+        volumeMounts:
+        - name: data
+          mountPath: /usr/share/nginx/html
+  volumeClaimTemplates:
+  - metadata:
+      name: data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 1Gi

artifacthub/library/general/storageclass/1.1.2/samples/storageclass/example_inventory_allowed_storageclass.yaml

@@ -0,0 +1,7 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: somestorageclass
+provisioner: foo
+parameters:
+allowVolumeExpansion: true

artifacthub/library/general/storageclass/1.1.2/suite.yaml

@@ -0,0 +1,53 @@
+kind: Suite
+apiVersion: test.gatekeeper.sh/v1alpha1
+metadata:
+  name: storageclass
+tests:
+- name: storageclass
+  template: template.yaml
+  constraint: samples/storageclass/constraint.yaml
+  cases:
+  - name: example-allowed-pvc
+    object: samples/storageclass/example_allowed_pvc.yaml
+    inventory:
+    - samples/storageclass/example_inventory_allowed_storageclass.yaml
+    assertions:
+    - violations: no
+  - name: example-allowed-ss
+    object: samples/storageclass/example_allowed_ss.yaml
+    inventory:
+    - samples/storageclass/example_inventory_allowed_storageclass.yaml
+    assertions:
+    - violations: no
+  - name: example-disallowed-pvc-badname
+    object: samples/storageclass/example_disallowed_pvc_badname.yaml
+    assertions:
+    - violations: yes
+  - name: example-disallowed-ssvct-badnamename
+    object: samples/storageclass/example_disallowed_ssvct_badnamename.yaml
+    assertions:
+    - violations: yes
+  - name: example-disallowed-pvc-nonamename
+    object: samples/storageclass/example_disallowed_pvc_nonamename.yaml
+    assertions:
+    - violations: yes
+  - name: example-disallowed-ssvct-nonamename
+    object: samples/storageclass/example_disallowed_ssvct_nonamename.yaml
+    assertions:
+    - violations: yes
+- name: storageclass-allowlist
+  template: template.yaml
+  constraint: samples/storageclass-allowlist/constraint.yaml
+  cases:
+  - name: allowed-storage-class-pvc
+    object: samples/storageclass-allowlist/example_allowed.yaml
+    inventory:
+    - samples/storageclass-allowlist/example_inventory_allowed_storageclass.yaml
+    assertions:
+    - violations: no
+  - name: disallowed-storage-class-pvc
+    object: samples/storageclass-allowlist/example_disallowed.yaml
+    inventory:
+    - samples/storageclass-allowlist/example_inventory_allowed_storageclass.yaml
+    assertions:
+    - violations: yes

artifacthub/library/general/storageclass/1.1.2/sync.yaml

@@ -0,0 +1,11 @@
+apiVersion: config.gatekeeper.sh/v1alpha1
+kind: Config
+metadata:
+  name: config
+  namespace: "gatekeeper-system"
+spec:
+  sync:
+    syncOnly:
+      - group: "storage.k8s.io"
+        version: "v1"
+        kind: "StorageClass"