Restrict StorageClass in CEL expressions

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: restrict-storageclass
 5  annotations:
 6    policies.kyverno.io/title: Restrict StorageClass in CEL expressions
 7    policies.kyverno.io/category: Other, Multi-Tenancy in CEL 
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: StorageClass
10    kyverno.io/kyverno-version: 1.11.0
11    kyverno.io/kubernetes-version: "1.26-1.27"
12    policies.kyverno.io/description: >-
13      StorageClasses allow description of custom "classes" of storage offered
14      by the cluster, based on quality-of-service levels, backup policies, or
15      custom policies determined by the cluster administrators. For shared StorageClasses
16      in a multi-tenancy environment, a reclaimPolicy of `Delete` should be used to ensure
17      a PersistentVolume cannot be reused across Namespaces. This policy requires
18      StorageClasses set a reclaimPolicy of `Delete`.
19spec:
20  validationFailureAction: Audit
21  background: true
22  rules:
23  - name: storageclass-delete
24    match:
25      any:
26      - resources:
27          kinds:
28          - StorageClass
29          operations:
30          - CREATE
31          - UPDATE
32    validate:
33      cel:
34        expressions:
35          - expression: "object.reclaimPolicy == 'Delete'"
36            message: "StorageClass must define a reclaimPolicy of Delete."