Kubernetes StatefulSets must include exactly one volume claim template with the access mode ReadWriteOnce. The rule flags StatefulSets that either do not include any spec.volumeClaimTemplates with accessModes containing ReadWriteOnce (issue type: MissingAttribute) or include more than one such template (issue type: IncorrectValue). The check inspects each entry in spec.volumeClaimTemplates[].spec.accessModes to determine the presence of ReadWriteOnce.
Compliant Code Examples
```yaml
# this code is a correct code for which the query should not find any result
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: ["ReadWriteOnce"]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi
```
Non-Compliant Code Examples
```yaml
# this is a problematic code where the query should report a result(s)
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: ["ReadWriteOnce"]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi
  - metadata:
      name: aaa
    spec:
      accessModes: ["ReadWriteOnce"]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: web2
spec:
  selector:
    matchLabels:
      app: nginx # has to match .spec.template.metadata.labels
  serviceName: "nginx"
  replicas: 3 # by default is 1
  template:
    metadata:
      labels:
        app: nginx # has to match .spec.selector.matchLabels
    spec:
      terminationGracePeriodSeconds: 10
      containers:
      - name: nginx
        image: k8s.gcr.io/nginx-slim:0.8
        ports:
        - containerPort: 80
          name: web
        volumeMounts:
        - name: www
          mountPath: /usr/share/nginx/html
  volumeClaimTemplates:
  - metadata:
      name: www
    spec:
      accessModes: ["ReadWrite"]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi
  - metadata:
      name: aaa
    spec:
      accessModes: ["ReadWrite"]
      storageClassName: "my-storage-class"
      resources:
        requests:
          storage: 1Gi
```
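The counting logic the rule description states, as an added Python example (not Datadog's rule implementation): it counts the `volumeClaimTemplates` entries whose `accessModes` contain `ReadWriteOnce` and maps zero or more than one to the two issue types. The function names and the sample manifests are constructed for illustration, with manifests given as already-parsed dicts so the block runs without a YAML library.

```python
# Added example: standalone re-implementation of the rule's counting logic.
# Not Datadog's rule code; function names and sample manifests are constructed.
RWO = "ReadWriteOnce"

def check_statefulset(doc):
    """Return [(name, issue_type)] for one parsed manifest (a dict)."""
    if not isinstance(doc, dict) or doc.get("kind") != "StatefulSet":
        return []  # the rule only applies to StatefulSets
    name = (doc.get("metadata") or {}).get("name", "<unnamed>")
    templates = (doc.get("spec") or {}).get("volumeClaimTemplates") or []
    # Count templates whose spec.accessModes contains ReadWriteOnce.
    rwo = sum(
        1 for t in templates
        if RWO in (((t or {}).get("spec") or {}).get("accessModes") or [])
    )
    if rwo == 0:
        return [(name, "MissingAttribute")]
    if rwo > 1:
        return [(name, "IncorrectValue")]
    return []

def scan(docs):
    """Run the check over every document of a multi-document manifest."""
    return [finding for d in docs for finding in check_statefulset(d)]

def sts(name, *access_mode_lists):
    """Build a minimal constructed StatefulSet, one claim template per list."""
    return {
        "apiVersion": "apps/v1", "kind": "StatefulSet",
        "metadata": {"name": name},
        "spec": {"volumeClaimTemplates": [
            {"metadata": {"name": f"vol{i}"}, "spec": {"accessModes": modes}}
            for i, modes in enumerate(access_mode_lists)
        ]},
    }

SAMPLES = [  # constructed, modelled on the page's examples
    sts("one-rwo", ["ReadWriteOnce"]),
    sts("two-rwo", ["ReadWriteOnce"], ["ReadWriteOnce"]),
    sts("no-rwo-mode", ["ReadWrite"], ["ReadWrite"]),
    sts("mixed", ["ReadWriteOnce", "ReadOnlyMany"], ["ReadOnlyMany"]),
    {"kind": "StatefulSet", "metadata": {"name": "no-templates"}, "spec": {}},
    {"kind": "Deployment", "metadata": {"name": "ignored"}, "spec": {}},
]

if __name__ == "__main__":
    for name, issue in scan(SAMPLES):
        print(f"{name}: {issue}")
```

The `mixed` sample passes because only one of its two templates lists `ReadWriteOnce`; the rule counts matching templates, not templates overall.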
```yaml
rulesets:
  - Kubernetes # Rules to enforce .
```