--- title: StatefulSet requests storage description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > StatefulSet requests storage --- # StatefulSet requests storage {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `fcc2612a-1dfe-46e4-8ce6-0320959f0040` **Cloud Provider:** Kubernetes **Platform:** Terraform **Severity:** Low **Category:** Build Process #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/stateful_set#volume_claim_template) ### Description{% #description %} A `kubernetes_stateful_set` can declare a PersistentVolumeClaim template to request storage. The `spec.volume_claim_template.spec.resources.requests.storage` field should not be set; if present it is flagged. When flagged, the rule records `documentId`, `resourceType`, `resourceName`, and `searchKey`, and reports an `IncorrectValue` using `keyActualValue` and `keyExpectedValue`. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "kubernetes_stateful_set" "prometheus" { metadata { annotations = { SomeAnnotation = "foobar" } labels = { k8s-app = "prometheus" "kubernetes.io/cluster-service" = "true" "addonmanager.kubernetes.io/mode" = "Reconcile" version = "v2.2.1" } name = "prometheus" } spec { pod_management_policy = "Parallel" replicas = 1 revision_history_limit = 5 selector { match_labels = { k8s-app = "prometheus" } } service_name = "prometheus" template { metadata { labels = { k8s-app = "prometheus" } annotations = {} } spec { service_account_name = "prometheus" init_container { name = "init-chown-data" image = "busybox:latest" image_pull_policy = "IfNotPresent" command = ["chown", "-R", "65534:65534", "/data"] volume_mount { name = "prometheus-data" mount_path = "/data" sub_path = "" } } container { name = "prometheus-server-configmap-reload" image = "jimmidyson/configmap-reload:v0.1" image_pull_policy = "IfNotPresent" args = [ "--volume-dir=/etc/config", "--webhook-url=http://localhost:9090/-/reload", ] volume_mount { name = "config-volume" mount_path = "/etc/config" read_only = true } resources { limits = { cpu = "10m" memory = "10Mi" } requests = { cpu = "10m" memory = "10Mi" } } } container { name = "prometheus-server" image = "prom/prometheus:v2.2.1" image_pull_policy = "IfNotPresent" args = [ "--config.file=/etc/config/prometheus.yml", "--storage.tsdb.path=/data", "--web.console.libraries=/etc/prometheus/console_libraries", "--web.console.templates=/etc/prometheus/consoles", "--web.enable-lifecycle", ] port { container_port = 9090 } resources { limits = { cpu = "200m" memory = "1000Mi" } requests = { cpu = "200m" memory = "1000Mi" } } volume_mount { name = "config-volume" mount_path = "/etc/config" } volume_mount { name = "prometheus-data" mount_path = "/data" sub_path = "" } readiness_probe { http_get { path = "/-/ready" port = 9090 } initial_delay_seconds = 30 timeout_seconds = 30 } liveness_probe { http_get { path = "/-/healthy" port = 9090 scheme = "HTTPS" } initial_delay_seconds = 30 timeout_seconds = 30 } } termination_grace_period_seconds = 300 volume { name = "config-volume" config_map { name = "prometheus-config" } } } } update_strategy { type = "RollingUpdate" rolling_update { partition = 1 } } volume_claim_template { metadata { name = "prometheus-data" } spec { access_modes = ["ReadWriteOnce"] storage_class_name = "standard" resources { requests = { cpu = "10m" } } } } } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "kubernetes_stateful_set" "prometheus" { metadata { annotations = { SomeAnnotation = "foobar" } labels = { k8s-app = "prometheus" "kubernetes.io/cluster-service" = "true" "addonmanager.kubernetes.io/mode" = "Reconcile" version = "v2.2.1" } name = "prometheus" } spec { pod_management_policy = "Parallel" replicas = 1 revision_history_limit = 5 selector { match_labels = { k8s-app = "prometheus" } } service_name = "prometheus" template { metadata { labels = { k8s-app = "prometheus" } annotations = {} } spec { service_account_name = "prometheus" init_container { name = "init-chown-data" image = "busybox:latest" image_pull_policy = "IfNotPresent" command = ["chown", "-R", "65534:65534", "/data"] volume_mount { name = "prometheus-data" mount_path = "/data" sub_path = "" } } container { name = "prometheus-server-configmap-reload" image = "jimmidyson/configmap-reload:v0.1" image_pull_policy = "IfNotPresent" args = [ "--volume-dir=/etc/config", "--webhook-url=http://localhost:9090/-/reload", ] volume_mount { name = "config-volume" mount_path = "/etc/config" read_only = true } resources { limits = { cpu = "10m" memory = "10Mi" } requests = { cpu = "10m" memory = "10Mi" } } } container { name = "prometheus-server" image = "prom/prometheus:v2.2.1" image_pull_policy = "IfNotPresent" args = [ "--config.file=/etc/config/prometheus.yml", "--storage.tsdb.path=/data", "--web.console.libraries=/etc/prometheus/console_libraries", "--web.console.templates=/etc/prometheus/consoles", "--web.enable-lifecycle", ] port { container_port = 9090 } resources { limits = { cpu = "200m" memory = "1000Mi" } requests = { cpu = "200m" memory = "1000Mi" } } volume_mount { name = "config-volume" mount_path = "/etc/config" } volume_mount { name = "prometheus-data" mount_path = "/data" sub_path = "" } readiness_probe { http_get { path = "/-/ready" port = 9090 } initial_delay_seconds = 30 timeout_seconds = 30 } liveness_probe { http_get { path = "/-/healthy" port = 9090 scheme = "HTTPS" } initial_delay_seconds = 30 timeout_seconds = 30 } } termination_grace_period_seconds = 300 volume { name = "config-volume" config_map { name = "prometheus-config" } } } } update_strategy { type = "RollingUpdate" rolling_update { partition = 1 } } volume_claim_template { metadata { name = "prometheus-data" } spec { access_modes = ["ReadWriteOnce"] storage_class_name = "standard" resources { requests = { storage = "16Gi" } } } } } } ```