Incorrect Volume Claim Access Mode ReadWriteOnce

  • Query id: 26b047a9-0329-48fd-8fb7-05bbe5ba80ee
  • Query name: Incorrect Volume Claim Access Mode ReadWriteOnce
  • Platform: Terraform
  • Severity: Medium
  • Category: Build Process
  • URL: Github


Kubernetes Stateful Sets must have exactly one Volume Claim template with the access mode 'ReadWriteOnce'

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
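# Positive sample 1a: the StatefulSet declares TWO volume_claim_template blocks
# that both request "ReadWriteOnce". The query is satisfied only by a single
# ReadWriteOnce claim template, so this resource is reported.
# Closing braces were missing from the extracted sample and have been restored.
resource "kubernetes_stateful_set" "prometheus-1" {
  metadata {
    annotations = {
      SomeAnnotation = "foobar"
    }

    labels = {
      # NOTE(review): the two quoted label keys were blank ("") in the extracted
      # sample, which is invalid HCL (duplicate map keys). They are restored from
      # the upstream provider example the sample is derived from — confirm.
      k8s-app                           = "prometheus"
      "kubernetes.io/cluster-service"   = "true"
      "addonmanager.kubernetes.io/mode" = "Reconcile"
      version                           = "v2.2.1"
    }

    name = "prometheus"
  }

  spec {
    pod_management_policy  = "Parallel"
    replicas               = 1
    revision_history_limit = 5

    selector {
      match_labels = {
        k8s-app = "prometheus"
      }
    }

    service_name = "prometheus"

    template {
      metadata {
        labels = {
          k8s-app = "prometheus"
        }

        annotations = {}
      }

      spec {
        service_account_name = "prometheus"

        # Fixes ownership of the data volume before the main container starts;
        # 65534 is the conventional "nobody" uid/gid.
        init_container {
          name              = "init-chown-data"
          image             = "busybox:latest"
          image_pull_policy = "IfNotPresent"
          command           = ["chown", "-R", "65534:65534", "/data"]

          volume_mount {
            name       = "prometheus-data"
            mount_path = "/data"
            sub_path   = ""
          }
        }

        container {
          name              = "prometheus-server-configmap-reload"
          image             = "jimmidyson/configmap-reload:v0.1"
          image_pull_policy = "IfNotPresent"

          # NOTE(review): the argument list did not survive extraction; restore
          # the entries from the source file before reusing this sample.
          args = []

          volume_mount {
            name       = "config-volume"
            mount_path = "/etc/config"
            read_only  = true
          }

          resources {
            limits = {
              cpu    = "10m"
              memory = "10Mi"
            }

            requests = {
              cpu    = "10m"
              memory = "10Mi"
            }
          }
        }

        container {
          name              = "prometheus-server"
          image             = "prom/prometheus:v2.2.1"
          image_pull_policy = "IfNotPresent"

          # NOTE(review): the argument list did not survive extraction; restore
          # the entries from the source file before reusing this sample.
          args = []

          port {
            container_port = 9090
          }

          resources {
            limits = {
              cpu    = "200m"
              memory = "1000Mi"
            }

            requests = {
              cpu    = "200m"
              memory = "1000Mi"
            }
          }

          volume_mount {
            name       = "config-volume"
            mount_path = "/etc/config"
          }

          volume_mount {
            name       = "prometheus-data"
            mount_path = "/data"
            sub_path   = ""
          }

          readiness_probe {
            http_get {
              path = "/-/ready"
              port = 9090
            }

            initial_delay_seconds = 30
            timeout_seconds       = 30
          }

          # The liveness probe uses scheme = "HTTPS" while the readiness probe on
          # the same port uses the default scheme; the sample does not show TLS
          # configured for Prometheus, so the two probes may disagree at runtime.
          liveness_probe {
            http_get {
              path   = "/-/healthy"
              port   = 9090
              scheme = "HTTPS"
            }

            initial_delay_seconds = 30
            timeout_seconds       = 30
          }
        }

        termination_grace_period_seconds = 300

        volume {
          name = "config-volume"

          config_map {
            name = "prometheus-config"
          }
        }
      }
    }

    update_strategy {
      type = "RollingUpdate"

      rolling_update {
        partition = 1
      }
    }

    # First ReadWriteOnce claim template.
    volume_claim_template {
      metadata {
        name = "prometheus-data-1"
      }

      spec {
        access_modes       = ["ReadWriteOnce"]
        storage_class_name = "standard"

        resources {
          requests = {
            storage = "16Gi"
          }
        }
      }
    }

    # Second ReadWriteOnce claim template — this duplicate is what the query flags.
    volume_claim_template {
      metadata {
        name = "prometheus-data-2"
      }

      spec {
        access_modes       = ["ReadWriteOnce"]
        storage_class_name = "standard"

        resources {
          requests = {
            storage = "16Gi"
          }
        }
      }
    }
  }
}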

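# Positive sample 1b: the only volume_claim_template requests "ReadWrite",
# which is not a Kubernetes access mode (valid values are ReadWriteOnce,
# ReadOnlyMany, ReadWriteMany and ReadWriteOncePod), so no ReadWriteOnce
# claim template exists and the resource is reported.
# Closing braces were missing from the extracted sample and have been restored.
resource "kubernetes_stateful_set" "prometheus-2" {
  metadata {
    annotations = {
      SomeAnnotation = "foobar"
    }

    labels = {
      # NOTE(review): the two quoted label keys were blank ("") in the extracted
      # sample, which is invalid HCL (duplicate map keys). They are restored from
      # the upstream provider example the sample is derived from — confirm.
      k8s-app                           = "prometheus"
      "kubernetes.io/cluster-service"   = "true"
      "addonmanager.kubernetes.io/mode" = "Reconcile"
      version                           = "v2.2.1"
    }

    name = "prometheus"
  }

  spec {
    pod_management_policy  = "Parallel"
    replicas               = 1
    revision_history_limit = 5

    selector {
      match_labels = {
        k8s-app = "prometheus"
      }
    }

    service_name = "prometheus"

    template {
      metadata {
        labels = {
          k8s-app = "prometheus"
        }

        annotations = {}
      }

      spec {
        service_account_name = "prometheus"

        # Fixes ownership of the data volume before the main container starts;
        # 65534 is the conventional "nobody" uid/gid.
        init_container {
          name              = "init-chown-data"
          image             = "busybox:latest"
          image_pull_policy = "IfNotPresent"
          command           = ["chown", "-R", "65534:65534", "/data"]

          volume_mount {
            name       = "prometheus-data"
            mount_path = "/data"
            sub_path   = ""
          }
        }

        container {
          name              = "prometheus-server-configmap-reload"
          image             = "jimmidyson/configmap-reload:v0.1"
          image_pull_policy = "IfNotPresent"

          # NOTE(review): the argument list did not survive extraction; restore
          # the entries from the source file before reusing this sample.
          args = []

          volume_mount {
            name       = "config-volume"
            mount_path = "/etc/config"
            read_only  = true
          }

          resources {
            limits = {
              cpu    = "10m"
              memory = "10Mi"
            }

            requests = {
              cpu    = "10m"
              memory = "10Mi"
            }
          }
        }

        container {
          name              = "prometheus-server"
          image             = "prom/prometheus:v2.2.1"
          image_pull_policy = "IfNotPresent"

          # NOTE(review): the argument list did not survive extraction; restore
          # the entries from the source file before reusing this sample.
          args = []

          port {
            container_port = 9090
          }

          resources {
            limits = {
              cpu    = "200m"
              memory = "1000Mi"
            }

            requests = {
              cpu    = "200m"
              memory = "1000Mi"
            }
          }

          volume_mount {
            name       = "config-volume"
            mount_path = "/etc/config"
          }

          volume_mount {
            name       = "prometheus-data"
            mount_path = "/data"
            sub_path   = ""
          }

          readiness_probe {
            http_get {
              path = "/-/ready"
              port = 9090
            }

            initial_delay_seconds = 30
            timeout_seconds       = 30
          }

          # The liveness probe uses scheme = "HTTPS" while the readiness probe on
          # the same port uses the default scheme; the sample does not show TLS
          # configured for Prometheus, so the two probes may disagree at runtime.
          liveness_probe {
            http_get {
              path   = "/-/healthy"
              port   = 9090
              scheme = "HTTPS"
            }

            initial_delay_seconds = 30
            timeout_seconds       = 30
          }
        }

        termination_grace_period_seconds = 300

        volume {
          name = "config-volume"

          config_map {
            name = "prometheus-config"
          }
        }
      }
    }

    update_strategy {
      type = "RollingUpdate"

      rolling_update {
        partition = 1
      }
    }

    # Sole claim template; "ReadWrite" is not a recognised access mode, so no
    # ReadWriteOnce template is present.
    volume_claim_template {
      metadata {
        name = "prometheus-data-1"
      }

      spec {
        access_modes       = ["ReadWrite"]
        storage_class_name = "standard"

        resources {
          requests = {
            storage = "16Gi"
          }
        }
      }
    }
  }
}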

Code samples without security vulnerabilities

Negative test num. 1 - tf file
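# Negative sample 1: exactly one volume_claim_template requests "ReadWriteOnce",
# which is what the query accepts. The second template uses "ReadWrite" (not a
# Kubernetes access mode) and therefore does not count as another ReadWriteOnce
# template; it exists only to show that the check counts ReadWriteOnce claims.
# Closing braces were missing from the extracted sample and have been restored.
resource "kubernetes_stateful_set" "prometheus" {
  metadata {
    annotations = {
      SomeAnnotation = "foobar"
    }

    labels = {
      # NOTE(review): the two quoted label keys were blank ("") in the extracted
      # sample, which is invalid HCL (duplicate map keys). They are restored from
      # the upstream provider example the sample is derived from — confirm.
      k8s-app                           = "prometheus"
      "kubernetes.io/cluster-service"   = "true"
      "addonmanager.kubernetes.io/mode" = "Reconcile"
      version                           = "v2.2.1"
    }

    name = "prometheus"
  }

  spec {
    pod_management_policy  = "Parallel"
    replicas               = 1
    revision_history_limit = 5

    selector {
      match_labels = {
        k8s-app = "prometheus"
      }
    }

    service_name = "prometheus"

    template {
      metadata {
        labels = {
          k8s-app = "prometheus"
        }

        annotations = {}
      }

      spec {
        service_account_name = "prometheus"

        # Fixes ownership of the data volume before the main container starts;
        # 65534 is the conventional "nobody" uid/gid.
        init_container {
          name              = "init-chown-data"
          image             = "busybox:latest"
          image_pull_policy = "IfNotPresent"
          command           = ["chown", "-R", "65534:65534", "/data"]

          volume_mount {
            name       = "prometheus-data"
            mount_path = "/data"
            sub_path   = ""
          }
        }

        container {
          name              = "prometheus-server-configmap-reload"
          image             = "jimmidyson/configmap-reload:v0.1"
          image_pull_policy = "IfNotPresent"

          # NOTE(review): the argument list did not survive extraction; restore
          # the entries from the source file before reusing this sample.
          args = []

          volume_mount {
            name       = "config-volume"
            mount_path = "/etc/config"
            read_only  = true
          }

          resources {
            limits = {
              cpu    = "10m"
              memory = "10Mi"
            }

            requests = {
              cpu    = "10m"
              memory = "10Mi"
            }
          }
        }

        container {
          name              = "prometheus-server"
          image             = "prom/prometheus:v2.2.1"
          image_pull_policy = "IfNotPresent"

          # NOTE(review): the argument list did not survive extraction; restore
          # the entries from the source file before reusing this sample.
          args = []

          port {
            container_port = 9090
          }

          resources {
            limits = {
              cpu    = "200m"
              memory = "1000Mi"
            }

            requests = {
              cpu    = "200m"
              memory = "1000Mi"
            }
          }

          volume_mount {
            name       = "config-volume"
            mount_path = "/etc/config"
          }

          volume_mount {
            name       = "prometheus-data"
            mount_path = "/data"
            sub_path   = ""
          }

          readiness_probe {
            http_get {
              path = "/-/ready"
              port = 9090
            }

            initial_delay_seconds = 30
            timeout_seconds       = 30
          }

          # The liveness probe uses scheme = "HTTPS" while the readiness probe on
          # the same port uses the default scheme; the sample does not show TLS
          # configured for Prometheus, so the two probes may disagree at runtime.
          liveness_probe {
            http_get {
              path   = "/-/healthy"
              port   = 9090
              scheme = "HTTPS"
            }

            initial_delay_seconds = 30
            timeout_seconds       = 30
          }
        }

        termination_grace_period_seconds = 300

        volume {
          name = "config-volume"

          config_map {
            name = "prometheus-config"
          }
        }
      }
    }

    update_strategy {
      type = "RollingUpdate"

      rolling_update {
        partition = 1
      }
    }

    # The single ReadWriteOnce claim template the query requires.
    volume_claim_template {
      metadata {
        name = "prometheus-data-1"
      }

      spec {
        access_modes       = ["ReadWriteOnce"]
        storage_class_name = "standard"

        resources {
          requests = {
            storage = "16Gi"
          }
        }
      }
    }

    # Not a ReadWriteOnce template: "ReadWrite" is not a recognised access mode.
    volume_claim_template {
      metadata {
        name = "prometheus-data-2"
      }

      spec {
        access_modes       = ["ReadWrite"]
        storage_class_name = "standard"

        resources {
          requests = {
            storage = "16Gi"
          }
        }
      }
    }
  }
}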