Allowed Pod Priorities
A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. In a cluster where not all users are trusted, a malicious user could create Pods at the highest possible priorities, causing other Pods to be evicted or never scheduled. This policy checks the `priorityClassName` defined in a Pod spec against a dictionary of allowable PriorityClasses for the given Namespace, stored in a ConfigMap. If the `priorityClassName` is not among them, the Pod is blocked.
Policy Definition
/other/allowed_pod_priorities.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: allowed-podpriorities
  annotations:
    policies.kyverno.io/title: Allowed Pod Priorities
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.3.0
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others.
      In certain cases where not all users in a cluster are trusted, a malicious user could create Pods
      at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy
      checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable
      PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not
      among them, the Pod is blocked.
spec:
  validationFailureAction: audit
  background: false
  rules:
  - name: validate-pod-priority
    context:
    - name: podprioritydict
      configMap:
        name: allowed-pod-priorities
        namespace: default
    match:
      resources:
        kinds:
        - Deployment
        - DaemonSet
        - StatefulSet
        - Job
    validate:
      message: >-
        The Pod PriorityClass {{ request.object.spec.template.spec.priorityClassName }} is not in the list
        of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data.{{request.object.metadata.namespace}} }}.
      deny:
        conditions:
        - key: "{{ request.object.spec.template.spec.priorityClassName }}"
          operator: NotIn
          value: "{{ podprioritydict.data.{{request.object.metadata.namespace}} }}"
  - name: validate-pod-priority-pods
    context:
    - name: podprioritydict
      configMap:
        name: allowed-pod-priorities
        namespace: default
    match:
      resources:
        kinds:
        - Pod
    validate:
      message: >-
        The Pod PriorityClass {{ request.object.spec.priorityClassName }} is not in the list
        of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data.{{request.object.metadata.namespace}} }}.
      deny:
        conditions:
        - key: "{{ request.object.spec.priorityClassName }}"
          operator: NotIn
          value: "{{ podprioritydict.data.{{request.object.metadata.namespace}} }}"
  - name: validate-pod-priority-cronjob
    context:
    - name: podprioritydict
      configMap:
        name: allowed-pod-priorities
        namespace: default
    match:
      resources:
        kinds:
        - CronJob
    validate:
      message: >-
        The Pod PriorityClass {{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }} is not in the list
        of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data.{{request.object.metadata.namespace}} }}.
      deny:
        conditions:
        - key: "{{ request.object.spec.jobTemplate.spec.template.spec.priorityClassName }}"
          operator: NotIn
          value: "{{ podprioritydict.data.{{request.object.metadata.namespace}} }}"
```
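The policy depends on a ConfigMap the page does not show: it is read from the `default` Namespace (the `context` block), keyed by the Namespace of the request, and the value is compared with `NotIn`. The following Python is an added example, not Kyverno code and not part of the sample policy, that simulates the decision the three rules make so the ConfigMap layout and the per-kind path to the Pod spec can be sanity-checked offline before the policy is deployed. It assumes each ConfigMap value is a comma-separated list of PriorityClass names; the ConfigMap contents, object names and the `pod()` builder are constructed for the example. It generalises the three rules to one table of spec paths and also shows the failure modes a practitioner should expect: a Namespace with no entry in the ConfigMap rejects every explicit `priorityClassName`, and an object with no `priorityClassName` at all cannot be evaluated by the deny condition as written.

```python
"""Offline simulation of the allowed-podpriorities policy's decision logic (added example)."""

# Constructed ConfigMap mirroring the object the policy's context block reads
# (name allowed-pod-priorities in the default Namespace). Keys are Namespace
# names; values are comma-separated PriorityClass names (assumed format).
ALLOWED_POD_PRIORITIES = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "allowed-pod-priorities", "namespace": "default"},
    "data": {
        "default": "medium-priority, low-priority",
        "kube-system": "system-cluster-critical, system-node-critical",
    },
}

# Where each matched kind carries its Pod spec: the same JMESPath prefixes the
# three rules use ({{ request.object.spec... }}), expressed as key tuples.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}


def allowed_priorities(configmap, namespace):
    """Return the set of PriorityClass names allowed in `namespace`.

    A Namespace without an entry yields an empty set, so every explicit
    priorityClassName there is denied: the policy has no fallback entry.
    """
    raw = configmap.get("data", {}).get(namespace, "")
    return {name.strip() for name in raw.split(",") if name.strip()}


def pod_priority_class(obj):
    """Follow the kind-specific path to the Pod spec and return priorityClassName.

    Returns None when the field is unset. The real engine would have to
    resolve a missing variable there; this simulation reports that case
    separately instead of guessing the engine's behaviour.
    """
    node = obj
    for key in POD_SPEC_PATH[obj["kind"]]:
        node = node.get(key, {})
    return node.get("priorityClassName")


def evaluate(obj, configmap=ALLOWED_POD_PRIORITIES):
    """Return (verdict, message) for one admission request object."""
    kind = obj["kind"]
    if kind not in POD_SPEC_PATH:
        return "skip", f"{kind} is not matched by the policy"
    namespace = obj["metadata"]["namespace"]
    pc = pod_priority_class(obj)
    if pc is None:
        return "error", "priorityClassName is unset; the deny condition has no key to compare"
    allowed = allowed_priorities(configmap, namespace)
    if pc not in allowed:  # the NotIn condition of the policy
        return "deny", (f"The Pod PriorityClass {pc} is not in the list of the following "
                        f"PriorityClasses allowed in this Namespace: {sorted(allowed)}.")
    return "pass", f"{pc} is allowed in {namespace}"


def pod(kind, namespace, priority_class=None):
    """Build a minimal constructed object of `kind`, optionally with a priorityClassName."""
    spec = {"containers": [{"name": "app", "image": "example/app:1.0"}]}
    if priority_class is not None:
        spec["priorityClassName"] = priority_class
    obj = {"kind": kind, "metadata": {"name": "demo", "namespace": namespace}}
    node = obj
    path = POD_SPEC_PATH[kind]
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = spec
    return obj


if __name__ == "__main__":
    for obj in (pod("Pod", "default", "medium-priority"),
                pod("Deployment", "default", "system-node-critical"),
                pod("CronJob", "kube-system", "system-cluster-critical"),
                pod("Pod", "team-a", "low-priority"),
                pod("Pod", "default")):
        print(obj["kind"], obj["metadata"]["namespace"], *evaluate(obj))
```

The `team-a` case is the one to watch in a real cluster: because the dictionary is keyed by Namespace and has no default entry, every Namespace that will run prioritised workloads needs its own key in the ConfigMap, and the ConfigMap itself must be protected, since whoever can edit it controls the allow-list for all Namespaces.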
81