Policy: set-runonce-activedeadlineseconds
Set activeDeadlineSeconds for run-once pods.
Category | Resource Quota
Minimum Kyverno version | v1
Subject | APPUiO Organizations
Policy types |
Implementation |
This policy ensures that all "runonce" pods have .spec.activeDeadlineSeconds set.
The value for .spec.activeDeadlineSeconds for a namespace can be overridden by adding the annotation appuio.io/active-deadline-seconds-override with the desired default value on the namespace.
Pods can be excluded from the policy by configuring label match expressions in the component parameter runOnceActiveDeadlineSeconds.podMatchExpressions.
Policy Definition
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/category: Resource Quota
    policies.kyverno.io/description: |
      This policy ensures that all "runonce" pods have `.spec.activeDeadlineSeconds` set.
      The value for `.spec.activeDeadlineSeconds` for a namepsace can be overridden by adding annotation `appuio.io/active-deadline-seconds-override` with the desired default value on a namespace.
      Pods can be excluded from the policy by configuring label match expressions in xref:references/parameters.adoc#_runonceactivedeadlineseconds_podmatchexpressions[component parameter `runOnceActiveDeadlineSeconds.podMatchExpressions`].
    policies.kyverno.io/jsonnet: component/runonce-activedeadlineseconds.jsonnet
    policies.kyverno.io/minversion: v1
    policies.kyverno.io/subject: APPUiO Organizations
    policies.kyverno.io/title: Set `activeDeadlineSeconds` for run-once pods.
  labels:
    app.kubernetes.io/component: appuio-cloud
    app.kubernetes.io/managed-by: commodore
    app.kubernetes.io/name: appuio-cloud
    name: set-runonce-activedeadlineseconds
  name: set-runonce-activedeadlineseconds
spec:
  background: false
  rules:
    - context:
        - apiCall:
            jmesPath: 'to_number(merge(`{"appuio.io/active-deadline-seconds-override":
              1800}`, metadata.annotations || `{}`)."appuio.io/active-deadline-seconds-override"
              ) || `1800`'
            urlPath: /api/v1/namespaces/{{request.namespace}}
          name: activeDeadlineSeconds
      match:
        resources:
          kinds:
            - Pod
          selector:
            matchExpressions:
              - key: acme.cert-manager.io/http01-solver
                operator: DoesNotExist
      mutate:
        patchStrategicMerge:
          spec:
            (restartPolicy): Never|OnFailure
            +(activeDeadlineSeconds): '{{activeDeadlineSeconds}}'
      name: set-runonce-activedeadlineseconds
  validationFailureAction: enforce
```
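
The rule's decision logic, modelled in Python as an added example (not part of the component's code or of Kyverno): it shows which pods receive a deadline and how the namespace annotation and the 1800 fallback interact. The sample pods and namespaces are constructed, and the numeric check is a simplified stand-in for JMESPath `to_number()`.

```python
import re

DEFAULT_DEADLINE = 1800  # fallback in the policy's jmesPath expression
OVERRIDE_ANNOTATION = "appuio.io/active-deadline-seconds-override"
EXCLUDE_LABEL = "acme.cert-manager.io/http01-solver"  # selector uses DoesNotExist
_NUMERIC = re.compile(r"-?\d+(\.\d+)?")  # assumption: simplified to_number() parsing


def resolve_deadline(namespace):
    """Annotation value as a number, or the default when absent or non-numeric."""
    annotations = namespace.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(OVERRIDE_ANNOTATION)
    if raw is None or not _NUMERIC.fullmatch(raw):
        return DEFAULT_DEADLINE  # to_number() gave null, so `|| 1800` applies
    value = float(raw)
    return int(value) if value.is_integer() else value


def mutate_pod(pod, namespace):
    """Return the pod as this model of the mutate rule would leave it."""
    labels = pod.get("metadata", {}).get("labels") or {}
    spec = pod.get("spec", {})
    if EXCLUDE_LABEL in labels:
        return pod  # excluded by the match selector
    if spec.get("restartPolicy") not in ("Never", "OnFailure"):
        return pod  # (restartPolicy) condition anchor not satisfied
    if "activeDeadlineSeconds" in spec:
        return pod  # +(...) only adds the field when it is missing
    deadline = resolve_deadline(namespace)
    return {**pod, "spec": {**spec, "activeDeadlineSeconds": deadline}}


# Constructed sample objects, not taken from a real cluster.
NS_DEFAULT = {"metadata": {"name": "demo"}}
NS_OVERRIDE = {"metadata": {"annotations": {OVERRIDE_ANNOTATION: "3600"}}}
NS_INVALID = {"metadata": {"annotations": {OVERRIDE_ANNOTATION: "1h"}}}
JOB_POD = {"metadata": {"labels": {"job-name": "backup"}},
           "spec": {"restartPolicy": "Never"}}
WEB_POD = {"metadata": {}, "spec": {"restartPolicy": "Always"}}
OWN_DEADLINE_POD = {"metadata": {},
                    "spec": {"restartPolicy": "OnFailure", "activeDeadlineSeconds": 60}}
SOLVER_POD = {"metadata": {"labels": {EXCLUDE_LABEL: "true"}},
              "spec": {"restartPolicy": "OnFailure"}}

if __name__ == "__main__":
    for ns in (NS_DEFAULT, NS_OVERRIDE, NS_INVALID):
        print(mutate_pod(JOB_POD, ns)["spec"])
    for pod in (WEB_POD, OWN_DEADLINE_POD, SOLVER_POD):
        print(mutate_pod(pod, NS_DEFAULT)["spec"])
```

Because the field is only added when missing, a pod that already sets its own `.spec.activeDeadlineSeconds` keeps that value unchanged by this rule.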