Policy: `set-runonce-activedeadlineseconds`

Set activeDeadlineSeconds for run-once pods.

Category	Resource Quota
Minimum Kyverno version	v1
Subject	APPUiO Organizations
Policy types	`mutate`
Implementation	component/runonce-activedeadlineseconds.jsonnet

This policy ensures that all "runonce" pods have .spec.activeDeadlineSeconds set.

The value for .spec.activeDeadlineSeconds for a namepsace can be overridden by adding annotation appuio.io/active-deadline-seconds-override with the desired default value on a namespace.

Pods can be excluded from the policy by configuring label match expressions in component parameter runOnceActiveDeadlineSeconds.podMatchExpressions.

Policy Definition

/tests/golden/defaults/appuio-cloud/appuio-cloud/30_set_runonce_activedeadlineseconds.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/category: Resource Quota
    policies.kyverno.io/description: |
      This policy ensures that all "runonce" pods have `.spec.activeDeadlineSeconds` set.

      The value for `.spec.activeDeadlineSeconds` for a namepsace can be overridden by adding annotation `appuio.io/active-deadline-seconds-override` with the desired default value on a namespace.

      Pods can be excluded from the policy by configuring label match expressions in xref:references/parameters.adoc#_runonceactivedeadlineseconds_podmatchexpressions[component parameter `runOnceActiveDeadlineSeconds.podMatchExpressions`].
    policies.kyverno.io/jsonnet: component/runonce-activedeadlineseconds.jsonnet
    policies.kyverno.io/minversion: v1
    policies.kyverno.io/subject: APPUiO Organizations
    policies.kyverno.io/title: Set `activeDeadlineSeconds` for run-once pods.
  labels:
    app.kubernetes.io/component: appuio-cloud
    app.kubernetes.io/managed-by: commodore
    app.kubernetes.io/name: appuio-cloud
    name: set-runonce-activedeadlineseconds
  name: set-runonce-activedeadlineseconds
spec:
  background: false
  rules:
    - context:
        - apiCall:
            jmesPath: 'to_number(merge(`{"appuio.io/active-deadline-seconds-override":
              1800}`, metadata.annotations || `{}`)."appuio.io/active-deadline-seconds-override"
              ) || `1800`'
            urlPath: /api/v1/namespaces/{{request.namespace}}
          name: activeDeadlineSeconds
      match:
        resources:
          kinds:
            - Pod
          selector:
            matchExpressions:
              - key: acme.cert-manager.io/http01-solver
                operator: DoesNotExist
      mutate:
        patchStrategicMerge:
          spec:
            (restartPolicy): Never|OnFailure
            +(activeDeadlineSeconds): '{{activeDeadlineSeconds}}'
      name: set-runonce-activedeadlineseconds
  validationFailureAction: enforce