forked from open-cluster-management-io/policy-collection
-
Notifications
You must be signed in to change notification settings - Fork 31
/
policy-kyverno-container-tgps.yaml
53 lines (53 loc) · 2.37 KB
/
policy-kyverno-container-tgps.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: policy-kyverno-container-tgps
annotations:
policy.open-cluster-management.io/standards: NIST SP 800-53
policy.open-cluster-management.io/categories: CM Configuration Management
policy.open-cluster-management.io/controls: CM-2 Baseline Configuration
spec:
remediationAction: enforce
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: policy-kyverno-container-tgps
spec:
remediationAction: inform # will be overridden by remediationAction in parent policy
severity: low
object-templates:
- complianceType: musthave
objectDefinition:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mutate-termination-grace-period-seconds
annotations:
policies.kyverno.io/title: Mutate termination Grace Periods Seconds
policies.kyverno.io/category: Sample
policies.kyverno.io/severity: medium
policies.kyverno.io/subject: Pod
policies.kyverno.io/description: >-
Pods with large terminationGracePeriodSeconds (tGPS) might prevent cluster nodes
from getting drained, ultimately making the whole cluster unstable. This policy
mutates all incoming Pods to set their tGPS under 50s. If the user creates a pod
without specifying tGPS, then the Kubernetes default of 30s is maintained.
spec:
background: false
rules:
- name: termination-grace-period-seconds
match:
resources:
kinds:
- Pod
preconditions:
- key: "{{`{request.object.spec.terminationGracePeriodSeconds}}`}}"
operator: GreaterThan
value: 50 # maximum tGPS allowed by admin
mutate:
patchStrategicMerge:
spec:
terminationGracePeriodSeconds: 50