Back to Policies

Add Pod priorityClassName

A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. This policy adds the priorityClassName of `non-production` to any Pod controller deployed into a Namespace that does not have the label env=production.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-pod-priorityclassname
  annotations:
    policies.kyverno.io/title: Add Pod priorityClassName
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    pod-policies.kyverno.io/autogen-controllers: none
    kyverno.io/kyverno-version: 1.7.1
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others. This policy adds the priorityClassName of `non-production` to any Pod controller deployed into a Namespace that does not have the label env=production.
spec:
  background: false
  rules:
    - name: add-priorityclass-controllers
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - DaemonSet
                - StatefulSet
                - Job
              namespaceSelector:
                matchExpressions:
                  - key: env
                    operator: NotIn
                    values:
                      - production
      mutate:
        patchesJson6902: |-
          - op: remove
            path: '/spec/template/spec/priority'
          - op: add
            path: /spec/template/spec/priorityClassName
            value: 'non-production'
    - name: add-priorityclass-cronjobs
      match:
        any:
          - resources:
              kinds:
                - CronJob
              namespaceSelector:
                matchExpressions:
                  - key: env
                    operator: NotIn
                    values:
                      - production
      mutate:
        patchesJson6902: |-
          - op: remove
            path: '/spec/jobTemplate/spec/template/spec/priority'
          - op: add
            path: /spec/jobTemplate/spec/template/spec/priorityClassName
            value: 'non-production'

Related Policies

MutateMedium

Add Safe To Evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

Pod
MutateMedium

Add Safe To Evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

Pod
MutateMedium

Add CAST AI Removal Disabled

CAST AI will not downscale a node that includes a pod with the autoscaling.cast.ai/removal-disabled="true" label on it, this protects sensitive workloads from being evicted and can be attributed to any pod to protect against unwanted downscaling. This policy will mutate jobs and cronjobs to add the removal-disabled label to protect against eviction.

Job