Enforce pod duration in CEL expressions

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: pod-lifetime
 5  annotations:
 6    policies.kyverno.io/title: Enforce pod duration in CEL expressions
 7    policies.kyverno.io/category: Sample in CEL 
 8    policies.kyverno.io/minversion: 1.11.0
 9    kyverno.io/kubernetes-version: "1.26-1.27"
10    policies.kyverno.io/subject: Pod
11    policies.kyverno.io/description: >-
12      This validation is valuable when annotations are used to define durations,
13      such as to ensure a Pod lifetime annotation does not exceed some site specific max threshold.
14      Pod lifetime annotation can be no greater than 8 hours.
15spec:
16  validationFailureAction: Audit
17  background: true
18  rules:
19  - name: pods-lifetime
20    match:
21      any:
22      - resources:
23          kinds:
24          - Pod
25          operations:
26          - CREATE
27          - UPDATE
28    validate:
29      cel:
30        variables:
31          - name: hasLifetimeAnnotation
32            expression: "object.metadata.?annotations[?'pod.kubernetes.io/lifetime'].hasValue()"
33          - name: lifetimeAnnotationValue
34            expression: "variables.hasLifetimeAnnotation ? object.metadata.annotations['pod.kubernetes.io/lifetime'] : '0s'"
35        expressions:
36          - expression: "!(duration(variables.lifetimeAnnotationValue) > duration('8h'))"
37            message: "Pod lifetime exceeds limit of 8h"