Allowed Pod Priorities

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: allowed-podpriorities
 5  annotations:
 6    policies.kyverno.io/title: Allowed Pod Priorities
 7    policies.kyverno.io/category: Sample
 8    policies.kyverno.io/minversion: 1.6.0
 9    policies.kyverno.io/subject: Pod
10    policies.kyverno.io/description: >-
11      A Pod PriorityClass is used to provide a guarantee on the scheduling of a Pod relative to others.
12      In certain cases where not all users in a cluster are trusted, a malicious user could create Pods
13      at the highest possible priorities, causing other Pods to be evicted/not get scheduled. This policy
14      checks the defined `priorityClassName` in a Pod spec to a dictionary of allowable
15      PriorityClasses for the given Namespace stored in a ConfigMap. If the `priorityClassName` is not
16      among them, the Pod is blocked.
17spec:
18  validationFailureAction: Audit
19  background: true
20  rules:
21  - name: validate-pod-priority
22    context:
23      - name: podprioritydict
24        configMap:
25          name: allowed-pod-priorities
26          namespace: default
27    match:
28      any:
29      - resources:
30          kinds:
31          - Pod
32    validate:
33      message: >-
34        The Pod PriorityClass {{ request.object.spec.priorityClassName }} is not in the list
35        of the following PriorityClasses allowed in this Namespace: {{ podprioritydict.data."{{request.namespace}}" }}.
36      deny:
37        conditions:
38          any:
39          - key: "{{ request.object.spec.priorityClassName || '' }}"
40            operator: AnyNotIn
41            value:  '{{ podprioritydict.data."{{request.namespace}}" || "" }}'