Check NVIDIA GPUs

Containers which request use of an NVIDIA GPU often need to be authored to consume them via a CUDA environment variable called NVIDIA_VISIBLE_DEVICES. This policy checks the containers which request a GPU to ensure they have been authored with this environment variable.

Policy Definition

/other/check-nvidia-gpu/check-nvidia-gpu.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-nvidia-gpus
  annotations:
    policies.kyverno.io/title: Check NVIDIA GPUs
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Containers which request use of an NVIDIA GPU often need to
      be authored to consume them via a CUDA environment variable called
      NVIDIA_VISIBLE_DEVICES. This policy checks the containers which
      request a GPU to ensure they have been authored with this environment
      variable.
spec:
  validationFailureAction: Audit
  rules:
  - name: check-nvidia-gpus
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: "Images which reserve NVIDIA GPUs must be built to use them."
      foreach:
      - list: "request.object.spec.containers"
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        deny:
          conditions:
            all:
            # If a container image calls for an NVIDIA GPU in its resources.limits, it must also
            # have been built with the CUDA environment variable `NVIDIA_VISIBLE_DEVICES`.
            - key: "NVIDIA_VISIBLE_DEVICES=*?"
              operator: AnyNotIn
              value: "{{ imageData.configData.config.Env || '' }}"
            - key: "{{ element.resources.limits.\"nvidia.com/gpu\" || '' }}"
              operator: GreaterThan
              value: 0
```
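To make the deny logic concrete, here is an added Python model of the rule above (example code, not part of the Kyverno policy library): it walks each container, applies the `|| ''` fallbacks for a missing `Env` list or a missing `nvidia.com/gpu` limit, and matches the wildcard key `NVIDIA_VISIBLE_DEVICES=*?` the way Kyverno does (`*` any run, `?` exactly one character, so an empty value does not count). The image names and the `IMAGE_CONFIGS` table are constructed stand-ins for what the `imageRegistry` context fetches, and the numeric check uses `float()` rather than full Kubernetes quantity parsing.

```python
import fnmatch

ENV_PATTERN = "NVIDIA_VISIBLE_DEVICES=*?"  # the policy's wildcard key

# Constructed sample image metadata, standing in for
# imageData.configData.config.Env as fetched by Kyverno's imageRegistry context.
IMAGE_CONFIGS = {
    "registry.example/cuda-app:1.0": {"Env": ["PATH=/usr/bin", "NVIDIA_VISIBLE_DEVICES=all"]},
    "registry.example/plain-app:1.0": {"Env": ["PATH=/usr/bin"]},
    "registry.example/empty-value:1.0": {"Env": ["NVIDIA_VISIBLE_DEVICES="]},
    "registry.example/no-env:1.0": {},  # config with no Env list at all
}

# Constructed Pod spec with one compliant and several non-compliant containers.
POD = {"spec": {"containers": [
    {"name": "ok", "image": "registry.example/cuda-app:1.0",
     "resources": {"limits": {"nvidia.com/gpu": "1"}}},
    {"name": "bad", "image": "registry.example/plain-app:1.0",
     "resources": {"limits": {"nvidia.com/gpu": "1"}}},
    {"name": "bad-empty", "image": "registry.example/empty-value:1.0",
     "resources": {"limits": {"nvidia.com/gpu": 2}}},
    {"name": "bad-noenv", "image": "registry.example/no-env:1.0",
     "resources": {"limits": {"nvidia.com/gpu": "1"}}},
    {"name": "no-gpu", "image": "registry.example/plain-app:1.0"},
]}}


def requests_gpu(container):
    """Mirror `element.resources.limits."nvidia.com/gpu" || ''` then GreaterThan 0.
    A missing limit falls back to '' which is not numeric, so the condition is false."""
    raw = container.get("resources", {}).get("limits", {}).get("nvidia.com/gpu", "")
    try:
        return float(raw) > 0
    except (TypeError, ValueError):
        return False


def missing_cuda_env(env):
    """Mirror AnyNotIn with a wildcard key: true when no Env entry matches the pattern."""
    return not any(fnmatch.fnmatchcase(entry, ENV_PATTERN) for entry in env)


def evaluate(pod, image_configs=IMAGE_CONFIGS, operation="CREATE"):
    """Return the names of containers the rule would flag; DELETE skips the rule."""
    if operation == "DELETE":  # the policy's precondition
        return []
    denied = []
    for container in pod["spec"]["containers"]:
        env = image_configs.get(container["image"], {}).get("Env") or []  # `|| ''`
        if missing_cuda_env(env) and requests_gpu(container):
            denied.append(container["name"])
    return denied
```

Because the policy sets `validationFailureAction: Audit`, a live Kyverno install records these matches in policy reports rather than rejecting the Pod.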