Containers which request use of an NVIDIA GPU often need to be authored to consume them via a CUDA environment variable called NVIDIA_VISIBLE_DEVICES. This policy checks the containers which request a GPU to ensure they have been authored with this environment variable.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-nvidia-gpus
  annotations:
    policies.kyverno.io/title: Check NVIDIA GPUs
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Containers which request use of an NVIDIA GPU often need to be authored to
      consume them via a CUDA environment variable called NVIDIA_VISIBLE_DEVICES.
      This policy checks the containers which request a GPU to ensure they have
      been authored with this environment variable.
spec:
  validationFailureAction: Audit
  rules:
  - name: check-nvidia-gpus
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: NotEquals
        value: DELETE
    validate:
      message: Images which reserve NVIDIA GPUs must be built to use them.
      foreach:
      - list: request.object.spec.containers
        context:
        - name: imageData
          imageRegistry:
            reference: "{{ element.image }}"
        deny:
          conditions:
            all:
            - key: NVIDIA_VISIBLE_DEVICES=*?
              operator: AnyNotIn
              value: "{{ imageData.configData.config.Env || '' }}"
            - key: "{{ element.resources.limits.\"nvidia.com/gpu\" || '' }}"
              operator: GreaterThan
              value: 0
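The deny block above combines two conditions per container: the image's configured Env list has no entry matching the wildcard NVIDIA_VISIBLE_DEVICES=*? (AnyNotIn), and the container reserves an nvidia.com/gpu limit greater than zero. The following Python mirrors that decision so the logic can be checked offline. It is an added example, not code from the Kyverno policy library: the pod spec, the image references and the IMAGE_CONFIG_ENV table (a stand-in for what the imageRegistry context returns as imageData.configData.config.Env) are all constructed sample data.

```python
"""Offline mirror of the check-nvidia-gpus deny conditions (added example).

A container is reported as denied when it reserves nvidia.com/gpu > 0 and the
image configuration's Env list contains nothing matching the wildcard pattern
NVIDIA_VISIBLE_DEVICES=*? used by the policy.
"""
import fnmatch

PATTERN = "NVIDIA_VISIBLE_DEVICES=*?"  # pattern taken from the policy's deny key
MESSAGE = "Images which reserve NVIDIA GPUs must be built to use them."

# Constructed stand-in for imageData.configData.config.Env per image reference.
# These image names and Env lists are sample data, not real registry content.
IMAGE_CONFIG_ENV = {
    "registry.example.test/cuda-app:1.0": [
        "PATH=/usr/local/nvidia/bin:/usr/local/cuda/bin:/usr/bin",
        "NVIDIA_VISIBLE_DEVICES=all",
        "NVIDIA_DRIVER_CAPABILITIES=compute,utility",
    ],
    "registry.example.test/plain-app:1.0": [
        "PATH=/usr/bin",
    ],
}

# Constructed Pod manifest exercising the three cases of interest.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "gpu-demo"},
    "spec": {
        "containers": [
            # reserves a GPU and the image sets the variable -> allowed
            {"name": "trainer", "image": "registry.example.test/cuda-app:1.0",
             "resources": {"limits": {"nvidia.com/gpu": "1"}}},
            # reserves GPUs but the image never sets the variable -> denied
            {"name": "worker", "image": "registry.example.test/plain-app:1.0",
             "resources": {"limits": {"nvidia.com/gpu": "2"}}},
            # no GPU limit at all -> the GreaterThan condition fails, allowed
            {"name": "sidecar", "image": "registry.example.test/plain-app:1.0"},
        ]
    },
}


def gpu_limit(container):
    """Return the nvidia.com/gpu limit as an int, 0 when absent (the policy uses || '')."""
    limits = container.get("resources", {}).get("limits", {})
    return int(limits.get("nvidia.com/gpu", 0))


def has_visible_devices(env_list, pattern=PATTERN):
    """True when some Env entry matches the wildcard, i.e. AnyNotIn would NOT fire.

    fnmatch uses the same '*' (any run) and '?' (exactly one character)
    semantics as the policy pattern, so a bare 'NVIDIA_VISIBLE_DEVICES=' with an
    empty value does not count as set.
    """
    return any(fnmatch.fnmatchcase(entry, pattern) for entry in env_list)


def evaluate_pod(pod, image_env=IMAGE_CONFIG_ENV):
    """Return (container name, message) for every container the policy would deny."""
    denied = []
    for container in pod["spec"]["containers"]:
        env = image_env.get(container["image"], [])
        reserves_gpu = gpu_limit(container) > 0          # GreaterThan 0
        variable_missing = not has_visible_devices(env)  # AnyNotIn on the Env list
        if reserves_gpu and variable_missing:            # deny requires both (all:)
            denied.append((container["name"], MESSAGE))
    return denied


if __name__ == "__main__":
    for name, reason in evaluate_pod(SAMPLE_POD):
        print(f"deny {name}: {reason}")
```

Running the sample denies only the worker container: trainer passes because its image carries NVIDIA_VISIBLE_DEVICES=all, and sidecar passes because it reserves no GPU, so the second condition never holds. With validationFailureAction set to Audit, Kyverno would record that denial as a policy report entry rather than rejecting the Pod.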
This policy performs some best-practice validation on Application fields. Either path or chart must be specified, but never both, and either destination.name or destination.server must be specified, but never both.
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.