
Expiration for PolicyExceptions

In situations where Ops/Platform teams want to allow exceptions on a temporary basis, there must be a way to remove the PolicyException once the expiration time has been reached. After the exception is removed, the rule(s) for which the exception was granted go back into full effect. This policy generates a ClusterCleanupPolicy with a four-hour expiration time, after which the PolicyException is deleted. It may be necessary to grant both the Kyverno and the cleanup controller ServiceAccounts additional permissions to operate this policy.

Policy Definition

/other/expiration-for-policyexceptions/expiration-for-policyexceptions.yaml

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: expiration-for-policyexceptions
  annotations:
    policies.kyverno.io/title: Expiration for PolicyExceptions
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: PolicyException
    kyverno.io/kyverno-version: 1.9.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/description: >-
      In situations where Ops/Platform teams want to allow exceptions on a
      temporary basis, there must be a way to remove the PolicyException once the
      expiration time has been reached. After the exception is removed, the rule(s)
      for which the exception is granted go back into full effect. This policy generates
      a ClusterCleanupPolicy with a four hour expiration time after which the PolicyException
      is deleted. It may be necessary to grant both the Kyverno as well as cleanup controller
      ServiceAccounts additional permissions to operate this policy.
spec:
  rules:
  - name: expire-four-hours
    match:
      any:
      - resources:
          kinds:
          - PolicyException
    generate:
      apiVersion: kyverno.io/v2beta1
      kind: ClusterCleanupPolicy
      name: polex-{{ request.namespace }}-{{ request.object.metadata.name }}-{{ random('[0-9a-z]{8}') }}
      synchronize: false
      data:
        metadata:
          labels:
            kyverno.io/automated: "true"
        spec:
          schedule: "{{ time_add('{{ time_now_utc() }}','4h') | time_to_cron(@) }}"
          match:
            any:
            - resources:
                kinds:
                  - PolicyException
                namespaces:
                - "{{ request.namespace }}"
                names:
                - "{{ request.object.metadata.name }}"
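As an added example (not code from the Kyverno policy library), the Python below mirrors the two JMESPath pieces the policy relies on so the generated ClusterCleanupPolicy can be reasoned about offline: `expiry_cron` reproduces `time_add(...,'4h') | time_to_cron(@)` (a five-field `minute hour day month weekday` expression, cron weekday 0 = Sunday), and `cleanup_policy_name` reproduces `polex-<namespace>-<name>-<random('[0-9a-z]{8}')>` with a locally generated suffix. `fires_at` then checks which instants a given expression matches; it applies the conventional cron rule that when both day-of-month and day-of-week are restricted the job runs when either matches, which is an assumption about Kyverno's cleanup scheduler rather than something the page states. Namespace, exception name, suffix and timestamps are constructed sample values.

```python
"""Added example: mirror the schedule and name that the Kyverno policy
'expiration-for-policyexceptions' generates for a ClusterCleanupPolicy.
Not part of the Kyverno policy library; all sample values are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional
import re
import secrets
import string

TTL = timedelta(hours=4)  # the '4h' passed to time_add() in the policy

# Kubernetes DNS-1123 subdomain rule for resource names (cluster-scoped names included)
_NAME_RE = re.compile(r"[a-z0-9]([-a-z0-9.]*[a-z0-9])?")


def expiry_cron(created_at: datetime, ttl: timedelta = TTL) -> str:
    """Return 'minute hour day-of-month month day-of-week' for created_at + ttl,
    the shape time_to_cron() emits. Cron weekday: 0 = Sunday, 1 = Monday."""
    if created_at.tzinfo is None:
        raise ValueError("created_at must be timezone-aware; time_now_utc() is UTC")
    fire_at = (created_at + ttl).astimezone(timezone.utc)
    weekday = (fire_at.weekday() + 1) % 7  # Python Monday=0 -> cron Monday=1, Sunday=0
    return f"{fire_at.minute} {fire_at.hour} {fire_at.day} {fire_at.month} {weekday}"


def cleanup_policy_name(namespace: str, polex_name: str,
                        suffix: Optional[str] = None) -> str:
    """Build polex-<ns>-<name>-<8 chars of [0-9a-z]> as generate.name does.
    In the cluster, Kyverno's random('[0-9a-z]{8}') supplies the suffix; here a
    local CSPRNG draws it from the same alphabet when none is given."""
    if suffix is None:
        alphabet = string.digits + string.ascii_lowercase
        suffix = "".join(secrets.choice(alphabet) for _ in range(8))
    name = f"polex-{namespace}-{polex_name}-{suffix}"
    if len(name) > 253 or not _NAME_RE.fullmatch(name):
        raise ValueError(f"not a valid Kubernetes resource name: {name!r}")
    return name


def fires_at(cron: str, t: datetime) -> bool:
    """True if a five-field cron expression matches the minute containing t.
    Assumption: Kyverno's scheduler follows the conventional cron rule that a
    restricted day-of-month OR a restricted day-of-week satisfies the day check."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError("expected a five-field cron expression")
    minute, hour, dom, month, dow = (int(f) for f in fields)
    t = t.astimezone(timezone.utc)
    if (t.minute, t.hour, t.month) != (minute, hour, month):
        return False
    return t.day == dom or (t.weekday() + 1) % 7 == dow


if __name__ == "__main__":
    # Constructed sample: a PolicyException admitted on Sunday 2024-03-10 22:30 UTC.
    created = datetime(2024, 3, 10, 22, 30, tzinfo=timezone.utc)
    cron = expiry_cron(created)
    name = cleanup_policy_name("team-a", "allow-privileged")
    print(f"generated ClusterCleanupPolicy {name} with schedule {cron!r}")
    for probe in (created + TTL, created + TTL + timedelta(days=7),
                  created + TTL + timedelta(days=365)):
        print(f"  fires at {probe.isoformat()}: {fires_at(cron, probe)}")
```

The expression carries no year and the ClusterCleanupPolicy is not itself removed after it runs, so its `match` block keeps applying to any later PolicyException created with the same name in the same namespace at a matching minute; `fires_at` makes that visible for the probe instants in the main block.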