Back to Policies

Time-Bound Policy

Sometimes a policy should be active or inactive based on a time window determined as part of the policy. Whether the policy should come into play should be dependent on that time. This policy illustrates how to time-bound any policy by using preconditions with JMESPath time filters. In this case, the policy enforces that label `foo` be required on all ConfigMaps during the hours of 8am-5pm EST (expressed in UTC). Additional, similar preconditions may be added to perform other time checks, for example a range of days.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: time-bound-policy
  annotations:
    policies.kyverno.io/title: Time-Bound Policy
    policies.kyverno.io/category: Other
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: ConfigMap
    policies.kyverno.io/description: Sometimes a policy should be active or inactive based on a time window determined as part of the policy. Whether the policy should come into play should be dependent on that time. This policy illustrates how to time-bound any policy by using preconditions with JMESPath time filters. In this case, the policy enforces that label `foo` be required on all ConfigMaps during the hours of 8am-5pm EST (expressed in UTC). Additional, similar preconditions may be added to perform other time checks, for example a range of days.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: require-foo-on-configmaps
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
      preconditions:
        all:
          - key: "{{ time_now_utc().time_to_cron(@).split(@,' ') | [1].to_number(@) }}"
            operator: AnyIn
            value: 13-22
      validate:
        message: The foo label must be set.
        pattern:
          metadata:
            labels:
              foo: "?*"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Require Encryption with AWS LoadBalancers

Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.

Service
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application