
Restrict runtimeClass

The runtimeClass field of a Pod spec (`spec.runtimeClassName`) selects which container runtime handler runs the Pod. The former Pod Security Policy (PSP) admission controller allowed restricting which runtime classes were permitted. Limiting runtime classes to only those that have actually been defined in the cluster prevents unintended runtime configurations and Pods that never come online because they reference a nonexistent class. This policy restricts the runtimeClass field to the values `prodclass` or `expclass`.

Policy Definition

/psp-migration/restrict-runtimeClassName/restrict-runtimeClassName.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-runtimeclass
  annotations:
    policies.kyverno.io/title: Restrict runtimeClass
    policies.kyverno.io/category: PSP Migration
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.10.0
    kyverno.io/kubernetes-version: "1.24"
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/description: >-
      The runtimeClass field of a Pod spec defines which container engine runtime should be used.
      In the previous Pod Security Policy controller, defining restrictions on which classes were allowed
      was permitted. Limiting runtime classes to only those which have been defined can prevent
      unintended running states or Pods which may not come online. This policy restricts the runtimeClass
      field to the values `prodclass` or `expclass`.
spec:
  validationFailureAction: Enforce
  background: false
  rules:
  - name: prodclass-or-expclass
    match:
      any:
      - resources:
          kinds:
          - Pod
    # Only evaluate on CREATE; background scans (no request) resolve to 'BACKGROUND' and are skipped.
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: CREATE
    validate:
      message: Only the runtime classes prodclass or expclass may be used.
      pattern:
        # =() is a conditional anchor: the check applies only when the field is present.
        =(spec):
          =(runtimeClassName): "prodclass | expclass"
```
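The following is an added example, not code from the Kyverno policy library: a small Python model of how this rule decides on a Pod, covering the precondition on `request.operation`, the `=()` conditional anchors, and the `|` alternation in the pattern value. The `make_pod` helper and the sample Pods are constructed for illustration.

```python
from typing import Any, Dict, Optional

# The pattern value from the policy above; '|' separates accepted alternatives.
ALLOWED = "prodclass | expclass"


def pattern_matches(value: str, pattern: str) -> bool:
    """Kyverno pattern alternation: 'a | b' matches when the value equals any alternative."""
    return value in {alt.strip() for alt in pattern.split("|")}


def evaluate(pod: Dict[str, Any], operation: Optional[str] = "CREATE") -> str:
    """Return 'skip', 'pass' or 'fail', mirroring the rule's precondition and validate pattern.

    operation=None models a background scan with no AdmissionRequest, which the
    `{{request.operation || 'BACKGROUND'}}` expression resolves to 'BACKGROUND'.
    """
    op = operation if operation is not None else "BACKGROUND"
    if op != "CREATE":
        return "skip"  # precondition not met: the rule is not applied at all
    spec = pod.get("spec")
    if spec is None:
        return "pass"  # =(spec): anchor only applies when spec is present
    if "runtimeClassName" not in spec:
        return "pass"  # =(runtimeClassName): an unset field is allowed
    return "pass" if pattern_matches(spec["runtimeClassName"], ALLOWED) else "fail"


def make_pod(name: str, runtime_class: Optional[str] = None) -> Dict[str, Any]:
    """Build a constructed sample Pod manifest (hypothetical helper, not from the page)."""
    spec: Dict[str, Any] = {"containers": [{"name": "app", "image": "busybox"}]}
    if runtime_class is not None:
        spec["runtimeClassName"] = runtime_class
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


if __name__ == "__main__":
    cases = [
        (make_pod("prod", "prodclass"), "CREATE"),   # pass
        (make_pod("gvisor", "gvisor"), "CREATE"),    # fail: not in the allowed set
        (make_pod("unset"), "CREATE"),               # pass: field absent
        (make_pod("gvisor-update", "gvisor"), "UPDATE"),  # skip: precondition
    ]
    for pod, op in cases:
        print(f"{pod['metadata']['name']:14} {op:7} -> {evaluate(pod, op)}")
```

Note that a Pod with no `runtimeClassName` at all passes (it falls back to the cluster default handler), and because the rule only fires on CREATE with `background: false`, Pods that already existed before the policy was applied are neither blocked nor reported.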