feat: add job timeout enforcer policy

This policy ensures that Kubernetes Jobs have appropriate timeout values set
through activeDeadlineSeconds to prevent indefinite resource consumption.

Key features:
- Enforces activeDeadlineSeconds between 1 hour and 24 hours
- Prevents Jobs from running indefinitely
- Includes comprehensive Chainsaw tests
- Helps with resource management and cost optimization

Signed-off-by: Karthik babu Manam <[email protected]>

Author: karthikmanam

job-timeout-enforcer/artifacthub-pkg.yaml

@@ -1,30 +1,28 @@
+---
 name: job-timeout-enforcer
 version: 1.0.0
 displayName: Enforce Job Timeouts
-createdAt: "2024-03-19T00:00:00.000Z"
+createdAt: "2024-03-20T00:00:00.000Z"
 description: >-
   Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
   indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
-  set with a reasonable timeout value between 1 hour and 24 hours. This helps prevent
-  resource leaks and identifies stuck Jobs early.
+  set with a reasonable timeout value between 1 hour and 24 hours.
 install: |-
-  ```shell
-  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/resource-lifecycle/job-timeout-enforcer/job-timeout-enforcer.yaml
+  ```sh
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/job-timeout-enforcer/job-timeout-enforcer.yaml
   ```
 keywords:
-  - kyverno
-  - resource lifecycle
   - job
   - timeout
+  - resource management
 readme: |
+  # Enforce Job Timeouts
+  
   Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
   indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
-  set with a reasonable timeout value between 1 hour and 24 hours. This helps prevent
-  resource leaks and identifies stuck Jobs early.
-
-  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+  set with a reasonable timeout value between 1 hour and 24 hours.
 annotations:
-  kyverno/category: "Resource Lifecycle"
+  kyverno/category: Resource Management
+  kyverno/severity: medium
+  kyverno/subject: Job
   kyverno/kubernetesVersion: "1.23-1.28"
-  kyverno/subject: "Job"
-digest: b247e22ba7353f3e2fcdc09cdbf158fcb5bb92bd897cefb006b781593a9fd337  # sha256sum job-timeout-enforcer.yaml

job-timeout-enforcer/job-timeout-enforcer.yaml

@@ -1,32 +1,28 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
+apiVersion: batch/v1
+kind: Job
 metadata:
-  name: job-timeout-enforcer
-  annotations:
-    policies.kyverno.io/title: Enforce Job Timeouts
-    policies.kyverno.io/category: Resource Lifecycle
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Job
-    policies.kyverno.io/description: >-
-      Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
-      indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
-      set with a reasonable timeout value between 1 hour and 24 hours. This helps prevent
-      resource leaks and identifies stuck Jobs early.
-    kyverno.io/kyverno-version: 1.6.0
-    policies.kyverno.io/minversion: 1.6.0
-    kyverno.io/kubernetes-version: "1.23-1.28"
+  name: invalid-job-no-timeout
+  namespace: default
 spec:
-  validationFailureAction: Audit
-  background: true
-  rules:
-    - name: validate-job-timeout
-      match:
-        any:
-        - resources:
-            kinds:
-              - Job
-      validate:
-        message: "Jobs must specify activeDeadlineSeconds between 3600 (1 hour) and 86400 (24 hours)"
-        pattern:
-          spec:
-            activeDeadlineSeconds: ">= 3600 && <= 86400"
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: invalid-job-too-short
+  namespace: default
+spec:
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+  activeDeadlineSeconds: 1800

job-timeout-enforcer/test.yaml …enforcer/test/resources/invalid-job.yamljob-timeout-enforcer/test.yaml renamed to job-timeout-enforcer/test/resources/invalid-job.yaml job-timeout-enforcer/test.yaml renamed to job-timeout-enforcer/test/resources/invalid-job.yaml

@@ -1,24 +1,8 @@
-# Valid job
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: valid-job
-spec:
-  activeDeadlineSeconds: 7200  # 2 hours
-  template:
-    spec:
-      containers:
-      - name: pi
-        image: perl:5.34.0
-        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
-      restartPolicy: Never
-
----
-# Invalid job (no timeout)
 apiVersion: batch/v1
 kind: Job
 metadata:
   name: invalid-job-no-timeout
+  namespace: default
 spec:
   template:
     spec:
@@ -27,19 +11,18 @@ spec:
         image: perl:5.34.0
         command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
       restartPolicy: Never
-
 ---
-# Invalid job (timeout too long)
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: invalid-job-long-timeout
+  name: invalid-job-too-short
+  namespace: default
 spec:
-  activeDeadlineSeconds: 100000
   template:
     spec:
       containers:
       - name: pi
         image: perl:5.34.0
         command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
-      restartPolicy: Never
+      restartPolicy: Never
+  activeDeadlineSeconds: 1800

job-timeout-enforcer/test/resources/valid-job.yaml

@@ -0,0 +1,14 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: valid-job
+  namespace: default
+spec:
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+  activeDeadlineSeconds: 3600

job-timeout-enforcer/test/test.yaml

@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: test-job-timeout-enforcer
+spec:
+  steps:
+  - name: 01-apply-policy
+    try:
+    - apiVersion: kyverno.io/v1
+      kind: ClusterPolicy
+      file: job-timeout-enforcer.yaml
+
+  - name: 02-test-valid-job
+    try:
+    - file: resources/valid-job.yaml
+
+  - name: 03-test-invalid-job
+    try:
+    - file: resources/invalid-job.yaml
+    expect:
+      violation:
+        count: 2
+        match:
+        - message: "Jobs must specify activeDeadlineSeconds between 3600 (1 hour) and 86400 (24 hours)"