Skip to content

Add Job timeout enforcement policy #1249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
karthikmanam wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add Job timeout enforcement policy #1249

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b96a004
Add Job timeout enforcement policy
karthikmanam Mar 5, 2025
8bcbebc
Merge branch 'main' into main
JimBugwadia Oct 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions job-timeout-enforcer/.chainsaw-test/resources/invalid-job.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
apiVersion: batch/v1
kind: Job
metadata:
name: invalid-job-no-timeout
namespace: default
spec:
template:
spec:
containers:
- name: pi
image: perl:5.34.0
command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
restartPolicy: Never
---
apiVersion: batch/v1
kind: Job
metadata:
name: invalid-job-too-short
namespace: default
spec:
template:
spec:
containers:
- name: pi
image: perl:5.34.0
command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
restartPolicy: Never
activeDeadlineSeconds: 1800
14 changes: 14 additions & 0 deletions job-timeout-enforcer/.chainsaw-test/resources/valid-job.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
apiVersion: batch/v1
kind: Job
metadata:
name: valid-job
namespace: default
spec:
template:
spec:
containers:
- name: pi
image: perl:5.34.0
command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
restartPolicy: Never
activeDeadlineSeconds: 3600
24 changes: 24 additions & 0 deletions job-timeout-enforcer/.chainsaw-test/test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: test-job-timeout-enforcer
spec:
steps:
- name: 01-apply-policy
try:
- apiVersion: kyverno.io/v1
kind: ClusterPolicy
file: job-timeout-enforcer.yaml

- name: 02-test-valid-job
try:
- file: resources/valid-job.yaml

- name: 03-test-invalid-job
try:
- file: resources/invalid-job.yaml
expect:
violation:
count: 2
match:
- message: "Jobs must specify activeDeadlineSeconds between 3600 (1 hour) and 86400 (24 hours)"
28 changes: 28 additions & 0 deletions job-timeout-enforcer/artifacthub-pkg.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
name: job-timeout-enforcer
version: 1.0.0
displayName: Enforce Job Timeouts
createdAt: "2024-03-20T00:00:00.000Z"
description: >-
Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
set with a reasonable timeout value between 1 hour and 24 hours.
install: |-
```sh
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/job-timeout-enforcer/job-timeout-enforcer.yaml
```
keywords:
- job
- timeout
- resource management
readme: |
# Enforce Job Timeouts

Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
set with a reasonable timeout value between 1 hour and 24 hours.
annotations:
kyverno/category: Resource Management
kyverno/severity: medium
kyverno/subject: Job
kyverno/kubernetesVersion: "1.23-1.28"
28 changes: 28 additions & 0 deletions job-timeout-enforcer/job-timeout-enforcer.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
apiVersion: batch/v1
kind: Job
metadata:
name: invalid-job-no-timeout
namespace: default
spec:
template:
spec:
containers:
- name: pi
image: perl:5.34.0
command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
restartPolicy: Never
---
apiVersion: batch/v1
kind: Job
metadata:
name: invalid-job-too-short
namespace: default
spec:
template:
spec:
containers:
- name: pi
image: perl:5.34.0
command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]
restartPolicy: Never
activeDeadlineSeconds: 1800
Loading