Skip to content

kubewarden/priority-class-policy

BranchesTags

Repository files navigation

priority-class-policy

Kubernetes allows users to define PriorityClasses for their pods. This helps the control plane properly schedule workloads based on their priorities and determine which pods should be preempted to ensure critical workloads are always scheduled. However, users can misuse the available PriorityClasses by setting improper classes.

To avoid this kind of situation, this policy ensures that the priorityClassName defined in a pod is only one of the expected ones. Therefore, cluster administrators can use this policy to enforce a set of allowed PriorityClass names, rejecting deployments if users try to create a Pod with an unexpected priorityClassName.

This policy can inspect Pod resources, but can also operate against "higher-order" Kubernetes resources like Deployment, ReplicaSet, DaemonSet, ReplicationController, Job, and CronJob.

Settings

This policy setting is simply a list of the PriorityClass names that users can use in the Pod's priorityClassName field. The user must provide a list of priority classes names when deploying the policy

Here's an example of the settings:

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  annotations:
    io.kubewarden.policy.category: Resource validation
    io.kubewarden.policy.severity: medium
  name: priority-class-policy
spec:
  module: ghcr.io/kubewarden/policies/priority-class-policy:latest
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    allowed_priority_classes:
      - low-priority
      - med-priority
      - high-priority

With the above configuration, any Pod that defines a priorityClassName that is not present in the list will be rejected. If the priorityClassName is not defined, the resource will be accepted.

Furthermore, the cluster operator can use this policy to enforce specific classes based on namespace or object selectors. For example, to apply the policy to specific namespaces, the namespaceSelector can be used:

apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  annotations:
    io.kubewarden.policy.category: Resource validation
    io.kubewarden.policy.severity: medium
  name: priority-class-policy
spec:
  module: ghcr.io/kubewarden/policies/priority-class-policy:latest
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  namespaceSelector:
    matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: In
        values: [team1, team2]
  settings:
    allowed_priority_classes:
      - low-priority
      - med-priority
      - high-priority

In the previous example, the same priorityClassName configuration validation will be applied to Pods only deployed in the team1 and team2 namespaces.

About

Validates Pod's priority class

kubewarden.io

Topics

kubernetes webassembly hacktoberfest policy-as-code kubernetes-security kubewarden-policy

Resources

Readme

License

Apache-2.0 license

Contributing

Contributing
Activity
Custom properties

Stars

0 stars

Watchers

7 watching

Forks

3 forks
Report repository

Releases 5

v1.0.4 Latest
Jul 14, 2025
+ 4 releases

Packages

 
 
 

Contributors 6

Languages