Add Job timeout enforcement policy

This policy ensures all Kubernetes Jobs have a reasonable timeout
set via activeDeadlineSeconds to prevent indefinitely running jobs
and resource consumption issues.

Signed-off-by: Karthik babu Manam <[email protected]>

job-timeout-enforcer/artifacthub-pkg.yaml

@@ -0,0 +1,30 @@
+name: job-timeout-enforcer
+version: 1.0.0
+displayName: Enforce Job Timeouts
+createdAt: "2024-03-19T00:00:00.000Z"
+description: >-
+  Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
+  indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
+  set with a reasonable timeout value between 1 hour and 24 hours. This helps prevent
+  resource leaks and identifies stuck Jobs early.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/resource-lifecycle/job-timeout-enforcer/job-timeout-enforcer.yaml
+  ```
+keywords:
+  - kyverno
+  - resource lifecycle
+  - job
+  - timeout
+readme: |
+  Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
+  indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
+  set with a reasonable timeout value between 1 hour and 24 hours. This helps prevent
+  resource leaks and identifies stuck Jobs early.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Resource Lifecycle"
+  kyverno/kubernetesVersion: "1.23-1.28"
+  kyverno/subject: "Job"
+digest: b247e22ba7353f3e2fcdc09cdbf158fcb5bb92bd897cefb006b781593a9fd337  # sha256sum job-timeout-enforcer.yaml

job-timeout-enforcer/job-timeout-enforcer.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: job-timeout-enforcer
+  annotations:
+    policies.kyverno.io/title: Enforce Job Timeouts
+    policies.kyverno.io/category: Resource Lifecycle
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Job
+    policies.kyverno.io/description: >-
+      Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
+      indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
+      set with a reasonable timeout value between 1 hour and 24 hours. This helps prevent
+      resource leaks and identifies stuck Jobs early.
+    kyverno.io/kyverno-version: 1.6.0
+    policies.kyverno.io/minversion: 1.6.0
+    kyverno.io/kubernetes-version: "1.23-1.28"
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+    - name: validate-job-timeout
+      match:
+        any:
+        - resources:
+            kinds:
+              - Job
+      validate:
+        message: "Jobs must specify activeDeadlineSeconds between 3600 (1 hour) and 86400 (24 hours)"
+        pattern:
+          spec:
+            activeDeadlineSeconds: ">= 3600 && <= 86400"

job-timeout-enforcer/test.yaml

@@ -0,0 +1,45 @@
+# Valid job
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: valid-job
+spec:
+  activeDeadlineSeconds: 7200  # 2 hours
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+
+---
+# Invalid job (no timeout)
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: invalid-job-no-timeout
+spec:
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+
+---
+# Invalid job (timeout too long)
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: invalid-job-long-timeout
+spec:
+  activeDeadlineSeconds: 100000
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never