Add Job timeout enforcement policy

This policy ensures all Kubernetes Jobs have a reasonable timeout
set via activeDeadlineSeconds to prevent indefinitely running jobs
and resource consumption issues.

Key features:
- Enforces activeDeadlineSeconds between 1 hour and 24 hours
- Prevents Jobs from running indefinitely
- Includes comprehensive Chainsaw tests
- Helps with resource management and cost optimization

Signed-off-by: Karthik babu Manam <[email protected]>

job-timeout-enforcer/.chainsaw-test/resources/invalid-job.yaml

@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: invalid-job-no-timeout
+  namespace: default
+spec:
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: invalid-job-too-short
+  namespace: default
+spec:
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+  activeDeadlineSeconds: 1800

job-timeout-enforcer/.chainsaw-test/resources/valid-job.yaml

@@ -0,0 +1,14 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: valid-job
+  namespace: default
+spec:
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+  activeDeadlineSeconds: 3600

job-timeout-enforcer/.chainsaw-test/test.yaml

@@ -0,0 +1,24 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: test-job-timeout-enforcer
+spec:
+  steps:
+  - name: 01-apply-policy
+    try:
+    - apiVersion: kyverno.io/v1
+      kind: ClusterPolicy
+      file: job-timeout-enforcer.yaml
+
+  - name: 02-test-valid-job
+    try:
+    - file: resources/valid-job.yaml
+
+  - name: 03-test-invalid-job
+    try:
+    - file: resources/invalid-job.yaml
+    expect:
+      violation:
+        count: 2
+        match:
+        - message: "Jobs must specify activeDeadlineSeconds between 3600 (1 hour) and 86400 (24 hours)"

job-timeout-enforcer/artifacthub-pkg.yaml

@@ -0,0 +1,28 @@
+---
+name: job-timeout-enforcer
+version: 1.0.0
+displayName: Enforce Job Timeouts
+createdAt: "2024-03-20T00:00:00.000Z"
+description: >-
+  Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
+  indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
+  set with a reasonable timeout value between 1 hour and 24 hours.
+install: |-
+  ```sh
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/job-timeout-enforcer/job-timeout-enforcer.yaml
+  ```
+keywords:
+  - job
+  - timeout
+  - resource management
+readme: |
+  # Enforce Job Timeouts
+  
+  Jobs without timeouts can run indefinitely, consuming cluster resources and potentially
+  indicating stuck workloads. This policy ensures all Jobs have an activeDeadlineSeconds
+  set with a reasonable timeout value between 1 hour and 24 hours.
+annotations:
+  kyverno/category: Resource Management
+  kyverno/severity: medium
+  kyverno/subject: Job
+  kyverno/kubernetesVersion: "1.23-1.28"

job-timeout-enforcer/job-timeout-enforcer.yaml

@@ -0,0 +1,28 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: invalid-job-no-timeout
+  namespace: default
+spec:
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: invalid-job-too-short
+  namespace: default
+spec:
+  template:
+    spec:
+      containers:
+      - name: pi
+        image: perl:5.34.0
+        command: ["perl",  "-Mbignum=bpi", "-wle", "print bpi(2000)"]
+      restartPolicy: Never
+  activeDeadlineSeconds: 1800