'Limit Priority Class consumption in Kubernetes/AKS
What options are available to me if I want to restrict the usage of Priorty Classes, if I'm running a managed Kubernetes service (AKS)?
The use-case here is that, I am as cluster admin want to restrict the usage of these. So that developers are not using those that are supposed to be used by critical components.
Multi-tenant cluster, semi 0-trust policy. This is something that could be "abused".
Is this something I can achieve with resource quotas even though I'm running Azure Kubernetes Service? https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default
Solution 1:[1]
Cloud managed cluster does not allow you to customize the api-server. In this case, you can use opa gatekeeper or kyverno to write rules that reject un-necessary priority class settings.
Solution 2:[2]
Azure Kubernetes Service has a addon called azure-policy. When you enable this...you will get Gatekeper installed on your cluster. With this you can leverage admission control and validate or mutate requests to the API-server. The great benefit here is that you also have visual reporting of your compliance though Azure Policy in the portal.
# Existing Cluster
az aks enable-addons \
--addons azure-policy \
--name MyAKSCluster \
--resource-group MyResourceGroup
# New Cluster
az aks create \
--name MyAKSCluster \
--resource-group MyResourceGroup \
--enable-addons azure-policy
For your purpose you could now create an Azure Custom Policiy. There are also existing Policy Definitions or Initiative from Azure which you can leverage.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | gohm'c |
| Solution 2 | Philip Welz |