Limit Priority Class consumption in Kubernetes/AKS

Time:11-03

What options are available to me if I want to restrict the usage of Priority Classes, if I'm running a managed Kubernetes service (AKS)?

The use-case here is that I, as cluster admin, want to restrict the usage of these, so that developers are not using those that are supposed to be used by critical components.

Multi-tenant cluster, semi 0-trust policy. This is something that could be "abused".

Is this something I can achieve with resource quotas even though I'm running Azure Kubernetes Service? https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default
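The quota mechanism linked above is part of the core Kubernetes API, so it can be tried on AKS without touching the api-server. As an added example (not part of the original question), this is a ResourceQuota for a hypothetical tenant namespace `team-a` that allows zero pods using either of the built-in system priority classes; any pod in that namespace that sets `priorityClassName` to one of them is rejected at admission with a quota error. The namespace name is an assumption.

```yaml
# Added example: block the built-in system priority classes in one tenant namespace.
# Namespace "team-a" is a constructed placeholder; apply one such quota per tenant namespace.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: deny-system-priority-classes
  namespace: team-a
spec:
  hard:
    pods: "0"            # no pod may match the scope below
  scopeSelector:
    matchExpressions:
      - scopeName: PriorityClass
        operator: In
        values:
          - system-cluster-critical
          - system-node-critical
```

Note that this only covers the two default classes and only the namespaces where the quota exists; a tenant who can create namespaces or PriorityClass objects is not constrained by it, which is why an admission policy (as in the answers below) is the more complete control.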

CodePudding user response:

Cloud managed cluster does not allow you to customize the api-server. In this case, you can use OPA Gatekeeper or Kyverno to write rules that reject unnecessary priority class settings.

CodePudding user response:

Azure Kubernetes Service has an addon called azure-policy. When you enable this...you will get Gatekeeper installed on your cluster. With this you can leverage admission control and validate or mutate requests to the API-server. The great benefit here is that you also have visual reporting of your compliance through Azure Policy in the portal.

# Existing Cluster
az aks enable-addons \
  --addons azure-policy \
  --name MyAKSCluster \
  --resource-group MyResourceGroup

# New Cluster
az aks create \
  --name MyAKSCluster \
  --resource-group MyResourceGroup \
  --enable-addons azure-policy

For your purpose you could now create an Azure Custom Policy. There are also existing Policy Definitions or Initiatives from Azure which you can leverage.
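As an added example (not code from the original answer or from Azure), the same rule expressed directly as a Gatekeeper ConstraintTemplate plus Constraint, which is what an Azure custom policy for AKS ultimately wraps. The template takes the list of reserved class names as a parameter; the constraint denies any Pod outside `kube-system` that requests one of them. The template and constraint names are assumptions.

```yaml
# Added example: Gatekeeper policy reserving named PriorityClasses for cluster components.
# Names "k8srestrictedpriorityclass" / "reserve-system-priority-classes" are constructed.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srestrictedpriorityclass
spec:
  crd:
    spec:
      names:
        kind: K8sRestrictedPriorityClass
      validation:
        openAPIV3Schema:
          type: object
          properties:
            restrictedClasses:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srestrictedpriorityclass

        # One violation per pod whose priorityClassName is in the restricted list.
        violation[{"msg": msg}] {
          pc := input.review.object.spec.priorityClassName
          pc == input.parameters.restrictedClasses[_]
          msg := sprintf("priorityClassName %q is reserved for cluster components", [pc])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictedPriorityClass
metadata:
  name: reserve-system-priority-classes
spec:
  enforcementAction: deny          # switch to "dryrun" first to audit existing workloads
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system"]
  parameters:
    restrictedClasses:
      - system-cluster-critical
      - system-node-critical
```

Matching on Pod (rather than Deployment) catches every creation path, including controllers and direct `kubectl run`; Gatekeeper's audit mode will also list already-running pods that violate the constraint, which is the compliance view the azure-policy addon surfaces in the portal.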
