2019-06-22 16:05:06 -07:00
|
|
|
apiVersion : kyverno.io/v1alpha1
|
|
|
|
|
kind: Policy
|
|
|
|
|
metadata:
|
|
|
|
|
name: policy-qos
|
|
|
|
|
spec:
|
2019-07-25 14:57:44 -04:00
|
|
|
# validationFailureAction: "audit"
|
2019-06-22 16:05:06 -07:00
|
|
|
rules:
|
2019-07-19 20:30:55 -07:00
|
|
|
- name: add-memory-limit
|
2019-07-25 14:57:44 -04:00
|
|
|
match:
|
|
|
|
|
resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Deployment
|
2019-07-29 19:01:17 -07:00
|
|
|
selector :
|
|
|
|
|
matchLabels:
|
|
|
|
|
test: qos
|
2019-07-19 20:30:55 -07:00
|
|
|
mutate:
|
|
|
|
|
overlay:
|
|
|
|
|
spec:
|
|
|
|
|
template:
|
|
|
|
|
spec:
|
|
|
|
|
containers:
|
|
|
|
|
# the wildcard * will match all containers in the list
|
|
|
|
|
- (name): "*"
|
|
|
|
|
resources:
|
|
|
|
|
limits:
|
|
|
|
|
# add memory limit if it is not exist
|
|
|
|
|
"+(memory)": "300Mi"
|
2019-07-25 14:57:44 -04:00
|
|
|
"+(cpu)": "100"
|
2019-07-19 20:30:55 -07:00
|
|
|
- name: check-cpu-memory-limits
|
2019-07-25 14:57:44 -04:00
|
|
|
match:
|
|
|
|
|
resources:
|
|
|
|
|
kinds:
|
|
|
|
|
- Deployment
|
2019-07-29 19:01:17 -07:00
|
|
|
selector :
|
|
|
|
|
matchLabels:
|
|
|
|
|
test: qos
|
2019-07-19 20:30:55 -07:00
|
|
|
validate:
|
|
|
|
|
message: "Resource limits are required for CPU and memory"
|
|
|
|
|
pattern:
|
|
|
|
|
spec:
|
|
|
|
|
template:
|
|
|
|
|
spec:
|
|
|
|
|
containers:
|
|
|
|
|
# match all contianers
|
2019-06-22 16:05:06 -07:00
|
|
|
- (name): "*"
|
|
|
|
|
resources:
|
|
|
|
|
limits:
|
2019-07-19 20:30:55 -07:00
|
|
|
# cpu and memory are required
|
|
|
|
|
memory: "?*"
|
2019-07-23 18:13:05 -07:00
|
|
|
cpu: "?*"
|
