require default namespace resource quota

examples/best_practices/README.md

@@ -17,7 +17,7 @@
 | Require a namespace (disallow default)         | [policy_validate_default_namespace.yaml](policy_validate_default_namespace.yaml)                                                                     |     best_practices            |
 | Prevent mounting of default service account    | [policy_validate_disallow_default_serviceaccount.yaml](policy_validate_disallow_default_serviceaccount.yaml)                                                                      |
 | Require a default network policy               | [policy_validate_default_network_policy.yaml](policy_validate_default_network_policy.yaml)                                                                      |   best_practices            |
-| Require namespace quotas and limit ranges      | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml)                                                                      |
+| Require namespace quotas and limit ranges      | [policy_validate_namespace_quota.yaml](policy_validate_namespace_quota.yaml)                                                                      |     best_practices            |
 | Allow an FSGroup that owns the pod's volumes      | [policy_validate_fsgroup.yaml](policy_validate_fsgroup.yaml)                                                                      |
 | Require SELinux level of the container      | [policy_validate_selinux_context.yaml](policy_validate_selinux_context.yaml)                                                                      |
 | Allow default Proc Mount type      | [policy_validate_default_proc_mount.yaml](policy_validate_default_proc_mount.yaml)                                                                      |

pkg/testrunner/testrunner_test.go

@@ -100,8 +100,8 @@ func Test_validate_not_readonly_rootfilesystem(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_require_readonly_rootfilesystem.yaml")
 }
 
-func Test_validate_namespace_quota(t *testing.T) {
-	testScenario(t, "test/scenarios/test/scenario_validate_namespace_quota.yaml")
+func Test_validate_require_namespace_quota(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_require_namespace_quota.yaml")
 }
 
 func Test_validate_disallow_node_port(t *testing.T) {

samples/best_practices/require_namespace_quota.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1alpha1
+kind: ClusterPolicy
+metadata:
+  name: validate-namespace-quota
+spec:
+  rules:
+  - name: validate-namespace-quota
+    match:
+      resources:
+        kinds:
+        - Namespace
+    generate:
+      kind: ResourceQuota
+      name: "defaultresourcequota"
+      spec:
+        hard:
+          requests.cpu: "*"
+          requests.memory: "*"
+          limits.cpu: "*"
+          limits.memory: "*"

test/manifest/require_namespace_quota.yaml

@@ -0,0 +1,4 @@
+kind: Namespace
+apiVersion: v1
+metadata: 
+    name: "test-namespace-quota"

test/scenarios/test/scenario_validate_require_namespace_quota.yaml

@@ -1,7 +1,7 @@
 # file path relative to project root
 input:
-  policy: examples/best_practices/policy_validate_namespace_quota.yaml
-  resource: examples/best_practices/resources/resource_validate_namespace_quota.yaml
+  policy: samples/best_practices/require_namespace_quota.yaml
+  resource: test/manifest/require_namespace_quota.yaml
 expected:
   generation:
     generatedResources: