add check-pod-request-limit.yaml

pkg/testrunner/testrunner_test.go

@@ -139,3 +139,7 @@ func Test_validate_volume_whitelist(t *testing.T) {
 func Test_validate_whitelist_image_registries(t *testing.T) {
 	testScenario(t, "test/scenarios/test/scenario_validate_whitelist_image_registries.yaml")
 }
+
+func Test_require_pod_requests_limits(t *testing.T) {
+	testScenario(t, "test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml")
+}

samples/best_practices/require_pod_requests_limits.yaml

@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+  name: check-resource
+spec:
+  validationFailureAction: "audit"
+  rules:
+  - name: check-resource-request-limit
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "CPU and memory resource requests and limits are required"
+      pattern:
+        spec:
+          containers:
+          - resources:
+              requests:
+                memory: "?*"
+                cpu: "?*"
+              limits:
+                memory: "?*"
+                cpu: "?*"

test/manifest/require_pod_requests_limits.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+spec: 
+  containers:
+  - name: nginx
+    image: nginx
+    resources:
+      requests:
+        memory: "256Mi"
+      limits:
+        memory: "256Mi"

test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml

@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+  policy: samples/best_practices/require_pod_requests_limits.yaml
+  resource: test/manifest/require_pod_requests_limits.yaml
+expected:
+  validation:
+    policyresponse:
+      policy: check-resource
+      resource:
+        kind: Pod
+        apiVersion: v1
+        namespace: ''
+        name: myapp-pod
+      rules:
+        - name: check-resource-request-limit
+          type: Validation
+          message: Validation rule 'check-resource-request-limit' failed at '/spec/containers/0/resources/limits/cpu/' for resource Pod//myapp-pod. CPU and memory resource requests and limits are required
+          success: false