From ea25ed846067aeeb4c610e117d694352a5464178 Mon Sep 17 00:00:00 2001
From: Shuting Zhao
Date: Wed, 9 Oct 2019 17:37:31 -0700
Subject: [PATCH] add check-pod-request-limit.yaml
---
 pkg/testrunner/testrunner_test.go | 4 ++++
 .../require_pod_requests_limits.yaml | 24 +++++++++++++++++++
 .../manifest/require_pod_requests_limits.yaml | 15 ++++++++++++
 ..._validate_require_pod_requests_limits.yaml | 18 ++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 samples/best_practices/require_pod_requests_limits.yaml
 create mode 100644 test/manifest/require_pod_requests_limits.yaml
 create mode 100644 test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml
diff --git a/pkg/testrunner/testrunner_test.go b/pkg/testrunner/testrunner_test.go
index 07e4944e80..3a213b9fc3 100644
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@@ -139,3 +139,7 @@ func Test_validate_volume_whitelist(t *testing.T) {
 func Test_validate_whitelist_image_registries(t *testing.T) {
 testScenario(t, "test/scenarios/test/scenario_validate_whitelist_image_registries.yaml")
 }
+
+func Test_require_pod_requests_limits(t *testing.T) {
+ testScenario(t, "test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml")
+}
diff --git a/samples/best_practices/require_pod_requests_limits.yaml b/samples/best_practices/require_pod_requests_limits.yaml
new file mode 100644
index 0000000000..7f472d5ed1
--- /dev/null
+++ b/samples/best_practices/require_pod_requests_limits.yaml
@@ -0,0 +1,24 @@
+apiVersion: kyverno.io/v1alpha1
+kind: Policy
+metadata:
+ name: check-resource
+spec:
+ validationFailureAction: "audit"
+ rules:
+ - name: check-resource-request-limit
+ match:
+ resources:
+ kinds:
+ - Pod
+ validate:
+ message: "CPU and memory resource requests and limits are required"
+ pattern:
+ spec:
+ containers:
+ - resources:
+ requests:
+ memory: "?*"
+ cpu: "?*"
+ limits:
+ memory: "?*"
+ cpu: "?*"
\ No newline at end of file
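Review bot: In pkg/testrunner/testrunner_test.go the added test is named `Test_require_pod_requests_limits`, while the two neighbouring tests visible in the hunk and the scenario file it loads all carry the `validate_` prefix. Naming it `Test_validate_require_pod_requests_limits` would keep it selected by `go test -run Test_validate` together with the other validation scenarios. Only the tail of the file is visible in this hunk, so the convention is inferred from those two neighbours.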
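Review bot: The pattern in samples/best_practices/require_pod_requests_limits.yaml lists only `spec.containers`, so init containers are outside the rule and can still be admitted without requests or limits; the message "CPU and memory resource requests and limits are required" reads as if the whole Pod were covered. Either extend the rule to `initContainers` (it would have to stay optional so pods without init containers still pass) or state the scope in a comment above the pattern. Separately, `validationFailureAction: "audit"` presumably records violations without rejecting the request, so the sample as shipped does not stop an unbounded pod from being scheduled; a comment such as `# audit only reports violations; use "enforce" to block non-compliant pods` next to that field would make the trade-off explicit for anyone copying the sample. The file also ends without a trailing newline.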
diff --git a/test/manifest/require_pod_requests_limits.yaml b/test/manifest/require_pod_requests_limits.yaml
new file mode 100644
index 0000000000..78fc52f700
--- /dev/null
+++ b/test/manifest/require_pod_requests_limits.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod
+ labels:
+ app: myapp
+spec:
+ containers:
+ - name: nginx
+ image: nginx
+ resources:
+ requests:
+ memory: "256Mi"
+ limits:
+ memory: "256Mi"
\ No newline at end of file
diff --git a/test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml b/test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml
new file mode 100644
index 0000000000..5eec300609
--- /dev/null
+++ b/test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml
@@ -0,0 +1,18 @@
+# file path relative to project root
+input:
+ policy: samples/best_practices/require_pod_requests_limits.yaml
+ resource: test/manifest/require_pod_requests_limits.yaml
+expected:
+ validation:
+ policyresponse:
+ policy: check-resource
+ resource:
+ kind: Pod
+ apiVersion: v1
+ namespace: ''
+ name: myapp-pod
+ rules:
+ - name: check-resource-request-limit
+ type: Validation
+ message: Validation rule 'check-resource-request-limit' failed at '/spec/containers/0/resources/limits/cpu/' for resource Pod//myapp-pod. CPU and memory resource requests and limits are required
+ success: false
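Review bot: The fixture test/manifest/require_pod_requests_limits.yaml omits `cpu` under both `requests` and `limits`, yet the scenario pins the failure to the single path `/spec/containers/0/resources/limits/cpu/`. Which of the two missing keys is reported depends on the order in which the engine walks the pattern, which is not visible in this commit; if that order is not fixed, the exact-message comparison can fail intermittently. Adding a `cpu` value under `requests` (for example `cpu: "100m"`, a constructed value) would leave exactly one violation for the expected message to match.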
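Review bot: The scenario in test/scenarios/test/scenario_validate_require_pod_requests_limits.yaml asserts only the rejecting path (`success: false`); nothing in the commit checks that a pod with all four values set passes the rule. A second manifest with complete `requests` and `limits`, paired with a scenario expecting `success: true`, would catch a pattern that fails every pod, which matters once the policy is switched from audit to blocking.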