update add_ns_quota

2024-12-14 11:57:48 +00:00 · 2019-11-10 20:58:57 -08:00 · 2019-11-10 20:58:57 -08:00 · f668113904
commit f668113904
parent a6d5fb6e30
5 changed files with 24 additions and 24 deletions
--- a/pkg/testrunner/testrunner_test.go
+++ b/pkg/testrunner/testrunner_test.go
@ -56,8 +56,8 @@ func Test_validate_ro_rootfs(t *testing.T) {
 	testScenario(t, "test/scenarios/samples/best_practices/require_ro_rootfs.yaml")
 }

-func Test_validate_require_namespace_quota(t *testing.T) {
-	testScenario(t, "test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml")
+func Test_add_ns_quota(t *testing.T) {
+	testScenario(t, "test/scenarios/samples/best_practices/add_ns_quota.yaml")
 }

 func Test_validate_disallow_node_port(t *testing.T) {
--- a/samples/AddNamespaceResourceQuota.md
+++ b/samples/AddNamespaceResourceQuota.md
@ -8,28 +8,28 @@ To limit the number of resources like CPU and memory, as well as objects that ma

 ## Policy YAML 

-[require_namespace_quota.yaml](best_practices/require_namespace_quota.yaml) 
+[add_ns_quota.yaml](best_practices/add_ns_quota.yaml) 

 ````yaml
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: generate-namespace-quota
+  name: add-ns-quota
 spec:
  rules:
-  - name: generate-namespace-quota
+  - name: generate-resourcequota
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: ResourceQuota
-      name: "defaultresourcequota"
+      name: "default-resourcequota"
      data:
        spec:
          hard:
            requests.cpu: '4'
            requests.memory: '16Gi'
-            limits.cpu: '4'
-            limits.memory: '16Gi'
+            limits.cpu: $(../../requests/cpu)
+            limits.memory: $(../../requests/memory)
 ````
--- a/samples/README.md
+++ b/samples/README.md
@ -48,10 +48,10 @@ These policies are highly recommended.
 10. [Disallow latest image tag](DisallowLatestTag.md)
 11. [Disallow Helm Tiller](DisallowHelmTiller.md)
 12. [Restrict image registries](RestrictImageRegistries.md)
-13. [Require namespace limits and quotas](RequireNSLimitsQuotas.md)
-14. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
-15. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
-16. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
+13. [Require pod resource requests and limits](RequirePodRequestsLimits.md)
+14. [Require pod `livenessProbe` and `readinessProbe`](RequirePodProbes.md)
+15. [Default deny all ingress traffic](DefaultDenyAllIngress.md)
+16. [Add namespace resource quotas](AddNamespaceResourceQuota.md)
 17. [Add `safe-to-evict` for pods with `emptyDir` and `hostPath` volumes](AddSafeToEvict.md)

 ## Additional Policies
--- a/samples/best_practices/require_namespace_quota.yaml
+++ b/samples/best_practices/require_namespace_quota.yaml
@ -1,26 +1,27 @@
 apiVersion: kyverno.io/v1alpha1
 kind: ClusterPolicy
 metadata:
-  name: generate-namespace-quota
+  name: add-ns-quota
  annotations:
-    policies.kyverno.io/category: Resource Quota
+    policies.kyverno.io/category: Isolation
    policies.kyverno.io/description: To limit the number of objects, as well as the 
-      total amount of compute that may be consumed by an application, it is important 
-      to create resource limits and quotas for each namespace.
+      total amount of compute that may be consumed by a single namespace, create 
+      a default resource quota for each namespace.
 spec:
  rules:
-  - name: generate-namespace-quota
+  - name: generate-resourcequota
    match:
      resources:
        kinds:
        - Namespace
    generate:
      kind: ResourceQuota
-      name: "defaultresourcequota"
+      name: "default-resourcequota"
      data:
        spec:
          hard:
            requests.cpu: 4
            requests.memory: 16Gi
            limits.cpu: 4
-            limits.memory: 16Gi
+            limits.cpu: $(../../requests/cpu)
+            limits.memory: $(../../requests/memory)
--- a/test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml
+++ b/test/scenarios/samples/best_practices/scenario_validate_require_namespace_quota.yaml
@ -1,22 +1,21 @@
 # file path relative to project root
 input:
-  policy: samples/best_practices/require_namespace_quota.yaml
+  policy: samples/best_practices/add_ns_quota.yaml
  resource: test/resources/require_namespace_quota.yaml
 expected:
  generation:
    generatedResources:
-      - name: defaultresourcequota
+      - name: default-resourcequota
        kind: ResourceQuota
        namespace: test-namespace-quota
    policyresponse:
-      policy: generate-namespace-quota
+      policy: add-ns-quota
      resource:
        kind: Namespace
        apiVersion: v1
        namespace: ''
        name: test-namespace-quota
      rules:
-        - name: generate-namespace-quota
+        - name: generate-resourcequota
          type: Generation
          success: true
-          message: created resource ResourceQuota/test-namespace-quota/defaultresourcequota