--- apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: annotations: policies.kyverno.io/category: Workload Isolation policies.kyverno.io/description: To limit the number of objects, as well as the total amount of compute that may be consumed by a single namespace, create a default resource quota for each namespace. name: add-ns-quota spec: admission: true background: true rules: - exclude: any: - resources: namespaces: - kube-system - default - kube-public - kyverno generate: apiVersion: v1 data: spec: hard: limits.cpu: "4" limits.memory: 16Gi requests.cpu: "4" requests.memory: 16Gi kind: ResourceQuota name: default-resourcequota namespace: '{{request.object.metadata.name}}' synchronize: true match: any: - resources: kinds: - Namespace name: generate-resourcequota - generate: apiVersion: v1 data: spec: limits: - default: cpu: 500m memory: 1Gi defaultRequest: cpu: 200m memory: 256Mi type: Container kind: LimitRange name: default-limitrange namespace: '{{request.object.metadata.name}}' synchronize: true match: any: - resources: kinds: - Namespace name: generate-limitrange validationFailureAction: Audit