---
# Kyverno ClusterPolicy that reacts to Namespace objects and generates two
# guard-rail resources inside each one: a ResourceQuota (aggregate CPU/memory
# cap) and a LimitRange (per-container defaults).
#
# NOTE(review): the description annotation mentions limiting the number of
# objects, but the ResourceQuota generated by this policy sets only CPU and
# memory values, and the LimitRange it also generates is not mentioned.
# NOTE(review): generate rules only work if Kyverno's own service account is
# allowed to create and update ResourceQuota and LimitRange objects - confirm
# the RBAC of the deployed Kyverno installation.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-ns-quota
  annotations:
    policies.kyverno.io/category: Workload Isolation
    policies.kyverno.io/description: >-
      To limit the number of objects, as well as the
      total amount of compute that may be consumed by a single namespace, create a
      default resource quota for each namespace.
spec:
  # Apply the policy to admission requests.
  admission: true
  # NOTE(review): the effect of `background` on generate-only policies varies
  # between Kyverno releases - confirm for the deployed version.
  background: true
  rules:
  # Rule: for every matched Namespace, generate a ResourceQuota named
  # default-resourcequota that caps the namespace's aggregate CPU and memory
  # requests and limits.
  #
  # Once a quota constrains requests/limits, Kubernetes rejects pods that omit
  # those values unless defaults are injected; the generate-limitrange rule in
  # this policy supplies such defaults.
  - name: generate-resourcequota
    match:
      any:
      - resources:
          kinds:
          - Namespace
    # Namespaces listed here never receive the quota, so workloads placed in
    # them (including `default`) are not capped by this policy.
    # NOTE(review): this relies on Kyverno comparing `namespaces` with the
    # Namespace object's own name - confirm on the deployed version.
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - default
          - kube-public
          - kyverno
    generate:
      apiVersion: v1
      kind: ResourceQuota
      name: default-resourcequota
      # The quota is created inside the Namespace that triggered the rule.
      namespace: '{{request.object.metadata.name}}'
      # Keep the generated object in sync with this definition, so a change
      # made directly to the quota in the namespace does not persist.
      synchronize: true
      data:
        spec:
          hard:
            # Quoted so the values stay strings (Kubernetes quantities).
            requests.cpu: "4"
            requests.memory: 16Gi
            limits.cpu: "4"
            limits.memory: 16Gi
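  # Rule: for every matched Namespace, generate a LimitRange named
  # default-limitrange that gives containers default CPU/memory requests and
  # limits when their spec omits them.
  - name: generate-limitrange
    match:
      any:
      - resources:
          kinds:
          - Namespace
    # Same exemptions as the generate-resourcequota rule. Without them the
    # system namespaces were exempt from the quota but still received this
    # LimitRange, so containers there that declare no limits would have been
    # given the 500m CPU / 1Gi memory defaults below.
    # NOTE(review): this relies on Kyverno comparing `namespaces` with the
    # Namespace object's own name - confirm on the deployed version.
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - default
          - kube-public
          - kyverno
    generate:
      apiVersion: v1
      kind: LimitRange
      name: default-limitrange
      # The LimitRange is created inside the Namespace that triggered the rule.
      namespace: '{{request.object.metadata.name}}'
      # Keep the generated object in sync with this definition, so a change
      # made directly to the LimitRange in the namespace does not persist.
      synchronize: true
      data:
        spec:
          limits:
          - type: Container
            # Limit applied to a container that declares none.
            default:
              cpu: 500m
              memory: 1Gi
            # Request applied to a container that declares none.
            defaultRequest:
              cpu: 200m
              memory: 256Mi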
  # This setting governs validate rules; every rule in this policy is a
  # generate rule, so it does not decide whether a Namespace is admitted.
  # NOTE(review): newer Kyverno releases appear to move this setting to the
  # rule level - confirm against the deployed version.
  validationFailureAction: Audit