apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: set-resource-limits-from-config
  annotations:
    policies.kyverno.io/title: "Resource limits из централизованного ConfigMap"
    policies.kyverno.io/category: Resources
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Устанавливает дефолтные resource limits из ConfigMap kyverno-global-config.
      Изменение лимитов для всего кластера — это kubectl edit configmap,
      а не изменение и деплой политики.
spec:
  rules:
  - name: set-limits-from-configmap
    match:
      resources:
        kinds:
        - Pod
    exclude:
      resources:
        namespaces:
        - kube-system
        - kyverno
    context:
    - name: globalConfig
      configMap:
        name: kyverno-global-config
        namespace: kyverno
    mutate:
      foreach:
      - list: "request.object.spec.containers"
        patchStrategicMerge:
          spec:
            containers:
            - name: "{{ element.name }}"
              resources:
                requests:
                  +(memory): "{{ globalConfig.data.\"default.memory.request\" }}"
                  +(cpu): "{{ globalConfig.data.\"default.cpu.request\" }}"
                limits:
                  +(memory): "{{ globalConfig.data.\"default.memory.limit\" }}"
                  +(cpu): "{{ globalConfig.data.\"default.cpu.limit\" }}"