apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: set-dynamic-resource-limits
  annotations:
    policies.kyverno.io/title: "Dynamic resource limits from ConfigMap"
    policies.kyverno.io/category: Resources
    policies.kyverno.io/severity: low
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Sets resource limits based on the pod's service-type label.
      Values are read from the kyverno-global-config ConfigMap in the
      kyverno namespace. Changing the limits is a kubectl edit configmap,
      not a policy change.
      Labels: service-type: api | worker | (default)
spec:
  rules:
    - name: set-limits-from-config
      match:
        resources:
          kinds:
            - Pod
      exclude:
        resources:
          namespaces:
            - kube-system
            - kyverno
      context:
        # Load the ConfigMap once per admission request as the variable globalConfig.
        - name: globalConfig
          configMap:
            name: kyverno-global-config
            namespace: kyverno
      mutate:
        foreach:
          - list: "request.object.spec.containers"
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    resources:
                      limits:
                        # +(key) is the add-if-absent anchor: a limit the container
                        # already defines is left untouched.
                        # The inner {{ }} resolves the pod's service-type label (or
                        # 'default') first; the outer expression then looks up the
                        # <service-type>_memory key and falls back to 256Mi.
                        # Inside a block scalar (>-) the quotes are written unescaped.
                        +(memory): >-
                          {{ globalConfig.data."{{ request.object.metadata.labels."service-type" || 'default' }}_memory" || '256Mi' }}
                        # Same lookup for the <service-type>_cpu key, falling back to 250m.
                        +(cpu): >-
                          {{ globalConfig.data."{{ request.object.metadata.labels."service-type" || 'default' }}_cpu" || '250m' }}