apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-resource-quota
  annotations:
    policies.kyverno.io/title: "Генерация ResourceQuota для Namespace"
    policies.kyverno.io/category: Resources
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Namespace
    policies.kyverno.io/description: >-
      При создании Namespace генерирует ResourceQuota.
      Квота зависит от лейбла tier: standard | premium.
      Значения квот берутся из ConfigMap quota-defaults.
spec:
  rules:
  - name: generate-quota
    match:
      resources:
        kinds:
        - Namespace
    exclude:
      resources:
        names:
        - kube-system
        - kube-public
        - kube-node-lease
        - kyverno
    context:
    - name: quotaConfig
      configMap:
        name: quota-defaults
        namespace: kyverno
    generate:
      apiVersion: v1
      kind: ResourceQuota
      name: default-quota
      namespace: "{{ request.object.metadata.name }}"
      synchronize: true
      data:
        kind: ResourceQuota
        apiVersion: v1
        metadata:
          name: default-quota
          labels:
            generated-by: kyverno
        spec:
          hard:
            # Квота CPU зависит от tier namespace
            requests.cpu: >-
              {{ quotaConfig.data.\"{{ request.object.metadata.labels.tier || 'standard' }}_cpu_request\" || '4' }}
            requests.memory: >-
              {{ quotaConfig.data.\"{{ request.object.metadata.labels.tier || 'standard' }}_memory_request\" || '8Gi' }}
            limits.cpu: >-
              {{ quotaConfig.data.\"{{ request.object.metadata.labels.tier || 'standard' }}_cpu_limit\" || '8' }}
            limits.memory: >-
              {{ quotaConfig.data.\"{{ request.object.metadata.labels.tier || 'standard' }}_memory_limit\" || '16Gi' }}
            pods: "50"
            services: "20"
            persistentvolumeclaims: "10"