42 lines
1.3 KiB
YAML
42 lines
1.3 KiB
YAML
{{- if .Values.resourceLimits.enabled }}
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: require-resource-limits
|
|
annotations:
|
|
policies.kyverno.io/title: "Обязательные resource limits"
|
|
policies.kyverno.io/category: Resources
|
|
policies.kyverno.io/severity: high
|
|
policies.kyverno.io/version: {{ .Chart.Version }}
|
|
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }}
|
|
spec:
|
|
validationFailureAction: {{ .Values.resourceLimits.failureAction | default .Values.global.failureAction }}
|
|
background: true
|
|
rules:
|
|
- name: check-container-limits
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
{{- range .Values.global.excludedNamespaces }}
|
|
- {{ . }}
|
|
{{- end }}
|
|
validate:
|
|
message: >-
|
|
Контейнер '{{ "{{" }} element.name {{ "}}" }}' не имеет resource limits.
|
|
Добавьте resources.limits.memory и resources.limits.cpu.
|
|
foreach:
|
|
- list: >-
|
|
request.object.spec.containers[] |
|
|
merge(request.object.spec.initContainers[] || `[]`, @) |
|
|
merge(request.object.spec.ephemeralContainers[] || `[]`, @)
|
|
pattern:
|
|
resources:
|
|
limits:
|
|
memory: "?*"
|
|
cpu: "?*"
|
|
{{- end }}
|