53 lines
1.8 KiB
YAML
53 lines
1.8 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: set-resource-limits-from-config
|
|
annotations:
|
|
policies.kyverno.io/title: "Resource limits из централизованного ConfigMap"
|
|
policies.kyverno.io/category: Resources
|
|
policies.kyverno.io/severity: low
|
|
policies.kyverno.io/subject: Pod
|
|
policies.kyverno.io/description: >-
|
|
Устанавливает дефолтные resource limits из ConfigMap kyverno-global-config.
|
|
Изменение лимитов для всего кластера — это kubectl edit configmap,
|
|
а не изменение и деплой политики.
|
|
spec:
|
|
rules:
|
|
- name: set-limits-from-configmap
|
|
match:
|
|
resources:
|
|
kinds:
|
|
- Pod
|
|
exclude:
|
|
resources:
|
|
namespaces:
|
|
- kube-system
|
|
- kyverno
|
|
context:
|
|
- name: globalConfig
|
|
configMap:
|
|
name: kyverno-global-config
|
|
namespace: kyverno
|
|
# - name: globalConfig
|
|
# apiCall:
|
|
# urlPath: "/api/v1/namespaces/kyverno/configmaps/kyverno-global-config"
|
|
# jmesPath: "data"
|
|
# - name: apiCredentials
|
|
# apiCall:
|
|
# urlPath: "/api/v1/namespaces/kyverno/secrets/policy-api-credentials"
|
|
# jmesPath: "data.api-key | base64_decode(@)"
|
|
mutate:
|
|
foreach:
|
|
- list: "request.object.spec.containers"
|
|
patchStrategicMerge:
|
|
spec:
|
|
containers:
|
|
- name: "{{ element.name }}"
|
|
resources:
|
|
requests:
|
|
+(memory): "{{ globalConfig.data.\"default.memory.request\" }}"
|
|
+(cpu): "{{ globalConfig.data.\"default.cpu.request\" }}"
|
|
limits:
|
|
+(memory): "{{ globalConfig.data.\"default.memory.limit\" }}"
|
|
+(cpu): "{{ globalConfig.data.\"default.cpu.limit\" }}"
|