diff --git a/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml b/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
new file mode 100644
index 000000000..b4edddc1d
--- /dev/null
+++ b/other/require-cpu-limits/.chainsaw-test/chainsaw-step-01-assert-1.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-cpu-limits
+status:
+ ready: true
diff --git a/other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml b/other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml
new file mode 100644
index 000000000..6c3d855b7
--- /dev/null
+++ b/other/require-cpu-limits/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: require-cpu-limits
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: ../require-cpu-limits.yaml
+ - patch:
+ resource:
+ apiVersion: kyverno.io/v1
+ kind: ClusterPolicy
+ metadata:
+ name: require-cpu-limits
+ spec:
+ validationFailureAction: Enforce
+ - assert:
+ file: chainsaw-step-01-assert-1.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: pod-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: pod-bad.yaml
+ - apply:
+ file: podcontroller-good.yaml
+ - apply:
+ expect:
+ - check:
+ ($error != null): true
+ file: podcontroller-bad.yaml
diff --git a/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml b/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml
new file mode 100644
index 000000000..9a135528d
--- /dev/null
+++ b/other/require-cpu-limits/.chainsaw-test/pod-bad.yaml
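Review bot: In chainsaw-test.yaml step-02, both negative cases assert only `($error != null): true`, so any failed apply satisfies them, whether it is a denial from require-cpu-limits, a schema error in a fixture, or another admission policy on the test cluster. A regression that stops this policy from matching could then go unnoticed as long as something else rejects the resource. If chainsaw's `$error` binding carries the webhook response text, tying the check to this policy's message would close that gap, for example `(contains($error, 'CPU limits are required')): true`; this should be verified against the chainsaw version in use.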
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod01
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod03
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ - name: container02
+ image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod05
+spec:
+ initContainers:
+ - name: initcontainer01
+ image: busybox:1.35
+ containers:
+ - name: container01
+ image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod06
+spec:
+ initContainers:
+ - name: initcontainer01
+ image: busybox:1.35
+ - name: initcontainer02
+ image: busybox:1.35
+ resources:
+ limits:
+ cpu: "50m"
+ containers:
+ - name: container01
+ image: busybox:1.35
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod07
+spec:
+ initContainers:
+ - name: initcontainer01
+ image: busybox:1.35
+ - name: initcontainer02
+ image: busybox:1.35
+ containers:
+ - name: container01
+ image: busybox:1.35
+ resources:
+ limits:
+ cpu: "50m"
+ - name: container02
+ image: busybox:1.35
diff --git a/other/require-cpu-limits/.chainsaw-test/pod-good.yaml b/other/require-cpu-limits/.chainsaw-test/pod-good.yaml
new file mode 100644
index 000000000..cadee0f49
--- /dev/null
+++ b/other/require-cpu-limits/.chainsaw-test/pod-good.yaml
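Review bot: None of the Pods in pod-bad.yaml isolates the `=(initContainers)` branch of the pattern: in badpod05, badpod06 and badpod07 at least one regular container also has no CPU limit, so each would be rejected by the `containers` block alone. A break in the init-container check would therefore not fail this suite, and an init container without a limit could be admitted unnoticed. I would add a fixture where every regular container sets `cpu: "50m"` and only the init container omits `resources`; the same gap appears in podcontroller-bad.yaml and .kyverno-test/resource.yaml. The bad fixtures also use `busybox:1.35` while the good ones pin a digest, so the two sets differ in more than the property under test.

```yaml
# suggested extra fixture; the name badpod08 is illustrative
---
apiVersion: v1
kind: Pod
metadata:
  name: badpod08
spec:
  initContainers:
  - name: initcontainer01
    image: busybox:1.35
  containers:
  - name: container01
    image: busybox:1.35
    resources:
      limits:
        cpu: "50m"
```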
@@ -0,0 +1,97 @@ +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: 
"50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" diff --git a/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml b/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml new file mode 100644 index 000000000..ac56be204 --- /dev/null +++ b/other/require-cpu-limits/.chainsaw-test/podcontroller-bad.yaml 
@@ -0,0 +1,158 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35 + - name: container02 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: 
initcontainer01 + image: busybox:1.35 + containers: + - name: container01 + image: busybox:1.35 +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35 + - name: initcontainer02 + image: busybox:1.35 + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35 +--- diff --git a/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml b/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml new file mode 100644 index 000000000..330e0e9cb --- /dev/null +++ b/other/require-cpu-limits/.chainsaw-test/podcontroller-good.yaml 
@@ -0,0 +1,271 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: 
busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: 
+ - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: initcontainer02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + containers: + - name: container01 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" + - name: container02 + image: busybox:1.35@sha256:5b6e7aeda43f426b6423f60da863e2e6015c9983c957cf1b068120aea609261d + resources: + limits: + cpu: "50m" diff --git a/other/require-cpu-limits/.kyverno-test/kyverno-test.yaml b/other/require-cpu-limits/.kyverno-test/kyverno-test.yaml new file mode 100644 index 000000000..8dc751676 
--- /dev/null
+++ b/other/require-cpu-limits/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,73 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-cpu-limits
+policies:
+- ../require-cpu-limits.yaml
+resources:
+- resource.yaml
+results:
+- kind: CronJob
+ policy: require-cpu-limits
+ resources:
+ - badcronjob01
+ - badcronjob02
+ - badcronjob03
+ - badcronjob04
+ - badcronjob05
+ - badcronjob06
+ result: fail
+ rule: check-cpu-limits
+- kind: Deployment
+ policy: require-cpu-limits
+ resources:
+ - baddeployment01
+ - baddeployment02
+ - baddeployment03
+ - baddeployment04
+ - baddeployment05
+ - baddeployment06
+ result: fail
+ rule: check-cpu-limits
+- kind: Pod
+ policy: require-cpu-limits
+ resources:
+ - badpod01
+ - badpod02
+ - badpod03
+ - badpod04
+ - badpod05
+ - badpod06
+ - badpod07
+ result: fail
+ rule: check-cpu-limits
+- kind: CronJob
+ policy: require-cpu-limits
+ resources:
+ - goodcronjob01
+ - goodcronjob02
+ - goodcronjob03
+ - goodcronjob04
+ - goodcronjob05
+ result: pass
+ rule: check-cpu-limits
+- kind: Deployment
+ policy: require-cpu-limits
+ resources:
+ - gooddeployment01
+ - gooddeployment02
+ - gooddeployment03
+ - gooddeployment04
+ - gooddeployment05
+ result: pass
+ rule: check-cpu-limits
+- kind: Pod
+ policy: require-cpu-limits
+ resources:
+ - goodpod01
+ - goodpod02
+ - goodpod03
+ - goodpod04
+ - goodpod05
+ result: pass
+ rule: check-cpu-limits
diff --git a/other/require-cpu-limits/.kyverno-test/resource.yaml b/other/require-cpu-limits/.kyverno-test/resource.yaml
new file mode 100644
index 000000000..441cd0c9d
--- /dev/null
+++ b/other/require-cpu-limits/.kyverno-test/resource.yaml
@@ -0,0 +1,684 @@ +###### Pods - Bad +apiVersion: v1 +kind: Pod +metadata: + name: badpod01 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod02 +spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod03 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod04 +spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod06 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: v1 +kind: Pod +metadata: + name: badpod07 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename +--- +###### Pods - Good +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod01 +spec: + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod02 +spec: + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: 
dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod03 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod04 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: v1 +kind: Pod +metadata: + name: goodpod05 +spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + +###### Deployments - Bad +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + 
app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment05 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baddeployment06 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +###### Deployments - Good +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment01 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: 
dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment02 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment03 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment04 +spec: + replicas: 1 + selector: + matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gooddeployment05 +spec: + replicas: 1 + selector: + 
matchLabels: + app: app + template: + metadata: + labels: + app: app + spec: + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + +###### CronJobs - Bad +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename + - name: container02 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + 
- name: initcontainer01 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: badcronjob06 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename + - name: initcontainer02 + image: dummyimagename + containers: + - name: container01 + image: dummyimagename +###### CronJobs - Good +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob01 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob02 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob03 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob04 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + 
template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: goodcronjob05 +spec: + schedule: "*/1 * * * *" + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + initContainers: + - name: initcontainer01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: initcontainer02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + containers: + - name: container01 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" + - name: container02 + image: dummyimagename@sha256:af21f7f62c57958b7e5f31c334e37fd5e4c4710aeb1e83b7b235a8d9a7d097b7 + resources: + limits: + cpu: "500m" diff --git a/other/require-cpu-limits/artifacthub-pkg.yml b/other/require-cpu-limits/artifacthub-pkg.yml new file mode 100644 index 000000000..125a5efc9 --- /dev/null +++ b/other/require-cpu-limits/artifacthub-pkg.yml 
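Review bot: In .kyverno-test/resource.yaml, badpod02 and badpod04 have the same spec as badpod01 and badpod03, and the same holds for baddeployment02/04 and badcronjob02/04, so six of the nineteen failing fixtures add no coverage. badpod06 here also has no limit on any container, whereas the chainsaw badpod06 sets `cpu: "50m"` on initcontainer02 only, so the partially-limited init-container case is missing from the CLI test. Presumably the 02/04 fixtures were carried over from a policy with more than one required field; either drop them together with their entries in kyverno-test.yaml, or give them a distinct shape such as `resources.requests.cpu` set without `limits.cpu`, which the policy should also reject.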
@@ -0,0 +1,22 @@
+name: require-cpu-limits
+version: 1.0.0
+displayName: Require CPU Limits
+createdAt: "2024-05-19T20:30:06.000Z"
+description: >-
+ Setting CPU limits on pods ensures fair distribution of resources, preventing any single pod from monopolizing CPU and impacting the performance of other pods. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/require-cpu-limits/require-cpu-limits.yaml
+ ```
+keywords:
+- kyverno
+- Other
+readme: |
+ Setting CPU limits on pods ensures fair distribution of resources, preventing any single pod from monopolizing CPU and impacting the performance of other pods. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container.
+
+ Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+ kyverno/category: "Other"
+ kyverno/kubernetesVersion: "1.26"
+ kyverno/subject: "Pod"
+digest: 1d9998010342080ae64f309befdf52065de557cdcc10ddf68d8476b5af93d505
diff --git a/other/require-cpu-limits/require-cpu-limits.yaml b/other/require-cpu-limits/require-cpu-limits.yaml
new file mode 100644
index 000000000..7e7ec5a20
--- /dev/null
+++ b/other/require-cpu-limits/require-cpu-limits.yaml
@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-cpu-limits
+ annotations:
+ policies.kyverno.io/title: Require CPU Limits
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Pod
+ kyverno.io/kubernetes-version: "1.26"
+ policies.kyverno.io/description: >-
+ Setting CPU limits on containers ensures fair distribution of resources, preventing any single container from monopolizing CPU and impacting the performance of other containers. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that cpu limits are set on every container.
+spec:
+ validationFailureAction: Audit
+ background: true
+ rules:
+ - name: check-cpu-limits
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ message: "CPU limits are required for all containers."
+ pattern:
+ spec:
+ containers:
+ - (name): "*"
+ resources:
+ limits:
+ cpu: "?*"
+ =(ephemeralContainers):
+ - =(name): "*"
+ resources:
+ limits:
+ cpu: "?*"
+ =(initContainers):
+ - =(name): "*"
+ resources:
+ limits:
+ cpu: "?*"
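Review bot: The `=(ephemeralContainers)` block requires `resources.limits.cpu` on every ephemeral container, but as far as I know the Kubernetes API does not permit `resources` on ephemeral containers, so that branch can never be satisfied. Once `validationFailureAction` is switched to `Enforce`, any Pod evaluated with an ephemeral container present would be rejected, which could block `kubectl debug` during incident response; no fixture in this commit exercises the branch, so the tests would not show it. I would drop the `=(ephemeralContainers)` stanza, or keep it with a comment explaining why it is intended. Separately, `containers` uses `(name): "*"` while the other two lists use `=(name): "*"`; if the difference is deliberate, a one-line comment such as `# conditional anchor: apply to every named container` would help.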