To better control the number of resources that can be created in a given Namespace and provide default resource consumption limits for Pods, ResourceQuota and LimitRange resources are recommended. This policy will generate ResourceQuota and LimitRange resources when a new Namespace is created.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: add-ns-quotaannotations:policies.kyverno.io/title: Add Quotapolicies.kyverno.io/category: Multi-Tenancy, EKS Best Practicespolicies.kyverno.io/subject: ResourceQuota, LimitRangepolicies.kyverno.io/minversion: 1.6.0policies.kyverno.io/description: To better control the number of resources that can be created in a given Namespace and provide default resource consumption limits for Pods, ResourceQuota and LimitRange resources are recommended. This policy will generate ResourceQuota and LimitRange resources when a new Namespace is created.spec:rules:- name: generate-resourcequotamatch:any:- resources:kinds:- Namespacegenerate:apiVersion: v1kind: ResourceQuotaname: default-resourcequotasynchronize: truenamespace: "{{request.object.metadata.name}}"data:spec:hard:requests.cpu: "4"requests.memory: 16Gilimits.cpu: "4"limits.memory: 16Gi- name: generate-limitrangematch:any:- resources:kinds:- Namespacegenerate:apiVersion: v1kind: LimitRangename: default-limitrangesynchronize: truenamespace: "{{request.object.metadata.name}}"data:spec:limits:- default:cpu: 500mmemory: 1GidefaultRequest:cpu: 200mmemory: 256Mitype: Container
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
According to EKS best practices, the `aws-node` DaemonSet is configured to use a role assigned to the EC2 instances to assign IPs to Pods. This role includes several AWS managed policies that effectively allow all Pods running on a Node to attach/detach ENIs, assign/unassign IP addresses, or pull images from ECR. Since this presents a risk to your cluster, it is recommended that you update the `aws-node` DaemonSet to use IRSA. This policy ensures that the `aws-node` DaemonSet running in the `kube-system` Namespace is not still using the `aws-node` ServiceAccount.
This policy generates and synchronizes Argo CD cluster secrets from Rancher managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets. In this solution, Argo CD integrates with Rancher managed clusters via the central Rancher authentication proxy which shares the network endpoint of the Rancher API/GUI. The policy implements work-arounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033 "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053 "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".