As application workloads share cluster resources, it is important to limit resources requested and consumed by each Pod. It is recommended to require resource requests and limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on the LimitRange configuration. This policy validates that all containers have something specified for memory and CPU requests and memory limits.
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: require-requests-limitsannotations:policies.kyverno.io/title: Require Limits and Requestspolicies.kyverno.io/category: Best Practices, EKS Best Practicespolicies.kyverno.io/severity: mediumpolicies.kyverno.io/subject: Podpolicies.kyverno.io/minversion: 1.6.0policies.kyverno.io/description: As application workloads share cluster resources, it is important to limit resources requested and consumed by each Pod. It is recommended to require resource requests and limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified, defaults will automatically be applied to each Pod based on the LimitRange configuration. This policy validates that all containers have something specified for memory and CPU requests and memory limits.spec:validationFailureAction: Auditbackground: truerules:- name: validate-resourcesmatch:any:- resources:kinds:- Podvalidate:message: CPU and memory resource requests and memory limits are required for containers.pattern:spec:containers:- resources:requests:memory: "?*"cpu: "?*"limits:memory: "?*""=(initContainers)":- resources:requests:memory: "?*"cpu: "?*"limits:memory: "?*""=(ephemeralContainers)":- resources:requests:memory: "?*"cpu: "?*"limits:memory: "?*"
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.
This policy ensures that the name of the ApplicationSet is the same value provided in the project.