Require Limits and Requests

Because application workloads share cluster resources, it is important to limit the resources requested and consumed by each Pod. It is recommended to require resource requests and limits per Pod, especially for memory and CPU. If a Namespace-level request or limit is specified, defaults are automatically applied to each Pod based on the LimitRange configuration. This policy validates that all containers specify a value for memory and CPU requests and for memory limits.

Policy Definition

/best-practices/require-pod-requests-limits/require-pod-requests-limits.yaml

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-requests-limits
  annotations:
    policies.kyverno.io/title: Require Limits and Requests
    policies.kyverno.io/category: Best Practices, EKS Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/description: >-
      As application workloads share cluster resources, it is important to limit resources
      requested and consumed by each Pod. It is recommended to require resource requests and
      limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
      defaults will automatically be applied to each Pod based on the LimitRange configuration.
      This policy validates that all containers have something specified for memory and CPU
      requests and memory limits.
spec:
  validationFailureAction: audit
  background: true
  rules:
  - name: validate-resources
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "CPU and memory resource requests and limits are required."
      pattern:
        spec:
          containers:
          - resources:
              requests:
                memory: "?*"
                cpu: "?*"
              limits:
                memory: "?*"
```
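
A pre-admission check of the same three fields, as an added example that is not code from this page or from the Kyverno project: it approximates the rule's pattern in plain Python and runs it over constructed Pod manifests. The function names, the sample Pods, and the choice to treat a field as specified when its value rendered as a string is non-empty are assumptions made for illustration.

```python
# Added example: approximates the rule's pattern check; it is not Kyverno's engine.
# The three fields the policy's pattern marks with "?*".
REQUIRED = (("requests", "memory"), ("requests", "cpu"), ("limits", "memory"))

def missing_fields(container):
    """Return the required resource fields that a container leaves unset."""
    resources = container.get("resources") or {}
    missing = []
    for section, key in REQUIRED:
        value = (resources.get(section) or {}).get(key)
        # "?*" needs at least one character, so absent and empty values both fail.
        if value is None or str(value) == "":
            missing.append(f"{section}.{key}")
    return missing

def audit_pod(pod):
    """Map container name -> missing fields, looking at spec.containers only."""
    findings = {}
    for container in (pod.get("spec") or {}).get("containers") or []:
        gaps = missing_fields(container)
        if gaps:
            findings[container.get("name", "<unnamed>")] = gaps
    return findings

def audit_all(pods):
    """Audit a list of Pod manifests, keyed by metadata.name."""
    return {pod["metadata"]["name"]: audit_pod(pod) for pod in pods}

FULL = {"requests": {"memory": "64Mi", "cpu": "100m"}, "limits": {"memory": "128Mi"}}
# Constructed sample manifests (hypothetical names and values).
SAMPLE_PODS = [
    # No CPU limit, yet compliant: the pattern does not ask for limits.cpu.
    {"metadata": {"name": "compliant"},
     "spec": {"containers": [{"name": "app", "resources": FULL}]}},
    {"metadata": {"name": "no-limits"},
     "spec": {"containers": [{"name": "web", "resources": {
         "requests": {"memory": "64Mi", "cpu": 1}}}]}},
    # One compliant container does not cover a sidecar without resources.
    {"metadata": {"name": "sidecar-gap"},
     "spec": {"containers": [{"name": "app", "resources": FULL},
                             {"name": "logger"}]}},
]

if __name__ == "__main__":
    for pod_name, findings in audit_all(SAMPLE_PODS).items():
        print(pod_name, "PASS" if not findings else f"FAIL {findings}")
```

Like the pattern on this page, the check reads only `spec.containers`, and a Pod is reported as soon as any one of its containers leaves a required field unset.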