Kubecost Enterprise allows users to define budgets for Namespaces and clusters as well as predict the cost of new Deployments based on historical cost data. By combining these abilities, users can achieve proactive cost controls for clusters with Kubecost installed by denying Deployments which would exceed the remaining configured monthly budget, if applicable. This policy checks for the creation of Deployments and compares the predicted cost of the Deployment to the remaining amount in the monthly budget, if one is found. If the predicted cost is greater than the remaining budget, the Deployment is denied. This policy requires Kubecost Enterprise at a version of 1.108 or greater.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: kubecost-proactive-cost-control
  annotations:
    policies.kyverno.io/title: Kubecost Proactive Cost Control
    policies.kyverno.io/category: Kubecost
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Deployment
    policies.kyverno.io/minversion: 1.11.0
    kyverno.io/kyverno-version: 1.11.4
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      Kubecost Enterprise allows users to define budgets for Namespaces and clusters
      as well as predict the cost of new Deployments based on historical cost data.
      By combining these abilities, users can achieve proactive cost controls for
      clusters with Kubecost installed by denying Deployments which would exceed the
      remaining configured monthly budget, if applicable. This policy checks for the
      creation of Deployments and compares the predicted cost of the Deployment to
      the remaining amount in the monthly budget, if one is found. If the predicted
      cost is greater than the remaining budget, the Deployment is denied.
      This policy requires Kubecost Enterprise at a version of 1.108 or greater.
spec:
  validationFailureAction: Audit
  rules:
  - name: enforce-monthly-namespace-budget
    match:
      any:
      - resources:
          kinds:
          - Deployment
          operations:
          - CREATE
    preconditions:
      all:
      - key: "{{ budget }}"
        operator: NotEquals
        value: nobudget
    context:
    - name: budget
      apiCall:
        method: GET
        service:
          url: http://kubecost-cost-analyzer.kubecost:9090/model/budgets
        jmesPath: data[?values.namespace[?contains(@,'{{ request.namespace }}')]] | [0] || 'nobudget'
    - name: predictedMonthlyCost
      apiCall:
        method: POST
        data:
        - key: apiVersion
          value: "{{ request.object.apiVersion }}"
        - key: kind
          value: "{{ request.object.kind }}"
        - key: spec
          value: "{{ request.object.spec }}"
        service:
          url: http://kubecost-cost-analyzer.kubecost:9090/model/prediction/speccost?clusterID=cluster-one&defaultNamespace=default
        jmesPath: "[0].costChange.totalMonthlyRate"
    - name: remainingBudget
      variable:
        jmesPath: subtract(budget.spendLimit,budget.currentSpend)
    validate:
      message: >-
        This Deployment, which costs ${{ round(predictedMonthlyCost, `2`) }} to run for a month,
        will overrun the remaining budget of ${{ round(remainingBudget,`2`) }}.
        Please seek approval or request a Policy Exception.
      deny:
        conditions:
          all:
          - key: "{{ predictedMonthlyCost }}"
            operator: GreaterThan
            value: "{{ remainingBudget }}"
```
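The rule above is three steps: look up a budget for the request's Namespace, ask Kubecost to predict the Deployment's monthly cost, and deny when that prediction exceeds `spendLimit - currentSpend`. The following Python is an added simulation of that decision logic, not code from Kyverno or Kubecost. It embeds constructed sample responses whose shape is inferred from the policy's own JMESPath expressions (`data[].values.namespace`, `spendLimit`, `currentSpend`, `[0].costChange.totalMonthlyRate`), so it can be run offline to check how the rule would decide before the policy is switched from `Audit` to `Enforce`. It also mirrors one property of the budget lookup as written: JMESPath `contains()` applied to a string element is a substring test, so a short Namespace name can match a longer budget Namespace entry.

```python
import json

# Constructed sample of what /model/budgets is assumed to return.
# Shape inferred from the policy's JMESPath; this is not real Kubecost output.
BUDGETS_RESPONSE = json.loads("""
{
  "data": [
    {"name": "team-a-monthly", "spendLimit": 500.0, "currentSpend": 420.5,
     "values": {"namespace": ["team-a"]}},
    {"name": "team-b-monthly", "spendLimit": 1000.0, "currentSpend": 100.0,
     "values": {"namespace": ["team-b", "team-b-staging"]}}
  ]
}
""")

# Constructed sample of the /model/prediction/speccost response.
PREDICTION_RESPONSE = json.loads("""
[{"costChange": {"totalMonthlyRate": 123.456}}]
""")


def find_budget(budgets, namespace):
    """Mirror of the policy's context lookup:
    data[?values.namespace[?contains(@,'<ns>')]] | [0] || 'nobudget'
    contains() on a string element is a substring test, so "ns in entry" is used,
    and the first matching budget wins, exactly as [0] does in the expression."""
    for budget in budgets.get("data", []):
        entries = budget.get("values", {}).get("namespace", [])
        if any(namespace in entry for entry in entries):
            return budget
    return "nobudget"


def predicted_monthly_cost(prediction):
    """Mirror of jmesPath "[0].costChange.totalMonthlyRate"."""
    return prediction[0]["costChange"]["totalMonthlyRate"]


def evaluate(budgets, prediction, namespace):
    """Return (allowed, message) for a Deployment CREATE in `namespace`.
    The precondition skips the rule entirely when no budget matches."""
    budget = find_budget(budgets, namespace)
    if budget == "nobudget":
        return True, "no budget covers this namespace; rule skipped by precondition"

    cost = predicted_monthly_cost(prediction)
    remaining = budget["spendLimit"] - budget["currentSpend"]   # subtract()
    if cost > remaining:                                          # GreaterThan
        return False, (
            f"This Deployment, which costs ${round(cost, 2)} to run for a month, "
            f"will overrun the remaining budget of ${round(remaining, 2)}. "
            "Please seek approval or request a Policy Exception."
        )
    return True, f"predicted ${round(cost, 2)} fits within remaining ${round(remaining, 2)}"


if __name__ == "__main__":
    for ns in ("team-a", "team-b", "unknown"):
        allowed, msg = evaluate(BUDGETS_RESPONSE, PREDICTION_RESPONSE, ns)
        print(f"{ns:8} -> {'ALLOW' if allowed else 'DENY '} : {msg}")
```

With the sample data, `team-a` has $79.50 left and is denied for a $123.46 prediction, `team-b` has $900 left and is allowed, and a Namespace with no budget is allowed because the precondition never lets the deny condition run. Note that the shipped policy sets `validationFailureAction: Audit`, so in a cluster it only records a policy report entry; the denial the description talks about only happens once that field is changed to `Enforce`.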