Resource requests often need to be tailored to the type of workload in the container/Pod. With many different types of applications in a cluster, enforcing hard limits on requests or limits may not work, and a ratio may be better suited instead. This policy checks every container in a Pod and ensures that its memory limit is no more than 2.5x its memory request.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: enforce-resources-as-ratio
  annotations:
    policies.kyverno.io/title: Enforce Resources as Ratio
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.6.0
    policies.kyverno.io/minversion: 1.6.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Resource requests often need to be tailored to the type of workload in the container/Pod.
      With many different types of applications in a cluster, enforcing hard limits on requests
      or limits may not work and a ratio may be better suited instead. This policy checks every
      container in a Pod and ensures that memory limits are no more than 2.5x its requests.
spec:
  validationFailureAction: Audit
  rules:
  - name: check-memory-requests-limits
    match:
      any:
      - resources:
          kinds:
          - Pod
    preconditions:
      any:
      - key: "{{ request.operation || 'BACKGROUND' }}"
        operator: AnyIn
        value:
        - CREATE
        - UPDATE
    validate:
      message: Limits may not exceed 2.5x the requests.
      foreach:
      - list: request.object.spec.containers
        deny:
          conditions:
            any:
            - key: "{{ divide('{{ element.resources.limits.memory || '0' }}', '{{ element.resources.requests.memory || '1m' }}') }}"
              operator: GreaterThan
              value: 2.5
```
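To see which containers the deny condition flags, the following added example (not part of the policy page and not Kyverno's own code) models the ratio check in Python, including the policy's fallback values `'0'` for a missing limit and `'1m'` for a missing request. The quantity parser, the function names and the sample Pod are assumptions made for illustration; the parser covers only a subset of Kubernetes quantity suffixes.

```python
# Added example: a model of the policy's ratio check, not Kyverno's code.
from decimal import Decimal
import re

# Subset of Kubernetes quantity suffixes: binary, decimal, and milli ("m").
SUFFIXES = {
    "Ki": Decimal(2) ** 10, "Mi": Decimal(2) ** 20, "Gi": Decimal(2) ** 30,
    "Ti": Decimal(2) ** 40, "k": Decimal(10) ** 3, "M": Decimal(10) ** 6,
    "G": Decimal(10) ** 9, "T": Decimal(10) ** 12,
    "m": Decimal("0.001"), "": Decimal(1),
}
QUANTITY = re.compile(r"^(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|k|M|G|T|m|)$")

def parse_quantity(text):
    """Convert a Kubernetes quantity string such as '256Mi' to bytes."""
    match = QUANTITY.match(str(text))
    if not match:
        raise ValueError(f"unsupported quantity: {text!r}")
    return Decimal(match.group(1)) * SUFFIXES[match.group(2)]

def memory_ratio(container):
    """limit / request, applying the policy's fallbacks '0' and '1m'."""
    resources = container.get("resources") or {}
    limit = (resources.get("limits") or {}).get("memory") or "0"
    request = (resources.get("requests") or {}).get("memory") or "1m"
    return parse_quantity(limit) / parse_quantity(request)

def violations(pod, max_ratio=Decimal("2.5")):
    """Names of containers the deny condition (ratio > 2.5) would flag."""
    return [c["name"] for c in pod["spec"]["containers"]
            if memory_ratio(c) > max_ratio]

# Constructed sample Pod, written as the dict form of its manifest.
SAMPLE_POD = {"spec": {"containers": [
    {"name": "at-bound", "resources": {"requests": {"memory": "100Mi"}, "limits": {"memory": "250Mi"}}},
    {"name": "over", "resources": {"requests": {"memory": "100Mi"}, "limits": {"memory": "256Mi"}}},
    {"name": "mixed-units", "resources": {"requests": {"memory": "1Gi"}, "limits": {"memory": "2G"}}},
    {"name": "no-limit", "resources": {"requests": {"memory": "64Mi"}}},
    {"name": "no-request", "resources": {"limits": {"memory": "64Mi"}}},
]}}

if __name__ == "__main__":
    for c in SAMPLE_POD["spec"]["containers"]:
        print(f"{c['name']:12} ratio={memory_ratio(c):.3f}")
    print("flagged:", violations(SAMPLE_POD))
```

A ratio of exactly 2.5 passes because the operator is `GreaterThan`, a container with no limit evaluates to 0 and passes, and a container evaluated with the `'1m'` request fallback (one thousandth of a byte) is always flagged.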
This policy prevents the use of the default project in an Application.
This policy prevents updates to the project field after an Application is created.
This policy ensures that the name of the ApplicationSet is the same value provided in the project.