Setting CPU limits is arguably a poor practice: when defined, they can starve applications of much-needed CPU cycles even when those cycles are available. Leaving CPU limits unset may help apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: forbid-cpu-limits
  annotations:
    policies.kyverno.io/title: Forbid CPU Limits
    policies.kyverno.io/category: Other
    policies.kyverno.io/subject: Pod
    kyverno.io/kyverno-version: 1.10.0
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: Setting of CPU limits is a debatable poor practice as it can result, when defined, in potentially starving applications of much-needed CPU cycles even when they are available. Ensuring that CPU limits are not set may ensure apps run more effectively. This policy forbids any container in a Pod from defining CPU limits.
spec:
  background: true
  validationFailureAction: Enforce
  rules:
  - name: check-cpu-limits
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: Containers may not define CPU limits.
      pattern:
        spec:
          containers:
          - (name): "*"
            "=(resources)":
              "=(limits)":
                X(cpu): null
```
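The pattern combines a conditional anchor `(name)`, equality anchors `=(resources)` and `=(limits)`, and a negation anchor `X(cpu)`. The Python sketch below is an added example, not part of the policy or of Kyverno's code: it models only those anchors and runs the pattern over constructed Pod specs, including one showing that the pattern as written inspects `spec.containers` but not `spec.initContainers`.

```python
# Simplified model of the Kyverno anchors used in forbid-cpu-limits.
# Assumption: only "(key)", "=(key)", "X(key)" and "*" are modelled here.

PATTERN = {"spec": {"containers": [
    {"(name)": "*", "=(resources)": {"=(limits)": {"X(cpu)": None}}}
]}}

def matches(pattern, value):
    """True when value satisfies pattern under the modelled anchors."""
    if isinstance(pattern, list):  # one pattern element applies to every item
        return isinstance(value, list) and all(matches(pattern[0], v) for v in value)
    if not isinstance(pattern, dict):
        return value is not None and (pattern == "*" or pattern == value)
    if not isinstance(value, dict):
        return False
    for key, sub in pattern.items():  # conditional anchor gates its siblings
        if key.startswith("(") and not matches(sub, value.get(key[1:-1])):
            return True  # condition not met: element is skipped
    for key, sub in pattern.items():
        name = key[2:-1]
        if key.startswith("X("):  # negation: the key must be absent
            if name in value:
                return False
        elif key.startswith("=("):  # equality: checked only when present
            if value.get(name) is not None and not matches(sub, value[name]):
                return False
        elif not key.startswith("(") and not matches(sub, value.get(key)):
            return False  # plain key: must exist and match
    return True

def pod(containers, init=None):
    """Build a constructed Pod manifest for the samples below."""
    spec = {"containers": containers}
    if init:
        spec["initContainers"] = init
    return {"kind": "Pod", "spec": spec}

CPU_LIMITED = {"name": "worker", "resources": {"limits": {"cpu": "500m"}}}
MEM_ONLY = {"name": "app", "resources": {"limits": {"memory": "128Mi"}}}
SAMPLES = {  # constructed inputs, not taken from a real cluster
    "no-resources": pod([{"name": "app"}]),
    "memory-only": pod([MEM_ONLY]),
    "cpu-limit": pod([{"name": "app"}, CPU_LIMITED]),
    "init-cpu-limit": pod([{"name": "app"}], init=[CPU_LIMITED]),
}

def evaluate():
    """Map each sample name to True (admitted) or False (rejected)."""
    return {name: matches(PATTERN, p) for name, p in SAMPLES.items()}
```
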
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.