Setting CPU limits on containers ensures fair distribution of resources, preventing any single container from monopolizing CPU and impacting the performance of other containers. This practice enhances stability, predictability, and cost control, while also mitigating the noisy neighbor problem and facilitating efficient scaling in Kubernetes clusters. This policy ensures that CPU limits are set on every container.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-cpu-limits
  annotations:
    policies.kyverno.io/title: Require CPU Limits
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    kyverno.io/kubernetes-version: "1.26"
    policies.kyverno.io/description: >-
      Setting CPU limits on containers ensures fair distribution of resources,
      preventing any single container from monopolizing CPU and impacting the
      performance of other containers. This practice enhances stability,
      predictability, and cost control, while also mitigating the noisy neighbor
      problem and facilitating efficient scaling in Kubernetes clusters. This
      policy ensures that cpu limits are set on every container.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: check-cpu-limits
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: CPU limits are required for all containers.
      pattern:
        spec:
          containers:
          - (name): "*"
            resources:
              limits:
                cpu: "?*"
          "=(ephemeralContainers)":
          - "=(name)": "*"
            resources:
              limits:
                cpu: "?*"
          "=(initContainers)":
          - "=(name)": "*"
            resources:
              limits:
                cpu: "?*"
```
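As an added illustration (not part of the Kyverno policy or project), the check below mirrors what the pattern above enforces so manifests can be screened offline before admission: every entry in `containers` needs a non-empty `resources.limits.cpu` (`"?*"` means at least one character), while `initContainers` and `ephemeralContainers` are conditional anchors (`"=(...)"`) and are only checked when present. The Pod manifests are constructed sample input expressed as Python dicts.

```python
# Added example: offline pre-check equivalent to the require-cpu-limits pattern.
# Pod specs are plain dicts (constructed samples), so no YAML library is needed.

CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def has_cpu_limit(container: dict) -> bool:
    """True when resources.limits.cpu exists and is non-empty (Kyverno "?*")."""
    cpu = container.get("resources", {}).get("limits", {}).get("cpu")
    return cpu is not None and str(cpu) != ""


def check_pod_cpu_limits(pod: dict) -> list[str]:
    """Return '<field>/<container name>' for every container lacking a CPU limit.

    'containers' is an unconditional key in the pattern, so a Pod spec without it
    fails outright; the other two lists are only validated when they are present.
    """
    spec = pod.get("spec", {})
    if "containers" not in spec:
        return ["containers/<field missing>"]
    missing = []
    for field in CONTAINER_FIELDS:
        for c in spec.get(field) or []:
            if not has_cpu_limit(c):
                missing.append(f"{field}/{c.get('name', '<unnamed>')}")
    return missing


# Constructed sample manifests.
COMPLIANT_POD = {"spec": {
    "containers": [{"name": "web", "resources": {"limits": {"cpu": "500m"}}}],
    "initContainers": [{"name": "init", "resources": {"limits": {"cpu": "100m"}}}],
}}

NONCOMPLIANT_POD = {"spec": {
    "containers": [
        {"name": "app", "resources": {"limits": {"memory": "256Mi"}}},  # no cpu
        {"name": "sidecar", "resources": {"limits": {"cpu": "250m"}}},
    ],
    "initContainers": [{"name": "setup", "resources": {"requests": {"cpu": "50m"}}}],
}}

if __name__ == "__main__":
    for label, pod in (("compliant", COMPLIANT_POD), ("noncompliant", NONCOMPLIANT_POD)):
        problems = check_pod_cpu_limits(pod)
        print(label, "OK" if not problems else f"missing CPU limits: {problems}")
```

Because the policy runs in `Audit` mode, violations only produce PolicyReport entries; this script helps spot them before switching `validationFailureAction` to `Enforce`.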
This policy prevents the use of the default project in an Application.
Services of type LoadBalancer when deployed inside AWS have support for transport encryption if it is enabled via an annotation. This policy requires that Services of type LoadBalancer contain the annotation service.beta.kubernetes.io/aws-load-balancer-ssl-cert with some value.
This policy prevents updates to the project field after an Application is created.