Require QoS Burstable
Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain priority guarantees based upon the resources they define. When a Pod has at least one container which defines either requests or limits for either memory or CPU, Kubernetes grants the QoS class as burstable if it does not otherwise qualify for a QoS class of guaranteed. This policy requires that a Pod meet the criteria to qualify for a QoS of burstable. This policy is provided with the intention that users will need to control its scope by using exclusions, preconditions, and other policy language mechanisms.
Policy Definition
/other/require-qos-burstable/require-qos-burstable.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-qos-burstable
  annotations:
    policies.kyverno.io/title: Require QoS Burstable
    policies.kyverno.io/category: Other, Multi-Tenancy
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain
      priority guarantees based upon the resources they define. When a Pod has at least
      one container which defines either requests or limits for either memory or CPU,
      Kubernetes grants the QoS class as burstable if it does not otherwise qualify for a QoS class of guaranteed.
      This policy requires that a Pod meet the criteria to qualify for a QoS of burstable.
      This policy is provided with the intention that users will need to control its scope by using
      exclusions, preconditions, and other policy language mechanisms.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: burstable
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "At least one container in the Pod must define either requests or limits for either CPU or memory."
      deny:
        conditions:
          all:
          - key: requests
            operator: AnyNotIn
            value: "{{ request.object.spec.containers[].resources.keys(@)[] }}"
          - key: limits
            operator: AnyNotIn
            value: "{{ request.object.spec.containers[].resources.keys(@)[] }}"
```
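The following is an added example, not part of the Kyverno policy library: it re-implements the rule's deny conditions in Python beside a simplified Kubernetes QoS classifier, so the rule's verdict can be compared with the QoS class each Pod would receive. The Pod manifests and helper names are constructed; the sketch assumes only `spec.containers` is inspected (init containers are ignored) and compares quantities as plain strings.

```python
# Added illustration: the rule's deny logic beside a simplified QoS classifier.
# Assumptions: only spec.containers is inspected (init containers ignored) and
# quantities are compared as plain strings. All manifests below are constructed.

def policy_denies(pod):
    """Mirror the deny block: true when neither 'requests' nor 'limits'
    appears among the resources keys of any container."""
    keys = [k for c in pod["spec"]["containers"] for k in (c.get("resources") or {})]
    return "requests" not in keys and "limits" not in keys

def qos_class(pod):
    """Simplified Kubernetes QoS classification."""
    res = [c.get("resources") or {} for c in pod["spec"]["containers"]]
    if not any(r.get("requests") or r.get("limits") for r in res):
        return "BestEffort"
    for r in res:
        limits, requests = r.get("limits") or {}, r.get("requests") or {}
        for name in ("cpu", "memory"):
            # An omitted request defaults to the limit for that resource.
            if name not in limits or requests.get(name, limits[name]) != limits[name]:
                return "Burstable"
    return "Guaranteed"

def pod(*resources):
    """Build a minimal constructed Pod with one container per resources dict."""
    return {"spec": {"containers": [{"name": f"c{i}", "resources": r}
                                    for i, r in enumerate(resources)]}}

SAMPLES = {
    "no-resources": pod({}),
    "memory-request-only": pod({"requests": {"memory": "64Mi"}}),
    "one-of-two-limited": pod({"limits": {"cpu": "250m"}}, {}),
    "limits-equal-requests": pod({"limits": {"cpu": "500m", "memory": "128Mi"}}),
}

def evaluate(samples=SAMPLES):
    """Return {name: (qos_class, denied_by_policy)} for each sample Pod."""
    return {name: (qos_class(p), policy_denies(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (qos, denied) in evaluate().items():
        print(f"{name:24} qos={qos:11} policy={'deny' if denied else 'pass'}")
```

The last sample passes the rule although it would be classed as guaranteed, because the deny conditions test only for the presence of a `requests` or `limits` key.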