Require QoS Guaranteed

Pod Quality of Service (QoS) is a mechanism that gives Pods certain priority guarantees based on the resources they define. When Pods define both requests and limits for both memory and CPU, and the requests and limits are equal to each other, Kubernetes assigns them the Guaranteed QoS class, which allows them to run at a higher priority than others. This policy requires that all containers within a Pod are defined this way, resulting in a Guaranteed QoS class. The policy is provided with the intention that users will control its scope by using exclusions, preconditions, and other policy language mechanisms.

Policy Definition

/other/require-qos-guaranteed/require-qos-guaranteed.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-qos-guaranteed
  annotations:
    policies.kyverno.io/title: Require QoS Guaranteed
    policies.kyverno.io/category: Other, Multi-Tenancy
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Pod Quality of Service (QoS) is a mechanism to ensure Pods receive certain
      priority guarantees based upon the resources they define. When Pods define both
      requests and limits for both memory and CPU, and the requests and limits are equal
      to each other, Kubernetes grants the QoS class as guaranteed which allows them to run
      at a higher priority than others. This policy requires that all containers within a Pod
      run with this definition resulting in a guaranteed QoS. This policy is provided with the
      intention that users will need to control its scope by using
      exclusions, preconditions, and other policy language mechanisms.
spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: guaranteed
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: "All containers must define memory and CPU requests and limits where they are equal."
      foreach:
      - list: "request.object.spec.containers"
        pattern:
          resources:
            requests:
              cpu: "?*"
              memory: "?*"
            limits:
              cpu: "{{element.resources.requests.cpu}}"
              memory: "{{element.resources.requests.memory}}"
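
The rule's per-container check can be reproduced offline to see which containers in a manifest would be reported. This is an added example, not part of the Kyverno policy library; the names `parse_quantity`, `violations`, `GOOD` and `BAD` are hypothetical and the sample Pods are constructed. It assumes quantities are compared by value, as Kubernetes does when assigning the QoS class; the page does not state how the pattern treats equal quantities written differently.

```python
from decimal import Decimal

# Kubernetes quantity suffixes commonly used for CPU and memory values.
SUFFIXES = {
    "Ki": Decimal(2) ** 10, "Mi": Decimal(2) ** 20, "Gi": Decimal(2) ** 30,
    "Ti": Decimal(2) ** 40, "m": Decimal("0.001"), "k": Decimal(10) ** 3,
    "M": Decimal(10) ** 6, "G": Decimal(10) ** 9, "T": Decimal(10) ** 12,
}

def parse_quantity(text):
    """Convert a quantity such as '500m' or '1Gi' to its base value."""
    text = str(text)
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if text.endswith(suffix):
            return Decimal(text[: -len(suffix)]) * SUFFIXES[suffix]
    return Decimal(text)

def violations(pod):
    """Return (container, reason) pairs for containers that break the rule."""
    found = []
    # Like the policy's foreach, only spec.containers is inspected.
    for c in pod.get("spec", {}).get("containers", []):
        res = c.get("resources") or {}
        requests, limits = res.get("requests") or {}, res.get("limits") or {}
        for key in ("cpu", "memory"):
            if not requests.get(key):
                found.append((c["name"], f"no {key} request"))
            elif not limits.get(key):
                found.append((c["name"], f"no {key} limit"))
            elif parse_quantity(limits[key]) != parse_quantity(requests[key]):
                found.append((c["name"], f"{key} limit != request"))
    return found

# Constructed sample Pods (not taken from the policy repository).
GOOD = {"spec": {"containers": [
    {"name": "app", "resources": {
        "requests": {"cpu": "500m", "memory": "256Mi"},
        "limits": {"cpu": "500m", "memory": "256Mi"}}}]}}
BAD = {"spec": {"containers": [
    {"name": "app", "resources": {
        "requests": {"cpu": "250m", "memory": "256Mi"},
        "limits": {"cpu": "500m", "memory": "256Mi"}}},
    {"name": "sidecar", "resources": {"requests": {"cpu": "100m"}}}]}}

if __name__ == "__main__":
    for label, pod in (("good", GOOD), ("bad", BAD)):
        print(label, violations(pod) or "passes")
```

With `validationFailureAction: Audit`, as in the policy above, such violations are reported rather than blocked.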