Add resource limit restriction policy

Author: DTLP

kyverno/policies/pods/kustomization.yaml

@@ -13,6 +13,7 @@ resources:
   - privileged.yaml
   - privilege-escalation.yaml
   - procMount.yaml
+  - resources.yaml
   - Seccomp.yaml
   - SELinux.yaml
   - sysctls.yaml

kyverno/policies/pods/resources-cpu-limits.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-cpu-limit
+  annotations:
+    policies.kyverno.io/title: Restrict CPU Limit
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      This policy restricts containers from setting the CPU limit above 6 cores.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: default
+      match:
+        resources:
+          kinds:
+            - Pod
+      preconditions:
+        all:
+          - key: "{{ request.object.spec.containers[].resources.limits.cpu || '' }}"
+            operator: NotEquals
+            value: ""
+      validate:
+        message: "Containers must not set CPU limits over 6 cores."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    cpu: "<=6"

kyverno/policies/pods/resources-memory-limits.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-memory-limit
+  annotations:
+    policies.kyverno.io/title: Restrict Memory Limit
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      This policy restricts containers from setting the memory limit above 24Gi.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: default
+      match:
+        resources:
+          kinds:
+            - Pod
+      preconditions:
+        all:
+          - key: "{{ request.object.spec.containers[].resources.limits.memory || '' }}"
+            operator: NotEquals
+            value: ""
+      validate:
+        message: "Containers must not set memory limits over 24Gi."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    memory: "<=24Gi"

kyverno/policies/pods/test/kyverno-test.yaml

@@ -3,12 +3,15 @@ policies:
   - ../hostIPC.yaml
   - ../hostNetwork.yaml
   - ../privilege-escalation.yaml
+  - ../resources-cpu-limits.yaml
+  - ../resources-memory-limits.yaml
 resources:
   - test-hostIPC.yaml
   - test-hostNetwork.yaml
   - test-privilege-escalation.yaml
+  - test-resources-limits.yaml
 results:
-# Test hostIPC
+  # Test hostIPC
   - policy: disallow-host-ipc-pods
     rule: default
     resource: test-hostIPC-not-set
@@ -24,7 +27,7 @@ results:
     resource: test-hostIPC-set-to-true
     kind: Pod
     result: fail
-# Test hostNetwork
+  # Test hostNetwork
   - policy: disallow-host-network-pods
     rule: default
     resource: test-hostNetwork-not-set
@@ -40,7 +43,7 @@ results:
     resource: test-hostNetwork-set-to-true
     kind: Pod
     result: fail
-# Test privilege escalation
+  # Test privilege escalation
   - policy: disallow-privilege-escalation
     rule: default
     resource: test-privilege-escalation-not-set
@@ -56,3 +59,105 @@ results:
     resource: test-privilege-escalation-set-to-true
     kind: Pod
     result: fail
+  # Test Restict CPU Limits
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-resource-limits-not-set
+    kind: Pod
+    result: skip
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-resource-limits-both-ok
+    kind: Pod
+    result: pass
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-resource-limits-cpu-too-high
+    kind: Pod
+    result: fail
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-resource-limits-memory-too-high
+    kind: Pod
+    result: pass
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-resource-limits-both-too-high
+    kind: Pod
+    result: fail
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-cpu-limit-ok
+    kind: Pod
+    result: pass
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-cpu-limit-decimal-ok
+    kind: Pod
+    result: pass
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-cpu-limit-millicores-ok
+    kind: Pod
+    result: pass
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-cpu-limit-too-high
+    kind: Pod
+    result: fail
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-cpu-limit-decimal-too-high
+    kind: Pod
+    result: fail
+  - policy: restrict-cpu-limit
+    rule: default
+    resource: test-cpu-limit-millicores-too-high
+    kind: Pod
+    result: fail
+  # Test Restict Memory Limits
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-resource-limits-not-set
+    kind: Pod
+    result: skip
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-resource-limits-both-ok
+    kind: Pod
+    result: pass
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-resource-limits-cpu-too-high
+    kind: Pod
+    result: pass
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-resource-limits-memory-too-high
+    kind: Pod
+    result: fail
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-resource-limits-both-too-high
+    kind: Pod
+    result: fail
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-memory-limit-ok
+    kind: Pod
+    result: pass
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-memory-limit-mi-ok
+    kind: Pod
+    result: pass
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-memory-limit-too-high
+    kind: Pod
+    result: fail
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-memory-limit-mi-too-high
+    kind: Pod
+    result: fail

kyverno/policies/pods/test/test-resources-limits.yaml

@@ -0,0 +1,180 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-not-set
+spec:
+  containers:
+    - name: test
+      image: test
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-both-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+          memory: "24Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-cpu-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7"
+          memory: "24Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-memory-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+          memory: "25Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-both-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7"
+          memory: "25Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-decimal-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6.0"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-millicores-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6000m"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-decimal-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7.0"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-millicores-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7000m"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-limit-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "24Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-limit-mi-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "24000Mi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-limit-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "25Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-limit-mi-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "25000Mi"