Add memory limit policy

Author: DTLP

kyverno/policies/pods/kustomization.yaml

@@ -13,6 +13,7 @@ resources:
   - privileged.yaml
   - privilege-escalation.yaml
   - procMount.yaml
+  - resources.yaml
   - Seccomp.yaml
   - SELinux.yaml
   - sysctls.yaml

kyverno/policies/pods/resources.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-memory-limit
+  annotations:
+    policies.kyverno.io/title: Restrict Memory Limit
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      This policy restricts containers from setting the memory limit above 24Gi.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: default
+      match:
+        resources:
+          kinds:
+            - Pod
+      preconditions:
+        all:
+          - key: "{{ request.object.spec.containers[].resources.limits.memory || '' }}"
+            operator: NotEquals
+            value: ""
+      validate:
+        message: "Memory limit must not exceed 24Gi."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    memory: "<=24Gi"

kyverno/policies/pods/test/kyverno-test.yaml

@@ -3,12 +3,14 @@ policies:
   - ../hostIPC.yaml
   - ../hostNetwork.yaml
   - ../privilege-escalation.yaml
+  - ../resources.yaml
 resources:
   - test-hostIPC.yaml
   - test-hostNetwork.yaml
+  - test-resources.yaml
   - test-privilege-escalation.yaml
 results:
-# Test hostIPC
+  # Test hostIPC
   - policy: disallow-host-ipc-pods
     rule: default
     resource: test-hostIPC-not-set
@@ -24,7 +26,7 @@ results:
     resource: test-hostIPC-set-to-true
     kind: Pod
     result: fail
-# Test hostNetwork
+  # Test hostNetwork
   - policy: disallow-host-network-pods
     rule: default
     resource: test-hostNetwork-not-set
@@ -40,7 +42,33 @@ results:
     resource: test-hostNetwork-set-to-true
     kind: Pod
     result: fail
-# Test privilege escalation
+  # Test Restict Memory Limit
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-memory-restriction-limit-not-set
+    kind: Pod
+    result: skip
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-memory-restriction-within-the-limit-gi
+    kind: Pod
+    result: pass
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-memory-restriction-within-the-limit-mi
+    kind: Pod
+    result: pass
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-memory-restriction-above-the-limit-mi
+    kind: Pod
+    result: fail
+  - policy: restrict-memory-limit
+    rule: default
+    resource: test-memory-restriction-above-the-limit-mi
+    kind: Pod
+    result: fail
+  # Test privilege escalation
   - policy: disallow-privilege-escalation
     rule: default
     resource: test-privilege-escalation-not-set

kyverno/policies/pods/test/test-resources.yaml

@@ -0,0 +1,56 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-restriction-limit-not-set
+spec:
+  containers:
+    - name: test
+      image: test
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-restriction-within-the-limit-gi
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "24Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-restriction-within-the-limit-mi
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "24000Mi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-restriction-above-the-limit-gi
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "25Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-restriction-above-the-limit-mi
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "25000Mi"