Fix resource limit validation (#551)

DTLP · web-flow · commit 97e22b7a294c · 2025-11-11T10:49:00.000Z
and also add validation for initContainers
diff --git a/kyverno/policies/pods/resource-limits.yaml b/kyverno/policies/pods/resource-limits.yaml
@@ -18,34 +18,42 @@ spec:
         resources:
           kinds:
             - Pod
-      preconditions:
-        all:
-          - key: "{{ request.object.spec.containers[].resources.limits.cpu || '' }}"
-            operator: NotEquals
-            value: ""
       validate:
         message: "Containers must not set CPU limits over 6 cores."
-        pattern:
-          spec:
-            containers:
-              - resources:
-                  limits:
-                    cpu: "<=6"
+        foreach:
+          - list: "request.object.spec.initContainers"
+            deny:
+              conditions:
+                any:
+                  - key: '{{ element.resources.limits.cpu || "" }}'
+                    operator: GreaterThan
+                    value: "6"
+          - list: "request.object.spec.containers"
+            deny:
+              conditions:
+                any:
+                  - key: '{{ element.resources.limits.cpu || "" }}'
+                    operator: GreaterThan
+                    value: "6"
     - name: memory
       match:
         resources:
           kinds:
             - Pod
-      preconditions:
-        all:
-          - key: "{{ request.object.spec.containers[].resources.limits.memory || '' }}"
-            operator: NotEquals
-            value: ""
       validate:
         message: "Containers must not set memory limits over 24Gi."
-        pattern:
-          spec:
-            containers:
-              - resources:
-                  limits:
-                    memory: "<=24Gi"
+        foreach:
+          - list: "request.object.spec.initContainers"
+            deny:
+              conditions:
+                any:
+                  - key: '{{ element.resources.limits.memory || "" }}'
+                    operator: GreaterThan
+                    value: "24Gi"
+          - list: "request.object.spec.containers"
+            deny:
+              conditions:
+                any:
+                  - key: '{{ element.resources.limits.memory || "" }}'
+                    operator: GreaterThan
+                    value: "24Gi"
diff --git a/kyverno/policies/pods/test/kyverno-test.yaml b/kyverno/policies/pods/test/kyverno-test.yaml
@@ -63,22 +63,27 @@ results:
     rule: cpu
     resource: test-resource-limits-not-set
     kind: Pod
-    result: skip
+    result: pass
   - policy: restrict-resource-limits
     rule: memory
     resource: test-resource-limits-not-set
     kind: Pod
-    result: skip
+    result: pass
   - policy: restrict-resource-limits
     rule: cpu
-    resource: test-resource-limits-both-ok
+    resource: test-resource-limits-ok
     kind: Pod
     result: pass
   - policy: restrict-resource-limits
     rule: memory
-    resource: test-resource-limits-both-ok
+    resource: test-resource-limits-ok
     kind: Pod
     result: pass
+  - policy: restrict-resource-limits
+    rule: cpu
+    resource: test-resource-limits-init-cpu-too-high
+    kind: Pod
+    result: fail
   - policy: restrict-resource-limits
     rule: cpu
     resource: test-resource-limits-cpu-too-high
@@ -94,6 +99,11 @@ results:
     resource: test-resource-limits-memory-too-high
     kind: Pod
     result: pass
+  - policy: restrict-resource-limits
+    rule: memory
+    resource: test-resource-limits-init-memory-too-high
+    kind: Pod
+    result: fail
   - policy: restrict-resource-limits
     rule: memory
     resource: test-resource-limits-memory-too-high
diff --git a/kyverno/policies/pods/test/test-resource-limits.yaml b/kyverno/policies/pods/test/test-resource-limits.yaml
@@ -10,8 +10,35 @@ spec:
 apiVersion: v1
 kind: Pod
 metadata:
-  name: test-resource-limits-both-ok
+  name: test-resource-limits-ok
 spec:
+  initContainers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+          memory: "24Gi"
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+          memory: "24Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-init-cpu-too-high
+spec:
+  initContainers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7"
+          memory: "24Gi"
   containers:
     - name: test
       image: test
@@ -35,6 +62,26 @@ spec:
 ---
 apiVersion: v1
 kind: Pod
+metadata:
+  name: test-resource-limits-init-memory-too-high
+spec:
+  initContainers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+          memory: "25Gi"
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+          memory: "24Gi"
+---
+apiVersion: v1
+kind: Pod
 metadata:
   name: test-resource-limits-memory-too-high
 spec:
