1 change: 1 addition & 0 deletions kyverno/policies/pods/kustomization.yaml
Expand Up @@ -13,6 +13,7 @@ resources:
- privileged.yaml
- privilege-escalation.yaml
- procMount.yaml
- resource-limits.yaml
- Seccomp.yaml
- SELinux.yaml
- sysctls.yaml
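--- a/kyverno/policies/pods/resource-limits.yaml
+++ b/kyverno/policies/pods/resource-limits.yaml
@@ -0,0 +1,51 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-resource-limits
+  annotations:
+    policies.kyverno.io/title: Restrict Resource Limits
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/description: >-
+      This policy restricts containers from setting CPU limit above 6 cores and
+      memory limit above 24Gi.
+spec:
+  validationFailureAction: Enforce
+  background: true
+  rules:
+    - name: cpu
+      match:
+        resources:
+          kinds:
+            - Pod
+      preconditions:
+        all:
+          - key: "{{ request.object.spec.containers[].resources.limits.cpu || '' }}"
+            operator: NotEquals
+            value: ""
+      validate:
+        message: "Containers must not set CPU limits over 6 cores."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    cpu: "<=6"
+    - name: memory
+      match:
+        resources:
+          kinds:
+            - Pod
+      preconditions:
+        all:
+          - key: "{{ request.object.spec.containers[].resources.limits.memory || '' }}"
+            operator: NotEquals
+            value: ""
+      validate:
+        message: "Containers must not set memory limits over 24Gi."
+        pattern:
+          spec:
+            containers:
+              - resources:
+                  limits:
+                    memory: "<=24Gi"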
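Review bot: Both validate patterns only descend into `spec.containers`, and the preconditions only project `spec.containers[]`, so `spec.initContainers` and `spec.ephemeralContainers` are never inspected and an init container can carry a CPU or memory limit above the stated ceiling without this policy objecting. A second gap is the multi-container case: once any container sets a limit the precondition fires, and the list pattern is then applied to every container, which as far as I recall makes a container with no `resources.limits.cpu` fail the rule unless the keys carry Kyverno's equality anchor (`=(key)`, "if present, must match"). Extending the pattern with optional-anchored entries for the other container lists, as sketched below for the cpu rule, closes both; the memory rule needs the same shape, and the precondition should then either be widened to the same three lists or dropped (which would turn the not-set test results from skip into pass, so the tests must move with it). None of this is exercised today because every fixture in test-resource-limits.yaml is a single-container pod.
```yaml
        pattern:
          spec:
            =(initContainers):
              - =(resources):
                  =(limits):
                    =(cpu): "<=6"
            =(ephemeralContainers):
              - =(resources):
                  =(limits):
                    =(cpu): "<=6"
            containers:
              - =(resources):
                  =(limits):
                    =(cpu): "<=6"
# … unchanged: memory rule, same shape with memory: "<=24Gi" …
```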
109 changes: 106 additions & 3 deletions kyverno/policies/pods/test/kyverno-test.yaml
Expand Up @@ -3,12 +3,14 @@ policies:
- ../hostIPC.yaml
- ../hostNetwork.yaml
- ../privilege-escalation.yaml
- ../resource-limits.yaml
resources:
- test-hostIPC.yaml
- test-hostNetwork.yaml
- test-privilege-escalation.yaml
- test-resource-limits.yaml
results:
# Test hostIPC
# Test hostIPC
- policy: disallow-host-ipc-pods
rule: default
resource: test-hostIPC-not-set
Expand All @@ -24,7 +26,7 @@ results:
resource: test-hostIPC-set-to-true
kind: Pod
result: fail
# Test hostNetwork
# Test hostNetwork
- policy: disallow-host-network-pods
rule: default
resource: test-hostNetwork-not-set
Expand All @@ -40,7 +42,7 @@ results:
resource: test-hostNetwork-set-to-true
kind: Pod
result: fail
# Test privilege escalation
# Test privilege escalation
- policy: disallow-privilege-escalation
rule: default
resource: test-privilege-escalation-not-set
Expand All @@ -56,3 +58,104 @@ results:
resource: test-privilege-escalation-set-to-true
kind: Pod
result: fail
# Test Restict Resource Limits
- policy: restrict-resource-limits
rule: cpu
resource: test-resource-limits-not-set
kind: Pod
result: skip
- policy: restrict-resource-limits
rule: memory
resource: test-resource-limits-not-set
kind: Pod
result: skip
- policy: restrict-resource-limits
rule: cpu
resource: test-resource-limits-both-ok
kind: Pod
result: pass
- policy: restrict-resource-limits
rule: memory
resource: test-resource-limits-both-ok
kind: Pod
result: pass
- policy: restrict-resource-limits
rule: cpu
resource: test-resource-limits-cpu-too-high
kind: Pod
result: fail
- policy: restrict-resource-limits
rule: memory
resource: test-resource-limits-cpu-too-high
kind: Pod
result: pass
- policy: restrict-resource-limits
rule: cpu
resource: test-resource-limits-memory-too-high
kind: Pod
result: pass
- policy: restrict-resource-limits
rule: memory
resource: test-resource-limits-memory-too-high
kind: Pod
result: fail
- policy: restrict-resource-limits
rule: cpu
resource: test-resource-limits-both-too-high
kind: Pod
result: fail
- policy: restrict-resource-limits
rule: memory
resource: test-resource-limits-both-too-high
kind: Pod
result: fail
- policy: restrict-resource-limits
rule: cpu
resource: test-cpu-limit-ok
kind: Pod
result: pass
- policy: restrict-resource-limits
rule: cpu
resource: test-cpu-limit-decimal-ok
kind: Pod
result: pass
- policy: restrict-resource-limits
rule: cpu
resource: test-cpu-limit-millicores-ok
kind: Pod
result: pass
- policy: restrict-resource-limits
rule: cpu
resource: test-cpu-limit-too-high
kind: Pod
result: fail
- policy: restrict-resource-limits
rule: cpu
resource: test-cpu-limit-decimal-too-high
kind: Pod
result: fail
- policy: restrict-resource-limits
rule: cpu
resource: test-cpu-limit-millicores-too-high
kind: Pod
result: fail
- policy: restrict-resource-limits
rule: memory
resource: test-memory-limit-ok
kind: Pod
result: pass
- policy: restrict-resource-limits
rule: memory
resource: test-memory-limit-mi-ok
kind: Pod
result: pass
- policy: restrict-resource-limits
rule: memory
resource: test-memory-limit-too-high
kind: Pod
result: fail
- policy: restrict-resource-limits
rule: memory
resource: test-memory-limit-mi-too-high
kind: Pod
result: fail
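Review bot: Every `resource:` named in the new results entries is a single-container pod from test-resource-limits.yaml, so a pod whose init container (or a second container) sets an oversized limit is never exercised and a policy that only checks `spec.containers` stays green in CI. Please add fixtures for those two shapes to test-resource-limits.yaml (an init-container pod is sketched below) and a result entry per rule for each, e.g. `resource: test-resource-limits-init-too-high` with `result: fail` for both `rule: cpu` and `rule: memory`, plus a two-container pod where only one container has limits with `result: pass`. The section comment also has a typo: `# Test Restict Resource Limits` should read `# Test Restrict Resource Limits`. The enclosing `results:` list starts outside this hunk.
```yaml
# test-resource-limits.yaml — constructed fixture, add after the existing documents
apiVersion: v1
kind: Pod
metadata:
  name: test-resource-limits-init-too-high
spec:
  initContainers:
    - name: init
      image: test
      resources:
        limits:
          cpu: "7"
          memory: "25Gi"
  containers:
    - name: test
      image: test
```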
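--- a/kyverno/policies/pods/test/test-resource-limits.yaml
+++ b/kyverno/policies/pods/test/test-resource-limits.yaml
@@ -0,0 +1,180 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-not-set
+spec:
+  containers:
+    - name: test
+      image: test
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-both-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+          memory: "24Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-cpu-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7"
+          memory: "24Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-memory-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+          memory: "25Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-resource-limits-both-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7"
+          memory: "25Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-decimal-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6.0"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-millicores-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "6000m"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-decimal-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7.0"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-cpu-limit-millicores-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          cpu: "7000m"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-limit-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "24Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-limit-mi-ok
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "24000Mi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-limit-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "25Gi"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test-memory-limit-mi-too-high
+spec:
+  containers:
+    - name: test
+      image: test
+      resources:
+        limits:
+          memory: "25000Mi"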