diff --git a/kyverno/policies/pods/resource-limits.yaml b/kyverno/policies/pods/resource-limits.yaml
index c8e7bab8..a6f478ad 100644
--- a/kyverno/policies/pods/resource-limits.yaml
+++ b/kyverno/policies/pods/resource-limits.yaml
@@ -18,34 +18,42 @@ spec: resources: kinds: - Pod - preconditions: - all: - - key: "{{ request.object.spec.containers[].resources.limits.cpu || '' }}" - operator: NotEquals - value: "" validate: message: "Containers must not set CPU limits over 6 cores." - pattern: - spec: - containers: - - resources: - limits: - cpu: "<=6" + foreach: + - list: "request.object.spec.initContainers" + deny: + conditions: + any: + - key: '{{ element.resources.limits.cpu || "" }}' + operator: GreaterThan + value: "6" + - list: "request.object.spec.containers" + deny: + conditions: + any: + - key: '{{ element.resources.limits.cpu || "" }}' + operator: GreaterThan + value: "6" - name: memory match: resources: kinds: - Pod - preconditions: - all: - - key: "{{ request.object.spec.containers[].resources.limits.memory || '' }}" - operator: NotEquals - value: "" validate: message: "Containers must not set memory limits over 24Gi." - pattern: - spec: - containers: - - resources: - limits: - memory: "<=24Gi" + foreach: + - list: "request.object.spec.initContainers" + deny: + conditions: + any: + - key: '{{ element.resources.limits.memory || "" }}' + operator: GreaterThan + value: "24Gi" + - list: "request.object.spec.containers" + deny: + conditions: + any: + - key: '{{ element.resources.limits.memory || "" }}' + operator: GreaterThan + value: "24Gi"
diff --git a/kyverno/policies/pods/test/kyverno-test.yaml b/kyverno/policies/pods/test/kyverno-test.yaml
index 2c13447c..94e1dac3 100644
--- a/kyverno/policies/pods/test/kyverno-test.yaml
+++ b/kyverno/policies/pods/test/kyverno-test.yaml
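Review bot: The `|| ""` fallback in the new foreach keys (`key: '{{ element.resources.limits.cpu || "" }}'` and its memory counterpart) makes the unset-limit outcome depend on how Kyverno's GreaterThan treats an empty string, and nothing in the policy records that expectation; a comment above each `foreach:` such as `# an unset limit resolves to "" and never compares greater than the threshold; pinned by test-resource-limits-not-set` would make the intent explicit. Removing the preconditions also moves pods with no limits from skip to pass, which kyverno-test.yaml reflects but the policy text does not. The thresholds "6" and "24Gi" are now repeated in both list entries of each rule, so a future change has to edit two places per rule and a missed one would silently loosen the check for one container kind. The cpu rule's `name` and `match` header lies above this hunk.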
@@ -63,22 +63,27 @@ results: rule: cpu resource: test-resource-limits-not-set kind: Pod - result: skip + result: pass - policy: restrict-resource-limits rule: memory resource: test-resource-limits-not-set kind: Pod - result: skip + result: pass - policy: restrict-resource-limits rule: cpu - resource: test-resource-limits-both-ok + resource: test-resource-limits-ok kind: Pod result: pass - policy: restrict-resource-limits rule: memory - resource: test-resource-limits-both-ok + resource: test-resource-limits-ok kind: Pod result: pass + - policy: restrict-resource-limits + rule: cpu + resource: test-resource-limits-init-cpu-too-high + kind: Pod + result: fail - policy: restrict-resource-limits rule: cpu resource: test-resource-limits-cpu-too-high
@@ -94,6 +99,11 @@ results: resource: test-resource-limits-memory-too-high kind: Pod result: pass + - policy: restrict-resource-limits + rule: memory + resource: test-resource-limits-init-memory-too-high + kind: Pod + result: fail - policy: restrict-resource-limits rule: memory resource: test-resource-limits-memory-too-high
diff --git a/kyverno/policies/pods/test/test-resource-limits.yaml b/kyverno/policies/pods/test/test-resource-limits.yaml
index e30bc84c..bc18ed44 100644
--- a/kyverno/policies/pods/test/test-resource-limits.yaml
+++ b/kyverno/policies/pods/test/test-resource-limits.yaml
@@ -10,8 +10,35 @@ spec: apiVersion: v1 kind: Pod metadata: - name: test-resource-limits-both-ok + name: test-resource-limits-ok spec: + initContainers: + - name: test + image: test + resources: + limits: + cpu: "6" + memory: "24Gi" + containers: + - name: test + image: test + resources: + limits: + cpu: "6" + memory: "24Gi" +--- +apiVersion: v1 +kind: Pod +metadata: + name: test-resource-limits-init-cpu-too-high +spec: + initContainers: + - name: test + image: test + resources: + limits: + cpu: "7" + memory: "24Gi" containers: - name: test image: test
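Review bot: The new `test-resource-limits-init-cpu-too-high` entry expects only `rule: cpu` to fail, and the `test-resource-limits-init-memory-too-high` entry in the second hunk of this file only `rule: memory`; the existing fixtures list both rules per resource (the memory-too-high pod carries a `result: pass` for cpu), so unless the missing combinations appear elsewhere in the file, add `- policy: restrict-resource-limits`, `rule: memory`, `resource: test-resource-limits-init-cpu-too-high` with `result: pass` (and the cpu counterpart for the init-memory fixture) so the non-failing rule is pinned too. Kyverno's CLI only reports on the results that are listed, so an unlisted combination is not checked at all.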
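Review bot: Every init container in the new fixtures (`test-resource-limits-ok`, `test-resource-limits-init-cpu-too-high` here, and `test-resource-limits-init-memory-too-high` in the next hunk) sets both limits explicitly, so the `|| ""` fallback that resource-limits.yaml now relies on is never exercised for an init container. A pod whose `initContainers` omit `resources` entirely, with `result: pass` entries in kyverno-test.yaml, would pin that path; if the policy is meant to read quantities rather than plain integers, a limit spelled as `cpu: "6000m"` at the threshold would pin that too. The renamed `test-resource-limits-ok` pod sitting exactly at "6" and "24Gi" already covers the boundary, which is the right place for it.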
@@ -35,6 +62,26 @@ spec: --- apiVersion: v1 kind: Pod +metadata: + name: test-resource-limits-init-memory-too-high +spec: + initContainers: + - name: test + image: test + resources: + limits: + cpu: "6" + memory: "25Gi" + containers: + - name: test + image: test + resources: + limits: + cpu: "6" + memory: "24Gi" +--- +apiVersion: v1 +kind: Pod metadata: name: test-resource-limits-memory-too-high spec: