add: policies, resources and new actions

Tech-Preta · Jan 24, 2024 · 8927ae8 · 8927ae8
1 parent cac091e
commit 8927ae8
Show file tree

Hide file tree

Showing 7 changed files with 94 additions and 174 deletions.
diff --git a/.github/workflows/kyverno-test-policy.yaml b/.github/workflows/kyverno-test-policy.yaml
@@ -0,0 +1,29 @@
+name: kyverno-policy-test
+# This workflow is triggered on push to any branch and pull request to the main branch.
+# It runs on ubuntu-latest.
+# It uses the community action kyverno/action-install-cli@v0.2.0
+# It runs the following steps:
+on:
+    push:
+      branches:
+        - '*'
+    pull_request:
+      branches:
+        - main
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+      - name: Install Kyverno CLI
+        uses: kyverno/action-install-cli@v0.2.0
+        with:
+          release: 'v1.11.0'
+      - name: Check install
+        run: kyverno version
+      - name: Test new resources against existing policies
+        run: kyverno apply policies/ -r resources/
+
diff --git a/.github/workflows/kyverno.yaml b/.github/workflows/kyverno.yaml
@@ -1,27 +1,25 @@
-name: kyverno-policy-test
+name: Kyverno Policy Check
+
 on:
-    push:
-      branches:
-        - '*'
-    pull_request:
-      branches:
-        - main
-
+  push:
+    branches:
+      - main
+
 jobs:
-  test:
+  test-kyverno-policies:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
+
     steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
-      - name: Install Kyverno CLI
-        uses: kyverno/action-install-cli@v0.2.0
-        with:
-          release: 'v1.11.0'
-      - name: Check install
-        run: kyverno version
-      - name: Test new resources against existing policies
-        run: kyverno apply policies/ -r resources/
-      - name: Test pre-defined cases
-        run: kyverno test tests/
+    - name: Checkout Repository
+      uses: actions/checkout@v2
+
+    - name: Validate YAML Indentation
+      run: |
+        if ! yamllint policies/; then
+          echo "YAML indentation validation failed."
+          exit 1
+        fi
+
+    - name: Simulate Apply Kyverno Policy
+      run: |
+        kubectl apply -f policies/require-resources-limits.yml --dry-run=client -o yaml
diff --git a/policies/require-resources-limits.yml b/policies/require-resources-limits.yml
@@ -1,22 +1,38 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
-  name: require-resources-limits
+  name: require-requests-limits
+  annotations:
+    policies.kyverno.io/title: Require Limits and Requests
+    policies.kyverno.io/category: Best Practices, EKS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/description: >-
+      As application workloads share cluster resources, it is important to limit resources
+      requested and consumed by each Pod. It is recommended to require resource requests and
+      limits per Pod, especially for memory and CPU. If a Namespace level request or limit is specified,
+      defaults will automatically be applied to each Pod based on the LimitRange configuration.
+      This policy validates that all containers have something specified for memory and CPU
+      requests and memory limits.
 spec:
-  validationFailureAction: Enforce
+  validationFailureAction: audit
+  background: true
   rules:
-    - name: validate-resources-limits
+    - name: validate-resources
       match:
-        resources:
-          kinds:
-            - Pod
+        any:
+          - resources:
+              kinds:
+                - Pod
       validate:
-        message: "Pod {{request.object.metadata.name}} does not have resource limits set"
+        message: "CPU and memory resource requests and limits are required."
         pattern:
           spec:
             containers:
-              - name: "*"
-                resources:
-                  limits:
+              - resources:
+                  requests:
                     memory: "?*"
                     cpu: "?*"
+                  limits:
+                    memory: "?*"
diff --git a/resources/require-resources-limits.yml b/resources/require-resources-limits.yml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    run: nginx
+  name: nginx
+  namespace: default
+spec:
+  containers:
+    - image: nginx
+      name: nginx
+      resources:
+        requests:
+          memory: "?*"
+          cpu: "?*"
+        limits:
+          memory: "?*"
+          cpu: "?*"
diff --git a/tests/kyverno-test.yaml b/tests/kyverno-test.yaml
diff --git a/tests/require_labels.yaml b/tests/require_labels.yaml
diff --git a/tests/resource.yaml b/tests/resource.yaml