f
Signed-off-by: Xinhe Li <[email protected]>
fseldow committed Dec 5, 2024
1 parent 49878ed commit 7b18fae
Showing 11 changed files with 505 additions and 2 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
version: 1.1.0
name: k8scontainerlimits
displayName: Container Limits
createdAt: "2024-12-05T08:42:14Z"
description: |-
Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values.
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
digest: 4e4c84cd3532a7a0a30b3a823fb6a5f572d8b63f847f5fa5c98e8697353cb5d4
license: Apache-2.0
homeURL: https://open-policy-agent.github.io/gatekeeper-library/website/containerlimits
keywords:
- gatekeeper
- open-policy-agent
- policies
readme: |-
# Container Limits
Requires containers to have memory and CPU limits set and constrains limits to be within the specified maximum values.
https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
install: |-
### Usage
```shell
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper-library/master/artifacthub/library/general/containerlimits/1.1.0/template.yaml
```
provider:
name: Gatekeeper Library
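Review bot: the `install` command fetches `template.yaml` from the mutable `master` branch (`.../gatekeeper-library/master/artifacthub/library/general/containerlimits/1.1.0/template.yaml`), so what a user applies is not tied to the `digest` recorded for this version. Consider pointing the URL at a tag or commit SHA, or state in the readme how the digest can be checked before `kubectl apply`. The `description` and `readme` also still say CPU limits are required, which no longer holds once a constraint can opt out of the CPU check.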
@@ -0,0 +1,2 @@
resources:
- template.yaml
@@ -0,0 +1,12 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
cpu: "-1"
memory: "1Gi"
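Review bot: `cpu: "-1"` under `parameters` is an undocumented sentinel. Judging by the suite's `container-limits-ignore-cpu` test and the allowed sample that sets only a memory limit, it switches the CPU check off, so an operator copying this sample stops enforcing CPU limits without any text saying so; please document the value in the package description or readme. `metadata.name` is also `container-must-have-limits`, the same name as the other constraint sample in this commit, so applying both to one cluster replaces one with the other; a distinct name such as `container-ignore-cpu-limits` would avoid that.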
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
memory: "1Gi"
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
memory: "2Gi"
@@ -0,0 +1,12 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
cpu: "200m"
memory: "1Gi"
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "1Gi"
@@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
labels:
owner: me.agilebank.demo
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
cpu: "100m"
memory: "2Gi"
29 changes: 29 additions & 0 deletions artifacthub/library/general/containerlimits/1.1.0/suite.yaml
@@ -0,0 +1,29 @@
kind: Suite
apiVersion: test.gatekeeper.sh/v1alpha1
metadata:
name: containerlimits
tests:
- name: container-limits
template: template.yaml
constraint: samples/container-must-have-limits/constraint.yaml
cases:
- name: example-allowed
object: samples/container-must-have-limits/example_allowed.yaml
assertions:
- violations: no
- name: example-disallowed
object: samples/container-must-have-limits/example_disallowed.yaml
assertions:
- violations: yes
- name: container-limits-ignore-cpu
template: template.yaml
constraint: samples/container-ignore-cpu-limits/constraint.yaml
cases:
- name: example-allowed
object: samples/container-ignore-cpu-limits/example_allowed.yaml
assertions:
- violations: no
- name: example-disallowed
object: samples/container-ignore-cpu-limits/example_disallowed.yaml
assertions:
- violations: yes
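Review bot: both `example-disallowed` cases fail for the same reason, a memory limit of `2Gi` against the `1Gi` maximum, so nothing in this suite exercises the `cpu: "200m"` maximum, a container with no `resources.limits` at all, or, for the `cpu: "-1"` constraint, a pod that does set a CPU limit. Please add a case for each under the matching test so that a regression in the CPU path or in the new ignore-CPU behaviour is caught rather than masked by the memory violation.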