containerlimits support to skip cpu limit validation
Signed-off-by: Xinhe Li <[email protected]>
fseldow committed Dec 5, 2024
1 parent 1de50fa commit fc89cf3
Showing 8 changed files with 68 additions and 5 deletions.
@@ -0,0 +1,12 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerLimits
metadata:
name: container-must-have-limits
spec:
match:
kinds:
- apiGroups: [""]
kinds: ["Pod"]
parameters:
cpu: "-1"
memory: "1Gi"
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-allowed
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
memory: "1Gi"
@@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: opa-disallowed
spec:
containers:
- name: opa
image: openpolicyagent/opa:0.9.2
args:
- "run"
- "--server"
- "--addr=localhost:8080"
resources:
limits:
memory: "2Gi"
12 changes: 12 additions & 0 deletions library/general/containerlimits/suite.yaml
Expand Up @@ -15,3 +15,15 @@ tests:
object: samples/container-must-have-limits/example_disallowed.yaml
assertions:
- violations: yes
- name: container-limits-ignore-cpu
template: template.yaml
constraint: samples/container-ignore-cpu-limits/constraint.yaml
cases:
- name: example-allowed
object: samples/container-ignore-cpu-limits/example_allowed.yaml
assertions:
- violations: no
- name: example-disallowed
object: samples/container-ignore-cpu-limits/example_disallowed.yaml
assertions:
- violations: yes
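Review bot: The two new cases point at samples whose containers carry only a memory limit (the two Pod files shown earlier on this page have `limits:` with just `memory`), so the suite exercises the skip of the missing-cpu rule but never the skip of the over-maximum rule that the template also gates on `-1`, which is the path the feature is named for. A container with an explicit cpu limit, e.g. `cpu: "4"` under `limits:` in samples/container-ignore-cpu-limits/example_allowed.yaml, or a third case built around one, would cover it. The `tests:` list this hunk extends starts outside the hunk.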
6 changes: 4 additions & 2 deletions library/general/containerlimits/template.yaml
Expand Up @@ -4,7 +4,7 @@ metadata:
name: k8scontainerlimits
annotations:
metadata.gatekeeper.sh/title: "Container Limits"
metadata.gatekeeper.sh/version: 1.0.1
metadata.gatekeeper.sh/version: 1.1.0
description: >-
Requires containers to have memory and CPU limits set and constrains
limits to be within the specified maximum values.
Expand All @@ -31,7 +31,7 @@ spec:
items:
type: string
cpu:
description: "The maximum allowed cpu limit on a Pod, exclusive."
description: "The maximum allowed cpu limit on a Pod, exclusive. Set to -1 to disable."
type: string
memory:
description: "The maximum allowed memory limit on a Pod, exclusive."
Expand Down Expand Up @@ -207,6 +207,7 @@ spec:
}
general_violation[{"msg": msg, "field": field}] {
input.parameters.cpu != "-1"
container := input.review.object.spec[field][_]
not is_exempt(container)
missing(container.resources.limits, "cpu")
Expand All @@ -226,6 +227,7 @@ spec:
cpu_orig := container.resources.limits.cpu
cpu := canonify_cpu(cpu_orig)
max_cpu_orig := input.parameters.cpu
max_cpu_orig != "-1"
max_cpu := canonify_cpu(max_cpu_orig)
cpu > max_cpu
msg := sprintf("container <%v> cpu limit <%v> is higher than the maximum allowed of <%v>", [container.name, cpu_orig, max_cpu_orig])
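Review bot: The guard `input.parameters.cpu != "-1"` added to the missing-cpu rule (the line after `general_violation[{"msg": msg, "field": field}] {` in the third hunk) is undefined when the constraint sets no `cpu` parameter, and an undefined expression makes the whole rule body fail, so a constraint that omits `cpu` silently stops reporting containers that have no cpu limit; before this change that rule did not read the parameter at all. Gating the over-maximum rule with `max_cpu_orig != "-1"` is fine, because that rule already required the parameter. To keep the old behaviour for an absent parameter write the guard as `not input.parameters.cpu == "-1"`, which holds both when the value is absent and when it is anything other than "-1". The identical line in src/general/containerlimits/src.rego has the same problem; since library/general/containerlimits/template.yaml appears to be the generated copy, fix it in src and regenerate. Both rule bodies end outside the hunks.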
4 changes: 2 additions & 2 deletions src/general/containerlimits/constraint.tmpl
Expand Up @@ -4,7 +4,7 @@ metadata:
name: k8scontainerlimits
annotations:
metadata.gatekeeper.sh/title: "Container Limits"
metadata.gatekeeper.sh/version: 1.0.1
metadata.gatekeeper.sh/version: 1.1.0
description: >-
Requires containers to have memory and CPU limits set and constrains
limits to be within the specified maximum values.
Expand All @@ -31,7 +31,7 @@ spec:
items:
type: string
cpu:
description: "The maximum allowed cpu limit on a Pod, exclusive."
description: "The maximum allowed cpu limit on a Pod, exclusive. Set to -1 to disable."
type: string
memory:
description: "The maximum allowed memory limit on a Pod, exclusive."
2 changes: 2 additions & 0 deletions src/general/containerlimits/src.rego
Expand Up @@ -166,6 +166,7 @@ general_violation[{"msg": msg, "field": field}] {
}

general_violation[{"msg": msg, "field": field}] {
input.parameters.cpu != "-1"
container := input.review.object.spec[field][_]
not is_exempt(container)
missing(container.resources.limits, "cpu")
Expand All @@ -185,6 +186,7 @@ general_violation[{"msg": msg, "field": field}] {
cpu_orig := container.resources.limits.cpu
cpu := canonify_cpu(cpu_orig)
max_cpu_orig := input.parameters.cpu
max_cpu_orig != "-1"
max_cpu := canonify_cpu(max_cpu_orig)
cpu > max_cpu
msg := sprintf("container <%v> cpu limit <%v> is higher than the maximum allowed of <%v>", [container.name, cpu_orig, max_cpu_orig])
7 changes: 6 additions & 1 deletion src/general/containerlimits/src_test.rego
Expand Up @@ -52,10 +52,15 @@ test_no_parse_cpu {
results := violation with input as inp
count(results) == 1
}
test_no_parse_cpu_skip {
inp := {"review": review([ctr("a", "1", "212asdf")]), "parameters": {"memory": "2", "cpu": "-1"}}
results := violation with input as inp
count(results) == 0
}
test_no_parse_ram {
inp := {"review": review([ctr("a", "1asdf", "2")]), "parameters": {"memory": "2", "cpu": "4"}}
results := violation with input as inp
count(results) == 1
count(results) == 0
}
test_1_bad_cpu {
inp := {"review": review([ctr("a", "1", "2"), ctr("b", "1", "8")]), "parameters": {"memory": "2", "cpu": "4"}}
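Review bot: The new test_no_parse_cpu_skip expects zero violations for a container whose cpu limit `212asdf` cannot be parsed, solely because the parameter is `-1`, but the only rules this commit gates on `-1` (the two src.rego hunks) are the missing-limit and over-maximum rules; test_no_parse_cpu just above expects one violation for the same container with cpu `4`, which implies a separate unparseable-cpu rule, and if that rule exists it is not gated and this test will still count one violation. Either gate that rule the same way or change the expectation to `count(results) == 1` with a comment saying a malformed limit is still reported when the maximum is disabled, which is the safer reading of the feature. The pair of lines in test_no_parse_ram reads as changing `count(results) == 1` to `count(results) == 0` (assuming the page prints the removed line first); nothing in the commit touches memory handling and `1asdf` is still unparseable, so that change looks like it masks a failing test rather than records a behaviour change and should be reverted or explained. test_1_bad_cpu continues outside the hunk.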
