Updated on 2024-02-01 GMT+08:00

k8srequiredresources

Basic Information

  • Policy type: compliance
  • Recommended level: L1
  • Effective resource type: Pod
  • Parameter
    exemptImages: String array
    limits
      cpu
      memory
    requests
      cpu
      memory

Function

This policy restricts container resource usage by requiring containers to set the resource limits and requests named in its parameters.

Policy Example

The memory limit and the CPU and memory requests must be configured.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    limits:
      - memory
    requests:
      - cpu
      - memory

Resource Definition That Complies with the Policy

The memory limit and the CPU and memory requests are configured, which complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        limits:
          cpu: "100m"
          memory: "1Gi"
        requests:
          cpu: "100m"
          memory: "1Gi"

Resource Definition That Does Not Comply with the Policy

The CPU and memory requests are not configured (only a memory limit is set), which does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        limits:
          memory: "2Gi"
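
An offline pre-check that approximates what this policy instance evaluates, run against the two Pod definitions above. It is an added example, not code from the policy or from Gatekeeper. The names violations, is_exempt and pod are hypothetical, and two behaviours are assumptions: exemptImages entries match exactly or as a prefix when they end in "*", and initContainers are checked as well as containers.

```python
# Added example: offline approximation of the K8sRequiredResources check.
# REQUIRED mirrors spec.parameters of the policy example on this page.
REQUIRED = {"limits": ["memory"], "requests": ["cpu", "memory"]}

def is_exempt(image, exempt_images):
    # Assumption: an entry matches exactly, or as a prefix when it ends in "*".
    for pattern in exempt_images:
        if pattern.endswith("*"):
            if image.startswith(pattern[:-1]):
                return True
        elif image == pattern:
            return True
    return False

def violations(pod, required=REQUIRED, exempt_images=()):
    """Return one message per container and missing resource field."""
    found = []
    spec = pod.get("spec", {})
    # Assumption: init containers are held to the same requirement.
    for field in ("containers", "initContainers"):
        for c in spec.get(field) or []:
            if is_exempt(c.get("image", ""), exempt_images):
                continue
            resources = c.get("resources") or {}
            for section, names in required.items():
                declared = resources.get(section) or {}
                for name in names:
                    if not declared.get(name):
                        found.append(f"{field}/{c.get('name')}: "
                                     f"missing resources.{section}.{name}")
    return found

def pod(name, resources):
    # Constructed input: the container from the page's two Pod definitions.
    return {"metadata": {"name": name},
            "spec": {"containers": [{"name": "opa",
                                     "image": "openpolicyagent/opa:0.9.2",
                                     "resources": resources}]}}

ALLOWED = pod("opa-allowed", {"limits": {"cpu": "100m", "memory": "1Gi"},
                              "requests": {"cpu": "100m", "memory": "1Gi"}})
DISALLOWED = pod("opa-disallowed", {"limits": {"memory": "2Gi"}})

if __name__ == "__main__":
    for p in (ALLOWED, DISALLOWED):
        print(p["metadata"]["name"], violations(p) or "compliant")
```

For opa-disallowed the memory limit passes and the two missing requests are reported, which is why that Pod is rejected.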