Updated on 2025-01-02 GMT+08:00

k8scontainerratios

Basic Information

  • Policy type: compliance
  • Recommended level: L1
  • Effective resource type: Pod
  • Parameter

    ratio: String

    cpuRatio: String

    exemptImages: String array

Function

This policy sets the maximum allowed ratio of container resource limits to requests.

Policy Example

The maximum ratio of container resource limits to requests is 1, and the maximum ratio of the CPU limit to the CPU request is 10.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRatios
metadata:
  name: container-must-meet-memory-and-cpu-ratio
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    ratio: "1"
    cpuRatio: "10"

Resource Definition That Complies with the Policy

The ratio of the CPU limit to the CPU request is 4 and the ratio of the memory limit to the memory request is 1, both of which comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        limits:
          cpu: "4"
          memory: "2Gi"
        requests:
          cpu: "1"
          memory: "2Gi"

Resource Definition That Does Not Comply with the Policy

Example 1: The ratio of the CPU limit to the CPU request is 40, which does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        limits:
          cpu: "4"
          memory: "2Gi"
        requests:
          cpu: "100m"
          memory: "2Gi"

Example 2: The ratio of the memory limit to the memory request is about 20, which does not comply with the policy.

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        limits:
          cpu: "800m"
          memory: "2Gi"
        requests:
          cpu: "100m"
          memory: "100Mi"
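
The following Python sketch is an added example, not part of the original page or the policy's own code. It reproduces the limit-to-request arithmetic for the three Pods above with ratio "1" and cpuRatio "10". The function names, the fallback of cpuRatio to ratio when cpuRatio is unset, and treating a missing limit or request as a violation are assumptions.

```python
from decimal import Decimal

# Multipliers for Kubernetes quantity suffixes (binary and decimal SI).
_SUFFIXES = {
    "Ki": Decimal(2) ** 10, "Mi": Decimal(2) ** 20, "Gi": Decimal(2) ** 30,
    "Ti": Decimal(2) ** 40, "m": Decimal("0.001"), "k": Decimal(10) ** 3,
    "M": Decimal(10) ** 6, "G": Decimal(10) ** 9, "T": Decimal(10) ** 12,
}

def parse_quantity(q):
    """Convert a quantity such as "100m", "2Gi" or "4" to a Decimal base value."""
    q = str(q).strip()
    for suffix in sorted(_SUFFIXES, key=len, reverse=True):
        if q.endswith(suffix):
            return Decimal(q[: -len(suffix)]) * _SUFFIXES[suffix]
    return Decimal(q)

def check_pod(pod, ratio, cpu_ratio=None):
    """Return violation messages for a Pod dict (hypothetical helper)."""
    # Assumption: cpuRatio falls back to ratio when it is not set.
    allowed = {"memory": Decimal(ratio),
               "cpu": Decimal(cpu_ratio if cpu_ratio is not None else ratio)}
    violations = []
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        for name, max_ratio in allowed.items():
            limit = res.get("limits", {}).get(name)
            request = res.get("requests", {}).get(name)
            if limit is None or request is None:
                # Assumption: a ratio cannot be evaluated, so report it.
                violations.append(f"{c['name']}: {name} limit or request missing")
            elif parse_quantity(limit) > max_ratio * parse_quantity(request):
                # Multiply instead of dividing so a zero request cannot raise.
                violations.append(f"{c['name']}: {name} limit {limit} exceeds "
                                  f"{max_ratio}x request {request}")
    return violations

def _pod(cpu_lim, mem_lim, cpu_req, mem_req):
    """Build a minimal Pod dict carrying only the fields the check reads."""
    return {"spec": {"containers": [{"name": "opa", "resources": {
        "limits": {"cpu": cpu_lim, "memory": mem_lim},
        "requests": {"cpu": cpu_req, "memory": mem_req}}}]}}

# Resource values copied from the three Pod definitions on this page.
ALLOWED = _pod("4", "2Gi", "1", "2Gi")
DISALLOWED_CPU = _pod("4", "2Gi", "100m", "2Gi")
DISALLOWED_MEM = _pod("800m", "2Gi", "100m", "100Mi")

if __name__ == "__main__":
    for label, pod in [("allowed", ALLOWED), ("example 1", DISALLOWED_CPU),
                       ("example 2", DISALLOWED_MEM)]:
        print(label, check_pod(pod, "1", "10") or "compliant")
```

Run against manifests in CI, a check like this flags ratio violations before the admission policy rejects the Pod.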