Updated on 2024-02-01 GMT+08:00

k8scontainerrequests

Basic Information

  • Policy type: compliance
  • Recommended level: L1
  • Effective resource type: Pod
  • Parameter

    cpu: String

    memory: String

    exemptImages: String array

Function

This policy requires that CPU and memory requests be set and that they do not exceed the configured maximum values.

Policy Example

This policy instance sets the maximum values allowed for CPU and memory requests.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sContainerRequests
metadata:
  name: container-must-have-requests
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    cpu: "200m"
    memory: "1Gi"

Resource Definition That Complies with the Policy

The CPU and memory requests do not exceed the configured maximum values (the memory request equals the 1Gi maximum), which complies with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        requests:
          cpu: "100m"
          memory: "1Gi"

Resource Definition That Does Not Comply with the Policy

The memory Request is greater than the maximum value, which does not comply with the policy instance.

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        requests:
          cpu: "100m"
          memory: "2Gi"
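
The following is an added example, not part of the original page and not Gatekeeper's own implementation: a pre-deployment check in Python that parses Kubernetes quantities and applies the rule described above to the two sample Pods. The function names are hypothetical, and the handling of exemptImages (a trailing "*" means prefix match), of init containers, and of an unset maximum are assumptions.

```python
from decimal import Decimal

# Kubernetes quantity suffixes: milli, decimal (k..E) and binary (Ki..Ei).
SUFFIXES = {"m": Decimal("0.001")}
for i, s in enumerate("kMGTPE", start=1):
    SUFFIXES[s] = Decimal(1000) ** i
    SUFFIXES[("K" if s == "k" else s) + "i"] = Decimal(1024) ** i

def parse_quantity(q):
    """Convert a quantity such as "200m" or "1Gi" to base units."""
    q = str(q).strip()
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if q.endswith(suffix):
            return Decimal(q[:-len(suffix)]) * SUFFIXES[suffix]
    return Decimal(q)

def is_exempt(image, exempt_images):
    # Assumption: an entry ending in "*" is a prefix match, else exact match.
    return any(image.startswith(e[:-1]) if e.endswith("*") else image == e
               for e in exempt_images)

def check_pod(pod, params):
    """Return violation messages for one Pod manifest given as a dict."""
    violations = []
    spec = pod.get("spec", {})
    # Assumptions: init containers are checked; an unset maximum is skipped.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if is_exempt(c.get("image", ""), params.get("exemptImages", [])):
            continue
        requests = (c.get("resources") or {}).get("requests") or {}
        for res in sorted(params.keys() & {"cpu", "memory"}):
            req, cap = requests.get(res), params[res]
            if req is None:
                violations.append(f"{c['name']}: {res} request not set")
            elif parse_quantity(req) > parse_quantity(cap):
                violations.append(f"{c['name']}: {res} request {req} > {cap}")
    return violations

def sample_pod(memory):
    # Constructed input mirroring the page's opa-allowed/opa-disallowed Pods.
    return {"spec": {"containers": [{
        "name": "opa", "image": "openpolicyagent/opa:0.9.2",
        "resources": {"requests": {"cpu": "100m", "memory": memory}}}]}}

PARAMS = {"cpu": "200m", "memory": "1Gi"}  # values from the policy example

if __name__ == "__main__":
    for mem in ("1Gi", "2Gi"):
        print(mem, check_pod(sample_pod(mem), PARAMS) or "compliant")
```

A request that equals the maximum passes, and a container with no requests at all is reported for both resources.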