Updated: 2024-02-01 GMT+08:00

k8srequiredresources

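Basic Information

  • Policy type: Compliance
  • Recommended level: L1
  • Effective resource type: Pod
  • Parameters:
    exemptImages: array of strings
    limits
      cpu
      memory
    requests
      cpu
      memory

Purpose

Constrains container resource usage.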

Policy Instance Example

The memory limit and the CPU and memory requests must be configured.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    limits:
      - memory
    requests:
      - cpu
      - memory

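Resource Definition That Complies with the Policy Instance

The memory limit and the CPU and memory requests are configured, so the Pod complies with the policy instance.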

apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        limits:
          cpu: "100m"
          memory: "1Gi"
        requests:
          cpu: "100m"
          memory: "1Gi"

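Resource Definition That Does Not Comply with the Policy Instance

The memory limit and the CPU and memory requests are not all configured (only the memory limit is set), so the Pod does not comply with the policy instance.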

apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        limits:
          memory: "2Gi"
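
The check this policy instance performs can be reproduced offline, for example to lint manifests in CI before they reach the cluster. The following Python sketch is an added example, not the policy's own code. It assumes only spec.containers is inspected and that an exemptImages entry matches exactly, or as a prefix when it ends in "*". The function names and message text are hypothetical.

```python
# Added example: offline re-implementation of the check this policy describes.
# Assumption: exemptImages entries match exactly, or as a prefix if they end in "*".

def is_exempt(image, exempt_images):
    for entry in exempt_images:
        if entry.endswith("*"):
            if image.startswith(entry[:-1]):
                return True
        elif image == entry:
            return True
    return False


def violations(pod, parameters):
    """Return one message per required limit/request missing from a container."""
    found = []
    exempt = parameters.get("exemptImages", [])
    # Assumption: only spec.containers is inspected.
    for c in pod.get("spec", {}).get("containers", []):
        if is_exempt(c.get("image", ""), exempt):
            continue
        resources = c.get("resources") or {}
        for section in ("limits", "requests"):
            configured = resources.get(section) or {}
            for name in parameters.get(section, []):
                if not configured.get(name):
                    found.append(f"container <{c.get('name')}> does not have "
                                 f"<{section}.{name}> defined")
    return found


# Parameters of the policy instance shown on this page.
PARAMS = {"limits": ["memory"], "requests": ["cpu", "memory"]}


def make_pod(name, resources):
    # Constructed from the two Pod manifests on this page (args and labels omitted).
    container = {"name": "opa", "image": "openpolicyagent/opa:0.9.2",
                 "resources": resources}
    return {"metadata": {"name": name}, "spec": {"containers": [container]}}


ALLOWED = make_pod("opa-allowed", {"limits": {"cpu": "100m", "memory": "1Gi"},
                                   "requests": {"cpu": "100m", "memory": "1Gi"}})
DISALLOWED = make_pod("opa-disallowed", {"limits": {"memory": "2Gi"}})

if __name__ == "__main__":
    for pod in (ALLOWED, DISALLOWED):
        print(pod["metadata"]["name"], violations(pod, PARAMS) or "compliant")
```

For opa-disallowed the missing items are the CPU and memory requests; the memory limit alone does not satisfy the instance.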