Updated: 2024-02-01 GMT+08:00
k8srequiredresources
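Basic Information
- Policy type: Compliance
- Recommended level: L1
- Effective resource type: Pod
- Parameters:
  exemptImages: string array
  limits: cpu, memory
  requests: cpu, memory
Function
Constrains container resource usage by requiring the specified resource Limits and Requests to be set.
Policy Instance Example
The memory Limit and the CPU and memory Requests must be configured.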
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredResources
metadata:
  name: container-must-have-cpu-requests-memory-limits-and-requests
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    limits:
      - memory
    requests:
      - cpu
      - memory
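Resource Definition That Complies with the Policy Instance
The memory Limit and the CPU and memory Requests are configured, so the resource complies with the policy instance.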
apiVersion: v1
kind: Pod
metadata:
  name: opa-allowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        limits:
          cpu: "100m"
          memory: "1Gi"
        requests:
          cpu: "100m"
          memory: "1Gi"
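Resource Definition That Does Not Comply with the Policy Instance
The memory Limit and the CPU and memory Requests are not all configured, so the resource does not comply with the policy instance.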
apiVersion: v1
kind: Pod
metadata:
  name: opa-disallowed
  labels:
    owner: me.agilebank.demo
spec:
  containers:
    - name: opa
      image: openpolicyagent/opa:0.9.2
      args:
        - "run"
        - "--server"
        - "--addr=localhost:8080"
      resources:
        limits:
          memory: "2Gi"
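The check this constraint performs, written out as an added Python example (not Huawei's or Gatekeeper's own code) and run against the two Pod definitions above. It also checks initContainers and treats an exemptImages entry ending in `*` as a prefix match; both are assumptions not stated on this page.

```python
# Added example: offline approximation of the K8sRequiredResources check.
# Pod data below is constructed from the two definitions on this page.
# Assumptions: initContainers are checked too, and an exemptImages entry
# ending in "*" is a prefix match (otherwise exact match).

PARAMETERS = {"limits": ["memory"], "requests": ["cpu", "memory"], "exemptImages": []}


def is_exempt(image, exempt_images):
    """True if the image matches an exemptImages entry."""
    for entry in exempt_images:
        if entry.endswith("*"):
            if image.startswith(entry[:-1]):
                return True
        elif image == entry:
            return True
    return False


def violations(pod, params):
    """Return one message per container and section with missing resource keys."""
    found = []
    spec = pod.get("spec", {})
    for field in ("containers", "initContainers"):
        for c in spec.get(field) or []:
            if is_exempt(c.get("image", ""), params.get("exemptImages", [])):
                continue
            resources = c.get("resources") or {}
            for section in ("limits", "requests"):
                provided = set(resources.get(section) or {})
                missing = sorted(set(params.get(section, [])) - provided)
                if missing:
                    found.append(f"container <{c['name']}> does not have "
                                 f"{missing} {section} defined")
    return found


def make_pod(name, resources):
    """Build a single-container Pod dict shaped like the page's examples."""
    return {"metadata": {"name": name}, "spec": {"containers": [
        {"name": "opa", "image": "openpolicyagent/opa:0.9.2", "resources": resources}]}}


ALLOWED = make_pod("opa-allowed", {"limits": {"cpu": "100m", "memory": "1Gi"},
                                   "requests": {"cpu": "100m", "memory": "1Gi"}})
DISALLOWED = make_pod("opa-disallowed", {"limits": {"memory": "2Gi"}})

if __name__ == "__main__":
    for p in (ALLOWED, DISALLOWED):
        print(p["metadata"]["name"], violations(p, PARAMETERS) or "compliant")
```

For opa-disallowed the only finding is the missing cpu and memory Requests; its memory Limit satisfies the limits parameter.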