mirror of
https://github.com/ghndrx/homelab-gitops.git
synced 2026-02-10 06:44:57 +00:00
3752fd0386
- Kyverno 3.3.4 via Helm (HA config: 3 admission, 2 background replicas) - Validation policies: - disallow-privileged-containers (Enforce) - require-resource-limits (Enforce) - require-labels (Audit - standard k8s labels) - require-run-as-non-root (Audit) - disallow-latest-tag (Enforce - GitOps reproducibility) - Mutating policy: - add-default-securitycontext (seccomp, drop caps, read-only fs) - System namespaces excluded (kube-system, kyverno, istio-system) - Auto-discovered by ArgoCD ApplicationSet Reference: CIS Kubernetes Benchmark, Pod Security Standards
42 lines
1.3 KiB
YAML
42 lines
1.3 KiB
YAML
# infrastructure/kyverno/policies/require-resource-limits.yaml
|
|
# Ensures all pods have resource limits defined
|
|
# Prevents resource exhaustion and enables proper scheduling
|
|
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: require-resource-limits
|
|
annotations:
|
|
policies.kyverno.io/title: Require Resource Limits
|
|
policies.kyverno.io/category: Best Practices
|
|
policies.kyverno.io/severity: medium
|
|
policies.kyverno.io/subject: Pod
|
|
policies.kyverno.io/description: >-
|
|
Resource limits prevent a single workload from consuming excessive
|
|
cluster resources. This policy requires all containers to define
|
|
CPU and memory limits.
|
|
spec:
|
|
validationFailureAction: Enforce
|
|
background: true
|
|
rules:
|
|
- name: validate-resources
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Pod
|
|
exclude:
|
|
any:
|
|
- resources:
|
|
namespaces:
|
|
- kube-system
|
|
- kyverno
|
|
validate:
|
|
message: "CPU and memory limits are required. Add resources.limits.cpu and resources.limits.memory."
|
|
pattern:
|
|
spec:
|
|
containers:
|
|
- resources:
|
|
limits:
|
|
memory: "?*"
|
|
cpu: "?*"
|