package admission
import data.k8s.matches
###############################################################################
#
# Policy : Container resource limits defined
# e.g. every container should have CPU and memory limits set
#
###############################################################################
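# Deny any pod that has a container without both a CPU and a memory limit.
#
# Each violation carries the policy id, the offending resource
# (kind/namespace/name) and a human-readable message naming the container,
# so the caller can surface it directly to the requester.
deny[{
	"id": "container-resource-defined", # identifies type of violation
	"resource": {
		"kind": "pods", # identifies kind of resource
		"namespace": namespace, # identifies namespace of resource
		"name": name # identifies name of resource
	},
	"resolution": {"message": msg}, # provides human-readable message to display
}] {
	matches[["pods", namespace, name, matched_pod]]
	# Init containers run on the same node, before the app containers, and
	# consume node resources too, so they are held to the same requirement.
	container := pod_containers(matched_pod)[_]
	# A container with no `resources` field at all makes this call undefined,
	# and `not` of an undefined expression is true, so it is denied as well.
	not resources_complete(container.resources)
	msg := sprintf("resource limits are not defined for container %q", [container.name])
}

# All containers of `pod` -- regular and init -- as one array. Either list
# may be absent from the spec, so each defaults to [] rather than making the
# whole expression undefined (which would silently skip the pod).
pod_containers(pod) = containers {
	containers := array.concat(
		object.get(pod.spec, "containers", []),
		object.get(pod.spec, "initContainers", []),
	)
}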
# True when `resources` declares both a memory and a CPU limit.
#
# Undefined (not false) for everything else: a missing or empty `limits`
# object, a `resources` value that is not an object, or a block that only
# sets `requests`. Callers are expected to test it with `not`.
resources_complete(resources) {
	resources.limits.memory
	resources.limits.cpu
}