From 6ddcce3c7243119f69ccc420ab1f8b49fff12ea0 Mon Sep 17 00:00:00 2001
From: Chandan-DK
Date: Sun, 7 Apr 2024 11:15:15 +0000
Subject: [PATCH] convert memory-requests-equal-limits to cel

Signed-off-by: Chandan-DK
---
 .../artifacthub-pkg.yml | 15 ++++++----
 .../memory-requests-equal-limits.yaml | 28 +++++++++++--------
 2 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml
index 0eab5d3b2..c50a6c04d 100644
--- a/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml
+++ b/other-cel/memory-requests-equal-limits/artifacthub-pkg.yml
@@ -1,21 +1,24 @@
-name: memory-requests-equal-limits
+name: memory-requests-equal-limits-cel
 version: 1.0.0
-displayName: Memory Requests Equal Limits
-createdAt: "2023-04-10T20:30:04.000Z"
+displayName: Memory Requests Equal Limits in CEL expressions
 description: >-
     Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits.
 install: |-
     ```shell
-    kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/memory-requests-equal-limits/memory-requests-equal-limits.yaml
+    kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml
     ```
 keywords:
     - kyverno
     - Sample
+    - CEL Expressions
 readme: |
     Pods which have memory limits equal to requests are given a QoS class of Guaranteed which is the highest schedulable class. This policy checks that all containers in a given Pod have memory requests equal to limits.
 
     Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
 annotations:
-    kyverno/category: "Sample"
+    kyverno/category: "Sample in CEL"
+    kyverno/kubernetesVersion: "1.26-1.27"
     kyverno/subject: "Pod"
-digest: 634be7d8371928ed519a4576f84751fd423ae3d3e6e9146bb2280910dc8954c5
+digest: 176dc9b492d3eee687bc89711d3414f13bf00548b85781e71ccaacd12bbf6f1a
+createdAt: "2024-04-07T11:13:21Z"
+
diff --git a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml
index 9afeb8f06..82b23257b 100644
--- a/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml
+++ b/other-cel/memory-requests-equal-limits/memory-requests-equal-limits.yaml
@@ -3,17 +3,18 @@ kind: ClusterPolicy
 metadata:
   name: memory-requests-equal-limits
   annotations:
-    policies.kyverno.io/title: Memory Requests Equal Limits
-    policies.kyverno.io/category: Sample
+    policies.kyverno.io/title: Memory Requests Equal Limits in CEL expressions
+    policies.kyverno.io/category: Sample in CEL
     policies.kyverno.io/severity: medium
     policies.kyverno.io/subject: Pod
-    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/minversion: 1.11.0
+    kyverno.io/kubernetes-version: "1.26-1.27"
     policies.kyverno.io/description: >-
       Pods which have memory limits equal to requests could be given a QoS class of Guaranteed
       if they also set CPU limits equal to requests. Guaranteed is the highest schedulable class.
       This policy checks that all containers in a given Pod have memory requests equal to limits.
 spec:
-  validationFailureAction: audit
+  validationFailureAction: Audit
   background: false
   rules:
   - name: memory-requests-equal-limits
@@ -23,10 +24,15 @@ spec:
           kinds:
           - Pod
     validate:
-      message: "resources.requests.memory must be equal to resources.limits.memory"
-      deny:
-        conditions:
-          any:
-          - key: "{{ request.object.spec.containers[?resources.requests.memory!=resources.limits.memory] | length(@) }}"
-            operator: NotEquals
-            value: 0
+      cel:
+        variables:
+          - name: containersWithResources
+            expression: object.spec.containers.filter(container, has(container.resources))
+        expressions:
+          - expression: >-
+              variables.containersWithResources.all(container,
+              !has(container.resources.requests) ||
+              !has(container.resources.requests.memory) ||
+              container.resources.requests.memory == container.resources.?limits.?memory.orValue('-1'))
+            message: "resources.requests.memory must be equal to resources.limits.memory"
+
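Review bot: The new CEL expression compares `requests.memory` and `limits.memory` as literal strings, so two equal quantities written in different units (e.g. `128Mi` and `134217728`) are reported as unequal even though the Pod would still qualify for the Guaranteed QoS class; this matches the JMESPath rule it replaces, but it is worth stating in `policies.kyverno.io/description`, e.g. `Requests and limits are compared as literal strings, so both must use the same unit.` If the Kyverno CEL environment in use exposes the Kubernetes `quantity()` library function, a quantity-aware comparison would remove that false positive, but I have not verified its availability on the 1.26-1.27 range this change annotates. There is also a behavioural divergence: a container that sets `limits.memory` without `requests.memory` now passes via the `!has(container.resources.requests.memory)` branch, whereas the old `!=` against a missing request appears to have denied it; in API-server admission this is usually moot because defaulting copies limits into requests, but manifests evaluated outside admission (e.g. CLI tests) may behave differently, so a test case for that shape would pin the intended behaviour. As before, only `spec.containers` is inspected, so `initContainers` and `ephemeralContainers` remain outside the check.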