# SPDX-FileCopyrightText: 2024 Bundesministerium des Innern und für Heimat, PG ZenDiS "Projektgruppe für Aufbau ZenDiS"
# SPDX-License-Identifier: Apache-2.0
---
apiVersion: "kyverno.io/v1"
kind: "ClusterPolicy"
metadata:
  name: "require-requests-limits"
  annotations:
    policies.kyverno.io/title: "Require resources cpu/memory request and limits."
    policies.kyverno.io/subject: "Pod"
    policies.kyverno.io/description: >-
      As application workloads share cluster resources, it is important to limit
      resources requested and consumed by each Pod. It is recommended to require
      resource requests and limits per Pod, especially for memory and CPU. If a
      Namespace level request or limit is specified, defaults will automatically
      be applied to each Pod based on the LimitRange configuration. This policy
      validates that all containers have specified requests for memory and CPU
      and a limit for memory.
spec:
  # Also evaluate Pods that already exist, not only new admission requests.
  background: true
  rules:
    - match:
        resources:
          kinds:
            - "Pod"
      name: "validate-resources"
      validate:
        message: "CPU and memory resource requests and limits are required."
        pattern:
          spec:
            # =(...) is a conditional anchor: the nested pattern is checked
            # only when the field is present on the Pod.
            =(ephemeralContainers):
              - resources:
                  limits:
                    memory: "?*"
                  requests:
                    cpu: "?*"
                    memory: "?*"
            =(initContainers):
              - resources:
                  limits:
                    memory: "?*"
                  requests:
                    cpu: "?*"
                    memory: "?*"
            # "?*" matches any non-empty value, so every container must set
            # a memory limit and CPU and memory requests.
            containers:
              - resources:
                  limits:
                    memory: "?*"
                  requests:
                    cpu: "?*"
                    memory: "?*"
  # "audit" records violations in policy reports without rejecting the Pod.
  validationFailureAction: "audit"
...