Resource quotas
Overview
We extended JSON Schema with the keywords resourceMinimum and resourceMaximum to help create custom rules that compare resource quantity strings (CPU and memory) such as 1000m and 1G. Below is an example check that verifies a CPU limit falls within a given range.

Let's say we want to make sure that Kubernetes configs always have a CPU limit within the range 250m-500m. This is how the custom rule to check that would look:
```yaml
customRules:
  - identifier: CUSTOM_CONTAINERS_INCORRECT_CPU_LIMIT_VALUE
    name: Ensure each container has a configured CPU limit within range [CUSTOM RULE]
    defaultMessageOnFailure: CPU limit value should be within the accepted boundaries (250m-500m)
    schema:
      properties:
        spec:
          properties:
            containers:
              items:
                properties:
                  resources:
                    properties:
                      limits:
                        properties:
                          cpu:
                            resourceMinimum: 250m
                            resourceMaximum: 500m
```
And this is how the policy would look:
```yaml
apiVersion: v1
policies:
  - name: Default
    isDefault: true
    rules:
      - identifier: CUSTOM_CONTAINERS_INCORRECT_CPU_LIMIT_VALUE
        messageOnFailure: CPU limit value should be within the accepted boundaries (250m-500m)
  # - name: staging
  #   rules:
  #     - identifier: CUSTOM_CONTAINERS_INCORRECT_CPU_LIMIT_VALUE
  #       messageOnFailure: This message will override the rule's `defaultMessageOnFailure` property
customRules:
  - identifier: CUSTOM_CONTAINERS_INCORRECT_CPU_LIMIT_VALUE
    name: Ensure each container has a configured CPU limit within range [CUSTOM RULE]
    defaultMessageOnFailure: CPU limit value should be within the accepted boundaries (250m-500m)
    schema:
      properties:
        spec:
          properties:
            containers:
              items:
                properties:
                  resources:
                    properties:
                      limits:
                        properties:
                          cpu:
                            resourceMinimum: 250m
                            resourceMaximum: 500m
```
See it in action
Let's test this manifest after publishing the policy.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: frontend
spec:
  containers:
    - name: cpu-demo
      image: images.my-company.example/app:v4
      resources:
        requests:
          memory: '64Mi'
          cpu: '250m'
        limits:
          memory: '128Mi'
          cpu: '1G'
```
This manifest fails the rule because its container (cpu-demo) has a CPU limit of 1G, which is far larger than 500m. (Kubernetes parses 1G as 10^9 CPU cores; a realistic manifest would say 1 or 1000m, but the comparison against the 500m maximum is the same.)
Important notes
- resourceMinimum and resourceMaximum normalize quantities written in different units before comparing them, so a CPU limit of "0.6" still fails this rule (0.6 = 600m).
- The rule in this example does not fail when the property path `resources.limits.cpu` does not exist. If you want the policy check to fail in that case, either add our built-in rule to this policy or add `required` to the rule's schema logic.
- The rule above does not apply when `containers` is nested under `spec.template.spec.containers[]` (Deployments, StatefulSets, Jobs and similar workloads). If you want the rule to support the property path `**.spec.containers[].resources.limits.cpu`, find direction for its implementation here.
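The three notes above are easiest to understand by running them. The following is an added example, not Datree's code: a small, self-contained model of how a schema with resourceMinimum / resourceMaximum evaluates a manifest. The functions `parse_quantity`, `validate`, `cpu_limit_schema` and `pod` are names made up for this example, the validator implements only the keywords the page's rule uses (`properties`, `items`, `required` and the two custom keywords), and the manifests are constructed to mirror the cpu-demo Pod above. It shows that 600m and 0.6 compare equal, that a missing `resources.limits.cpu` passes unless `required` is added, and that a rule written for `spec.containers[]` never inspects `spec.template.spec.containers[]`.

```python
"""Minimal model of resourceMinimum / resourceMaximum rule evaluation.

Added example for this page, not Datree's implementation.  It reimplements
only what is needed to reproduce the behaviour described in the notes:
quantity strings are normalised before comparison, an absent property is
simply not validated unless `required` says otherwise, and the schema only
walks the exact path it was written for.
"""
import re
from fractions import Fraction

# Kubernetes quantity suffixes: decimal SI ones and binary (power-of-two) ones.
# Exponent notation (e.g. 1e3) is not handled here; this is a simplification.
_SUFFIX = {"": 1, "m": Fraction(1, 1000), "k": 10**3, "M": 10**6, "G": 10**9,
           "T": 10**12, "P": 10**15, "E": 10**18, "Ki": 2**10, "Mi": 2**20,
           "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60}
_QTY = re.compile(r"^(\d+(?:\.\d+)?)(m|k|M|G|T|P|E|Ki|Mi|Gi|Ti|Pi|Ei)?$")


def parse_quantity(value) -> Fraction:
    """Turn '250m', '0.6', '128Mi', 1 ... into an exact number of base units."""
    m = _QTY.match(str(value))
    if not m:
        raise ValueError(f"not a Kubernetes quantity: {value!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2) or ""]


def validate(schema: dict, doc, path: str = "$") -> list:
    """Return violation messages for doc against schema ([] means the rule passes)."""
    errors = []
    if "resourceMinimum" in schema and parse_quantity(doc) < parse_quantity(schema["resourceMinimum"]):
        errors.append(f"{path}: {doc} is below resourceMinimum {schema['resourceMinimum']}")
    if "resourceMaximum" in schema and parse_quantity(doc) > parse_quantity(schema["resourceMaximum"]):
        errors.append(f"{path}: {doc} is above resourceMaximum {schema['resourceMaximum']}")
    if isinstance(doc, dict):
        for key in schema.get("required", []):
            if key not in doc:
                errors.append(f"{path}: required property '{key}' is missing")
        for key, sub in schema.get("properties", {}).items():
            if key in doc:  # JSON Schema semantics: an absent key is not validated
                errors.extend(validate(sub, doc[key], f"{path}.{key}"))
    if isinstance(doc, list) and "items" in schema:
        for i, item in enumerate(doc):
            errors.extend(validate(schema["items"], item, f"{path}[{i}]"))
    return errors


def cpu_limit_schema(minimum="250m", maximum="500m", require_limit=False) -> dict:
    """The page's CUSTOM_CONTAINERS_INCORRECT_CPU_LIMIT_VALUE schema as a dict.

    With require_limit=True every level on the way down to limits.cpu is marked
    `required`, which is the fix the notes suggest for a missing path."""
    cpu = {"resourceMinimum": minimum, "resourceMaximum": maximum}
    limits = {"properties": {"cpu": cpu}}
    resources = {"properties": {"limits": limits}}
    container = {"properties": {"resources": resources}}
    spec = {"properties": {"containers": {"items": container}}}
    if require_limit:
        limits["required"] = ["cpu"]
        resources["required"] = ["limits"]
        container["required"] = ["resources"]
        spec["required"] = ["containers"]
    return {"properties": {"spec": spec}}


def pod(cpu_limit=None, nested=False) -> dict:
    """Constructed sample manifest shaped like the page's cpu-demo Pod."""
    container = {"name": "cpu-demo", "image": "images.my-company.example/app:v4",
                 "resources": {"requests": {"memory": "64Mi", "cpu": "250m"},
                               "limits": {"memory": "128Mi"}}}
    if cpu_limit is not None:
        container["resources"]["limits"]["cpu"] = cpu_limit
    spec = {"containers": [container]}
    if nested:  # Deployment-style document: spec.template.spec.containers[]
        return {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": spec}}}
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "frontend"}, "spec": spec}


if __name__ == "__main__":
    rule, strict = cpu_limit_schema(), cpu_limit_schema(require_limit=True)
    cases = [("1G limit", pod("1G")), ("0.6 limit", pod("0.6")), ("400m limit", pod("400m")),
             ("no limit", pod()), ("nested 1G", pod("1G", nested=True))]
    for label, manifest in cases:
        print(f"{label:12} page rule:     {validate(rule, manifest) or 'PASS'}")
        print(f"{'':12} with required: {validate(strict, manifest) or 'PASS'}")
```

Running it shows the page rule rejecting 1G and 0.6, accepting 400m, and silently passing both the Pod with no CPU limit and the Deployment with a 1G limit in its pod template. The `required` variant catches the missing limit, but it also rejects the Deployment, because `spec.containers` is now required and a Deployment's spec has `template` instead. A required-based rule therefore has to be scoped to Pod-shaped manifests or extended to the nested path as the last note describes.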