Resource quotas

Overview

We extended JSON Schema with the keywords resourceMinimum and resourceMaximum to help create custom rules for comparing resource quotas strings (CPU and memory) like 1000m and 1G. Here's an example check for when memory and CPU fall within a certain range.

Let's say we want to make sure that Kubernetes configs always have a CPU limit within the range of 250m-500m. This is how the custom rule to check that would look:

YAML

And this is how the policy would look:

policies.yaml

See it in action

Let's test this manifest after publishing the policy.

k8s-demo.yaml

This manifest will fail because it has a container (cpu-demo) with a CPU limit larger than 500m:

Document image

Important notes

  • resourceMinimum and resourceMaximum keywords will translate and compare input from different resource quotas, so if CPU will be "0.6", the rule will still fail (600m=0.6).
  • The rule in this example will not fail if the property path resources.limits.cpu doesn't exist. If you want the policy check to fail in a case like that, you need to either add our built-in rule to this policy or add it to the rule logic by using `required`.
  • The above rule won't work if the property containers is nested under spec.template.spec.containers[]. If you want the rule to support the property path **.spec.containers[].resources.limits.cpu, find direction for its implementation here.