policies/opa/classic/configmaps/7-deployment-resources.yaml (62 lines of code) (raw):
kind: ConfigMap
apiVersion: v1
metadata:
name: deployment-resources
namespace: opa
labels:
app: opa
owner: jimmy
openpolicyagent.org/policy: rego
data:
main: |
package kubernetes.admission
import data.lib.k8s.helpers as helpers
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.resources
msg = sprintf("%q: Valid resources element not found in %q container. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.resources.limits
msg = sprintf("%q: Valid resources.limits element not found in %q container. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.resources.limits.cpu
msg = sprintf("%q: Valid resources.limits.cpu element not found in %q container. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.resources.limits.memory
msg = sprintf("%q: Valid resources.limits.memory element not found in %q container. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.resources.requests
msg = sprintf("%q: Valid resources.requests element not found in %q container. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.resources.requests.cpu
msg = sprintf("%q: Valid resources.requests.cpu element not found in %q container. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}
deny[msg] {
helpers.request_kind = "Deployment"
helpers.allowed_operations[helpers.request_operation]
container = helpers.deployment_containers[_]
not container.resources.requests.memory
msg = sprintf("%q: Valid resources.requests.memory element not found in %q container. Resource ID (ns/name/kind): %q", [helpers.deployment_error,container.name,helpers.request_id])
}