open-policy-agent / gatekeeper-library

📚 The OPA Gatekeeper policy library
https://open-policy-agent.github.io/gatekeeper-library
Apache License 2.0

feat(general): Add volumeresources emptyDir sizelimit #514

Open dongjiang1989 opened 2 months ago

dongjiang1989 commented 2 months ago

What this PR does / why we need it: feat(general): Add volumeresources emptyDir sizelimit.

One node in the cluster was emptyDir-evicted because the log volume did not have a capacity limit (sizeLimit) set.

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged): Fixes #

Special notes for your reviewer:
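As an added illustration of the policy this PR describes (example manifests written for this page, not the PR's own files or the library's code), the following is a Gatekeeper ConstraintTemplate that rejects any Pod carrying an emptyDir volume without a sizeLimit, a constraint that scopes it to Pods, and a denied/allowed Pod pair reproducing the unbounded log-volume case from the description. The template name, constraint kind and Pod names are assumptions chosen here:

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8semptydirsizelimit          # assumed name, not the PR's
spec:
  crd:
    spec:
      names:
        kind: K8sEmptyDirSizeLimit     # assumed constraint kind
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8semptydirsizelimit

        # One violation per emptyDir volume on the reviewed Pod that lacks sizeLimit.
        violation[{"msg": msg}] {
          volume := input.review.object.spec.volumes[_]
          has_field(volume, "emptyDir")
          not has_field(volume.emptyDir, "sizeLimit")
          msg := sprintf("emptyDir volume <%v> must set spec.volumes[].emptyDir.sizeLimit", [volume.name])
        }

        # Defined (true) only when the key exists; an empty object {} is still a
        # defined value in Rego, so `emptyDir: {}` is detected as present.
        has_field(obj, field) {
          obj[field]
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sEmptyDirSizeLimit
metadata:
  name: emptydir-must-set-sizelimit   # assumed name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
---
# Denied: the log volume has no cap, so a runaway log file can fill node ephemeral
# storage and trigger node-level eviction (the incident in the PR description).
apiVersion: v1
kind: Pod
metadata:
  name: emptydir-no-limit             # constructed sample
spec:
  containers:
    - name: app
      image: nginx
      volumeMounts:
        - name: logs
          mountPath: /var/log/app
  volumes:
    - name: logs
      emptyDir: {}
---
# Allowed: same Pod with a sizeLimit; if usage exceeds it the kubelet evicts only
# this Pod instead of the node running out of disk.
apiVersion: v1
kind: Pod
metadata:
  name: emptydir-with-limit           # constructed sample
spec:
  containers:
    - name: app
      image: nginx
      volumeMounts:
        - name: logs
          mountPath: /var/log/app
  volumes:
    - name: logs
      emptyDir:
        sizeLimit: 500Mi
```

Applying the two Pods with kubectl after the template and constraint are installed gives an admission denial for the first and an admission success for the second; the same pair can be placed under allowed/ and disallowed/ example directories for the library's gator-based suite.yaml tests.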

JaydipGabani commented 2 months ago

@dongjiang1989 can you also modify empty suite.yaml with appropriate configurations? - here is an example of working suite.yaml - https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/block-wildcard-ingress/suite.yaml

dongjiang1989 commented 2 months ago

@dongjiang1989 can you also modify empty suite.yaml with appropriate configurations? - here is an example of working suite.yaml - https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/block-wildcard-ingress/suite.yaml

Thanks. @JaydipGabani Fixed. Please re-check

JaydipGabani commented 3 weeks ago

@dongjiang1989 apologies for going back and forth, but it would be best to keep the policy applicable to pods because currently the library doesn't test policies with expansionTemplates and the CI will likely fail since you are using Deployment for allowed/disallowed examples; you would not get expected violations in return. The policy would still deny the pods spun up by workload resources as well, but the denied message wouldn't be in the stdout without an expansionTemplate (the denied message could be found on the status of the parent resource for the pod).
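For the behaviour described in the comment above, here is an added example (not part of the PR or the library) of the Gatekeeper ExpansionTemplate that would make a Pod-scoped constraint evaluate the Pod a Deployment is about to create, so that the denial surfaces at admission of the Deployment itself rather than only on the status of the Pods it later spawns. The resource name is an assumption; the API group, version and field names are those of Gatekeeper's documented expansion feature and should be matched to the installed release:

```yaml
apiVersion: expansion.gatekeeper.sh/v1alpha1
kind: ExpansionTemplate
metadata:
  name: expand-deployments-to-pods    # assumed name
spec:
  # Workload kinds whose pod template should be expanded into a synthetic Pod.
  applyTo:
    - groups: ["apps"]
      kinds: ["Deployment"]
      versions: ["v1"]
  # Path inside the workload object holding the pod template.
  templateSource: "spec.template"
  # GVK of the resource generated from that template and handed to Pod constraints.
  generatedGVK:
    kind: "Pod"
    group: ""
    version: "v1"
```

With this in place, submitting a Deployment whose template carries `emptyDir: {}` is rejected with the constraint's message directly in the kubectl output; without it, the Deployment is admitted and the violation only appears when the ReplicaSet tries to create Pods, which is why the library's CI expects Pod examples when no expansion template is under test.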

dongjiang1989 commented 3 weeks ago

@dongjiang1989 apologies for going back and forth, but it would be best to keep the policy applicable to pods because currently the library doesn't test policies with expansionTemplates and the CI will likely fail since you are using Deployment for allowed/disallowed examples; you would not get expected violations in return. The policy would still deny the pods spun up by workload resources as well, but the denied message wouldn't be in the stdout without an expansionTemplate (the denied message could be found on the status of the parent resource for the pod).

Thanks @JaydipGabani . PTAL re-check

Keep the policy applicable to pods done.

JaydipGabani commented 2 weeks ago

@dongjiang1989 you will need to remove examples with kind: Deployment from artifacthub/ dir.

dongjiang1989 commented 2 weeks ago

@dongjiang1989 you will need to remove examples with kind: Deployment from artifacthub/ dir.

@JaydipGabani Thanks for your review. Done.

JaydipGabani commented 2 weeks ago

@maxsmythe @ritazh @sozercan PTAL.

ritazh commented 1 week ago

Thanks for the PR!