
New policy: `emptyDir` volume size constraint

Open flavio opened this issue 1 year ago • 5 comments

Description

Requires that any emptyDir volumes specify a sizeLimit.

Optionally, a maxSizeLimit parameter can be supplied in the constraint to specify a maximum allowable size limit. Optionally, a defaultSizeLimit parameter can be supplied to specify the default value to add to an emptyDir definition when it doesn't have any value specified.

Configuration

The policy will have the following configuration format:

```yaml
# optional - the maximum size a user can request
maxSizeLimit: "1G"

# optional - the value to be used when the user didn't specify anything
defaultSizeLimit: "200M"
```

Important: the size must be expressed using the quantity definitions of Kubernetes.

The policy should reject a configuration that makes use of quantities that are not known to Kubernetes:

  • 100M, 100Mi: accepted
  • 100MB, 100Mb: rejected

More details here.

Possible scenarios

This table summarizes all the possible scenarios for this policy:

| maxSizeLimit | defaultSizeLimit | Outcome |
|---|---|---|
| 100M | - | Creation rejected if the size is missing or if it's more than 100M |
| - | - | Creation rejected if the size is missing. Any value provided by the user is accepted |
| - | 100M | Any value provided by the user is accepted. If no value is provided, the policy mutates the resource and changes the emptyDir to have a maximum size of 100M |
| 100M | 50M | Creation is rejected if the requested size is > 100M; otherwise the value provided by the user is accepted. If no value is provided, the policy will set a limit of 50M |
| 100M | 200M | Configuration validation failure: the default size limit cannot be more than the maximum allowed size |

Notes

This is going to be a mutating policy

flavio, Dec 14 '23 08:12
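The scenario table from the issue description, expressed as decision logic. This is an added example, not code from the issue or from the Kubewarden project. The function names and the plain-dict pod spec are assumptions, and the quantity parser accepts only plain numbers with decimal SI or binary suffixes.

```python
import copy
import re
from decimal import Decimal

# Subset of Kubernetes quantity suffixes (decimal SI and binary); exponent and
# milli forms are not handled here.
SUFFIXES = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
            "P": 10**15, "E": 10**18, "Ki": 2**10, "Mi": 2**20,
            "Gi": 2**30, "Ti": 2**40, "Pi": 2**50, "Ei": 2**60}
QUANTITY = re.compile(r"(\d+(?:\.\d+)?)([A-Za-z]*)")

def parse_quantity(text):
    """Return the quantity in bytes; raise ValueError on suffixes like 'MB'."""
    m = QUANTITY.fullmatch(str(text))
    if m is None or m.group(2) not in SUFFIXES:
        raise ValueError(f"not a Kubernetes quantity: {text!r}")
    return Decimal(m.group(1)) * SUFFIXES[m.group(2)]

def validate_settings(settings):
    """Parse both optional settings; the default must not exceed the maximum."""
    max_b = default_b = None
    if settings.get("maxSizeLimit") is not None:
        max_b = parse_quantity(settings["maxSizeLimit"])
    if settings.get("defaultSizeLimit") is not None:
        default_b = parse_quantity(settings["defaultSizeLimit"])
    if max_b is not None and default_b is not None and default_b > max_b:
        raise ValueError("defaultSizeLimit cannot be more than maxSizeLimit")
    return max_b, settings.get("defaultSizeLimit")

def evaluate(pod_spec, settings):
    """Return (accepted, message, mutated_spec_or_None) for a pod spec dict."""
    max_b, default_q = validate_settings(settings)
    spec, mutated = copy.deepcopy(pod_spec), False
    for vol in spec.get("volumes") or []:
        if "emptyDir" not in vol:
            continue  # only emptyDir volumes are in scope
        empty_dir = vol["emptyDir"] = vol["emptyDir"] or {}
        limit = empty_dir.get("sizeLimit")
        name = vol.get("name")
        if limit is None:
            if default_q is None:
                return False, f"volume {name}: sizeLimit is missing", None
            empty_dir["sizeLimit"], mutated = default_q, True  # mutate
        elif max_b is not None and parse_quantity(limit) > max_b:
            return False, f"volume {name}: {limit} exceeds maxSizeLimit", None
    return True, "ok", spec if mutated else None
```
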

@Martin-Weiss, @raif-ahmed can you check the description of the policy to ensure it matches your requirements? I've added the mutation bits to the policy requirements, I think it would be nice to have it. If you don't like it we can drop it

flavio, Dec 14 '23 08:12

@flavio after careful reading I think it's a good idea to have this mutation default and max.

raif-ahmed, Dec 14 '23 12:12

@flavio - I am not sure - but would it be useful to have this supporting requests as well? (Does having limits without requests make sense? I am not sure if limits are taken into account during scheduling as well..)

spec.containers[].resources.requests.ephemeral-storage

https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#setting-requests-and-limits-for-local-ephemeral-storage

Martin-Weiss, Dec 15 '23 13:12

@Martin-Weiss, good point. I would however add this check to the https://github.com/kubewarden/kubewarden-controller/issues/590 policy. What do you think about this idea?

flavio, Dec 15 '23 16:12

@flavio - yeah - I guess CPU / memory / filesystem requests and limits could be in one combined policy.

Martin-Weiss, Dec 18 '23 10:12