
feat(general): Add volumeresources emptyDir sizelimit

Open dongjiang1989 opened this issue 10 months ago • 8 comments

What this PR does / why we need it: feat(general): Add volumeresources emptyDir sizelimit.

One node in the cluster was emptyDir evicted because the log volume did not set a capacity limit sizeLimit.

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged): Fixes #

Special notes for your reviewer:

dongjiang1989 avatar Apr 24 '24 13:04 dongjiang1989

@dongjiang1989 can you also modify empty suite.yaml with appropriate configurations? - here is an example of working suite.yaml - https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/block-wildcard-ingress/suite.yaml

JaydipGabani avatar Apr 24 '24 22:04 JaydipGabani

> @dongjiang1989 can you also modify empty suite.yaml with appropriate configurations? - here is an example of working suite.yaml - https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/block-wildcard-ingress/suite.yaml

Thanks. @JaydipGabani Fixed. Please re-check

dongjiang1989 avatar Apr 25 '24 01:04 dongjiang1989

@dongjiang1989 apologies for going back and forth, but it would be best to keep the policy applicable to pods, because currently the library doesn't test policies with expansionTemplates and the CI will likely fail: since you are using Deployment for allowed/disallowed examples, you would not get the expected violations in return. The policy would still deny the pods spun up by workload resources as well, but the denied message wouldn't be in the stdout without expansionTemplate (the denied message could be found on the status of the parent resource for the pod).

JaydipGabani avatar Jun 12 '24 17:06 JaydipGabani
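
The Pod-scoped check discussed above, sketched as an added example; it is not part of this thread and is not the policy submitted in the PR. The package name and the `exemptVolumes` parameter are hypothetical, and the rule uses the Rego v0 `violation[{"msg": msg}]` form that Gatekeeper templates use.

```rego
package k8semptydirsizelimit

# Added illustration, not the PR's policy. Gatekeeper hands the object under
# admission review to the rule as input.review.object. Evaluating the Pod
# itself (not a Deployment) is what makes the violation show up directly
# without an expansion template.
violation[{"msg": msg}] {
    input.review.object.kind == "Pod"
    volume := input.review.object.spec.volumes[_]
    is_empty_dir(volume)
    not exempt(volume)
    not has_size_limit(volume)
    msg := sprintf("emptyDir volume <%v> must set sizeLimit", [volume.name])
}

# `emptyDir: {}` is the common form, so test for the key being an object
# instead of relying on any field inside it.
is_empty_dir(volume) {
    is_object(volume.emptyDir)
}

# A limit counts only if the field is present and not an empty string.
has_size_limit(volume) {
    limit := volume.emptyDir.sizeLimit
    limit != ""
}

# Hypothetical parameter: volume names the constraint author chooses to skip.
# If the constraint sets no parameters, this is undefined and nothing is exempt.
exempt(volume) {
    volume.name == input.parameters.exemptVolumes[_]
}
```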

> @dongjiang1989 apologies for going back and forth, but it would be best to keep the policy applicable to pods, because currently the library doesn't test policies with expansionTemplates and the CI will likely fail: since you are using Deployment for allowed/disallowed examples, you would not get the expected violations in return. The policy would still deny the pods spun up by workload resources as well, but the denied message wouldn't be in the stdout without expansionTemplate (the denied message could be found on the status of the parent resource for the pod).

Thanks @JaydipGabani. PTAL re-check

Keep the policy applicable to pods done.

dongjiang1989 avatar Jun 17 '24 07:06 dongjiang1989

@dongjiang1989 you will need to remove examples with kind: Deployment from artifacthub/ dir.

JaydipGabani avatar Jun 17 '24 17:06 JaydipGabani

> @dongjiang1989 you will need to remove examples with kind: Deployment from artifacthub/ dir.

@JaydipGabani Thanks for your review. Done.

dongjiang1989 avatar Jun 18 '24 07:06 dongjiang1989

@maxsmythe @ritazh @sozercan PTAL.

JaydipGabani avatar Jun 18 '24 17:06 JaydipGabani

Thanks for the PR!

ritazh avatar Jun 27 '24 14:06 ritazh