nirmata · anusha94 · Mar 5, 2024 · Mar 1, 2024 · Mar 1, 2024 · Mar 1, 2024
diff --git a/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/bad-resource.yaml b/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/bad-resource.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: bad-resource-quota
+  namespace: testing-ns
+spec:
+  hard:
+    cpu: "1"
+    memory: "1Gi"
diff --git a/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/chainsaw-enforce-assert.yaml b/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/chainsaw-enforce-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-namespace-quota
+spec:
+  validationFailureAction: Enforce
diff --git a/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/chainsaw-policy-assert.yaml b/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/chainsaw-policy-assert.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-namespace-quota
+status:
+  ready: true
diff --git a/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/chainsaw-test.yaml b/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,35 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: require-namespace-quota
+spec:
+  steps:
+  - name: test-require-namespace-quota
+    try:
+    - apply:
+        file: ../require-namespace-quota.yaml
+    - assert:
+        file: chainsaw-policy-assert.yaml
+    - apply:
+        file: good-resource.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: require-namespace-quota
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-enforce-assert.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: bad-resource.yaml
+    - delete:
+        ref:
+          apiVersion: v1
+          kind: namespace
+          name: testing-ns
diff --git a/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/good-resource.yaml b/multitenancy-benchmarks/require-namespace-quota/.chainsaw-test/good-resource.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: testing-ns
+spec: {}
+
+---
+
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: good-resource-quota
+  namespace: testing-ns
+spec:
+  hard:
+    cpu: "4"
+    memory: 8Gi
+    ephemeral-storage: 10Gi
diff --git a/multitenancy-benchmarks/require-namespace-quota/.kyverno-test/kyverno-test.yaml b/multitenancy-benchmarks/require-namespace-quota/.kyverno-test/kyverno-test.yaml
@@ -0,0 +1,16 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: kyverno-test.yaml
+policies:
+- ../require-namespace-quota.yaml
+resources:
+- resource.yaml
+results:
+- kind: Namespace
+  policy: require-namespace-quota
+  resources:
+  - testing-ns
+  result: pass
+  rule: resourcequotas
+variables: values.yaml
diff --git a/multitenancy-benchmarks/require-namespace-quota/.kyverno-test/resource.yaml b/multitenancy-benchmarks/require-namespace-quota/.kyverno-test/resource.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: testing-ns
+spec: {}
+
+---
+
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: good-resource-quota
+  namespace: testing-ns
+spec:
+  hard:
+    cpu: "4"
+    memory: 8Gi
+    ephemeral-storage: 10Gi
diff --git a/multitenancy-benchmarks/require-namespace-quota/.kyverno-test/values.yaml b/multitenancy-benchmarks/require-namespace-quota/.kyverno-test/values.yaml
@@ -0,0 +1,12 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Values
+policies:
+- name: require-namespace-quota
+  rules:
+  - name: resourcequotas
+    values:
+      spec:
+        hard:
+          cpu: "*"
+          ephemeral-storage: "*"
+          memory: "*"
diff --git a/multitenancy-benchmarks/require-namespace-quota/README.md b/multitenancy-benchmarks/require-namespace-quota/README.md
@@ -0,0 +1,87 @@
+# Cluster Policy - Require Namespace Quota
+
+## Policy Overview
+This Kubernetes ClusterPolicy, named `require-namespace-quota`, ensures that essential resource quotas (CPU, ephemeral storage, and memory) are properly configured for tenant namespaces. It operates by validating the presence and configuration of ResourceQuota specifically for these critical resources within each namespace.
+
+**Importance**
+
+The importance of this policy lies in its contribution to efficient resource management and maintaining cluster stability. By enforcing proper configuration of resource quotas for essential resources, it helps prevent resource overconsumption, which could lead to performance issues or even cluster failures. Additionally, it promotes better resource allocation practices, ensuring fair usage among tenant namespaces and enhancing overall cluster security.
+
+**Key Annotations:**
+- **Title:** Require ResourceQuota for Essential Resources in Tenant Namespace
+- **Category:** Resource Management
+- **Severity:** Medium
+- **Subject:** ResourceQuota
+- **Kyverno Version:** 1.8.0
+- **Kubernetes Version:** 1.24
+
+**Policy Configuration:**
+- **Validation Failure Action:** Audit (Log violations)
+- **Rules:**
+  - **Name:** ensure-essential-resource-quotas
+  - **Match Conditions:** Applies to ResourceQuota creation operations
+  - **Validation Message:** "Resource quotas for essential resources (CPU, ephemeral storage, and memory) are not properly configured for the tenant namespace"
+  - **Validation Pattern:**
+    - Ensures that quotas are defined for CPU, ephemeral storage, and memory within each tenant namespace.
+
+**Usage**
+
+To apply this policy, deploy it as a Kubernetes ClusterPolicy, specifying the desired validation rules and failure actions. Once applied, the policy will automatically enforce the proper configuration of ResourceQuota for essential resources within tenant namespaces, thereby enhancing resource governance and cluster stability.
+
+## Finding Violations
+
+To identify violations of the `require-namespace-quota` policy, follow these steps:
+
+1. **Check Policy Status:**
+   - Use the following command to view the READY status of Kyverno policies in your cluster:
+     ```bash
+     kubectl get cpol
+     ```
+   - Look for the status of the `require-namespace-quota` policy. If READY status shows `True` or the MESSAGE shows `Ready`, your policy is up and running!
+
+2. **Check Policy Report:**
+   - Use the following command to view the violations if any:
+     ```bash
+     kubectl get cpolr
+     ```
+   - Look for the status of the `require-namespace-quota` policy. If it shows any violations, note the namespace(s) where the violations occurred.
+
+3. **Inspect ResourceQuotas:**
+   - Use the following command to list ResourceQuotas in the namespaces where violations were detected:
+     ```bash
+     kubectl get resourcequota -n <namespace>
+     ```
+   - Review the ResourceQuotas to ensure quotas are properly configured for CPU, ephemeral storage, and memory.
+
+## How to Fix It
+
+To fix violations of the `require-namespace-quota` policy, follow these steps:
+
+1. **Create or Update ResourceQuotas:**
+   - Use Kubernetes manifest format to create or update ResourceQuotas in the affected namespaces. Ensure that ResourceQuotas include configurations for CPU, ephemeral storage, and memory.
+
+2. **Sample ResourceQuota Manifest:**
+   ```yaml
+   apiVersion: v1
+   kind: ResourceQuota
+   metadata:
+     name: example-resourcequota
+   spec:
+     hard:
+       cpu: "2"
+       ephemeral-storage: "1Gi"
+       memory: "2Gi"
+   ```
+
+3. **Apply ResourceQuota Changes:**
+   - Save the ResourceQuota manifest to a file (e.g., `resourcequota.yaml`) and apply the changes to the cluster using the following command:
+     ```bash
+     kubectl apply -f resourcequota.yaml -n <namespace>
+     ```
+
+4. **Verify Compliance:**
+   - After applying the changes, verify that the ResourceQuotas are correctly enforced for CPU, ephemeral storage, and memory in the namespace using the `kubectl describe resourcequota` command.
+
+5. **References:**
+   - For more information on creating and managing ResourceQuotas, refer to the official Kubernetes documentation on [Resource Quotas](https://kubernetes.io/docs/concepts/policy/resource-quotas/).
+   - Find more information about this policy [here]().
diff --git a/multitenancy-benchmarks/require-namespace-quota/require-namespace-quota.yaml b/multitenancy-benchmarks/require-namespace-quota/require-namespace-quota.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-namespace-quota
+spec:
+  validationFailureAction: Audit
+  rules:
+  - name: ensure-essential-resource-quotas
+    match:
+      resources:
+        kinds:
+        - ResourceQuota
+    validate:
+      pattern:
+        spec:
+          hard:
+            cpu: "*"
+            ephemeral-storage: "*"
+            memory: "*"
+      message: "Resource quotas for essential resources (CPU, ephemeral storage, and memory) are not properly configured for the tenant namespace"