github.com/kubewarden/rancher-project-quotas-namespace-validator

# README

WARNING: this policy requires Kubewarden 1.6.0 or later

This policy is meant to be used together with Rancher Manager.

Rancher Manager introduces the concept of a Project. Projects group different Kubernetes Namespaces and can enforce resource quotas across all of them. To learn more about Rancher Projects, check out the official documentation.

The Rancher Manager UI prevents the creation of a Namespace under a given Project once its ResourceQuota is exceeded.

This policy complements Rancher Manager by applying the same set of checks to all requests issued against the Kubernetes API server (for example, via kubectl).

## Settings

This policy does not have any configuration values.

## Example

Create a project under the Rancher Manager UI:

  • Cluster
  • Project/Namespaces
  • Create Project
  • Resource Quota Tab
  • Select "CPU Reservation" from the dropdown
  • Set the Project Limit to 500 and the Namespace Limit to 100
  • Create

Take the cluster ID (e.g., local) and the Project ID (e.g., p-sd7dh), and enter them in the YAML below to create a Namespace under the project with requestsCpu set to 400m.

Create a new Namespace using a definition like the following one:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: one
  annotations:
    field.cattle.io/projectId: local:p-sd7dh
    field.cattle.io/resourceQuota: '{"limit":{"requestsCpu":"400m"}}'
  labels:
    field.cattle.io/projectId: p-sd7dh
```

Create another Namespace which allocates all the remaining quota of requestsCpu:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: two
  annotations:
    field.cattle.io/projectId: local:p-sd7dh
    field.cattle.io/resourceQuota: '{"limit":{"requestsCpu":"100m"}}'
  labels:
    field.cattle.io/projectId: p-sd7dh
```

Now, all the quota of requestsCpu is exhausted inside of the Project.

This policy will prevent the creation of further Namespaces under the project:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: three
  annotations:
    field.cattle.io/projectId: local:p-sd7dh
    field.cattle.io/resourceQuota: '{"limit":{"requestsCpu":"100m"}}'
  labels:
    field.cattle.io/projectId: p-sd7dh
```

This time the Namespace creation will be rejected.
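
The check walked through above can be sketched in Go as follows. This is an added example, not the policy's own code: `validate`, `milliCPU`, and passing the Project's limit and used amount in as strings are assumptions made for illustration, and the quantity parser is a simplified stand-in that handles only integer millicores ("400m") and whole cores ("2").

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

const quotaAnnotation = "field.cattle.io/resourceQuota" // name from the README manifests

// milliCPU converts "400m" or "2" (whole cores) to millicores (simplified parser).
func milliCPU(s string) (int64, error) {
	scale := int64(1000)
	if strings.HasSuffix(s, "m") {
		s, scale = strings.TrimSuffix(s, "m"), 1
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil || n < 0 || n > 1<<40 { // reject malformed, negative or overflow-prone values
		return 0, fmt.Errorf("invalid CPU quantity %q", s)
	}
	return n * scale, nil
}

// validate rejects a Namespace whose annotation requests more requestsCpu than
// the Project has left (limit and used are hypothetical inputs). Fails closed.
func validate(limit, used string, annotations map[string]string) error {
	var q map[string]map[string]string
	if err := json.Unmarshal([]byte(annotations[quotaAnnotation]), &q); err != nil {
		return fmt.Errorf("bad %s annotation: %w", quotaAnnotation, err)
	}
	l, errL := milliCPU(limit)
	u, errU := milliCPU(used)
	w, errW := milliCPU(q["limit"]["requestsCpu"])
	if errL != nil || errU != nil || errW != nil {
		return fmt.Errorf("unparseable quantity in project quota or annotation")
	}
	if w > l-u {
		return fmt.Errorf("requestsCpu %dm exceeds available %dm", w, l-u)
	}
	return nil
}

func main() {
	// Constructed input matching Namespaces "two" and "three" from the README.
	ns := map[string]string{quotaAnnotation: `{"limit":{"requestsCpu":"100m"}}`}
	fmt.Println(validate("500m", "400m", ns), validate("500m", "500m", ns))
}
```

A missing, malformed or negative annotation value is rejected rather than treated as zero, so a request cannot slip past the quota by being unparseable.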

# Constants

RancherProjectAPIVersion is the Kubernetes Group + Version used by the Project resources.
RancherProjectIDAnnotation is the annotation used by Rancher Manager inside of a Namespace object that defines which Project the Namespace belongs to.
RancherProjectKind is the Kubernetes Kind used by the Project resources.
RancherResourceQuotaAnnotation is the annotation used by Rancher Manager inside of a Namespace object.

# Structs

ContainerResourceLimit defines the types of limits that can be set. Taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/resource_quota_types.go.
LookupError is a custom error that provides extra information.
MockWapcClient implements the `host.WapcClient` interface.
MonitoringCondition is taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/monitoring_types.go.
MonitoringStatus is taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/monitoring_types.go.
NamespaceRequestExceedsAvailabilityError is a custom error raised when a namespace requests more resources than available.
NamespaceResourceQuota defines the quota limits applied to the namespace. Taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/resource_quota_types.go.
Project is a Rancher Custom Resource Definition. Taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/authz_types.go.
ProjectCondition contains the conditions of the project. Taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/authz_types.go.
ProjectResourceQuota describes the limit and used limits of a Project. Taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/resource_quota_types.go.
ProjectSpec contains the details of a Rancher Project. Taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/authz_types.go.
ProjectStatus contains the observed status of the project. Taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/authz_types.go.
QuantityParseError is a custom error raised when a string cannot be parsed as a resource.Quantity.
ResourceQuotaLimit defines the types of quotas that can be set. Taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/resource_quota_types.go.
Settings is an empty struct because this policy has no configuration.

# Type aliases

ClusterConditionType is taken from https://github.com/rancher/types/blob/release/v2.4/apis/management.cattle.io/v3/cluster_types.go.
ConditionStatus is a valid condition status.