Add ResourceQuota plugin configuration (#11814)
This enables [configuration](https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default) of the [ResourceQuota AdmissionController plugin](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#resourcequota). The configuration file will be empty by default when no limitedResources are set.
chadswen authored Dec 19, 2024
1 parent bf70335 commit 2fbf480
Showing 3 changed files with 20 additions and 0 deletions.
11 changes: 11 additions & 0 deletions roles/kubernetes/control-plane/defaults/main/main.yml
@@ -107,6 +107,7 @@ kube_apiserver_admission_control_config_file: false
# cache_size: <cache_size_value>
kube_apiserver_admission_event_rate_limits: {}

## PodSecurityAdmission plugin configuration
kube_pod_security_use_default: false
kube_pod_security_default_enforce: baseline
kube_pod_security_default_enforce_version: "{{ kube_major_version }}"
@@ -119,6 +120,16 @@ kube_pod_security_exemptions_runtime_class_names: []
kube_pod_security_exemptions_namespaces:
- kube-system

## ResourceQuota plugin configuration
## Resources that ResourceQuota should limit by default if no quota exists
## Example below enforces quota on all storage classes
# kube_resource_quota_limited_resources:
# - apiGroup: ""
# resource: persistentvolumeclaims
# matchContains:
# - .storageclass.storage.k8s.io/requests.storage
kube_resource_quota_limited_resources: []

# 1.10+ list of disabled admission plugins
kube_apiserver_disable_admission_plugins: []

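Review bot: The comment block above `kube_resource_quota_limited_resources` does not say what else must be set for the list to take effect, or what enforcement looks like once it does. The hunk context shows `kube_apiserver_admission_control_config_file: false` as the default and the wiring that consumes this variable is outside the hunk, so presumably the list is ignored unless that switch is true and ResourceQuota is among the enabled admission plugins; this should be confirmed and written down, because an operator who sets only this variable would otherwise believe a limit is in force when it is not. The comment should also state that a matching request is rejected in any namespace without a covering ResourceQuota object, since that is a deny-by-default change for existing namespaces. Suggested lines: `## Only used when kube_apiserver_admission_control_config_file is true and ResourceQuota is an enabled admission plugin` and `## Matching requests are denied in namespaces that have no covering ResourceQuota`.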
@@ -0,0 +1,8 @@
apiVersion: apiserver.config.k8s.io/v1
kind: ResourceQuotaConfiguration
{% if kube_resource_quota_limited_resources | d(false) -%}
limitedResources:
{{ kube_resource_quota_limited_resources | to_nice_yaml(indent=2, sort_keys=false) }}
{% else %}
# No limitedResources configured. If limitedResources are required, please set kube_resource_quota_limited_resources.
{%- endif %}
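Review bot: The `to_nice_yaml` line writes `kube_resource_quota_limited_resources` under `limitedResources:` without checking that it is a list of mappings. If an operator supplies a single mapping (forgetting the leading `-`) or a string, the rendered document would have a null `limitedResources` followed by stray top-level content. Depending on how the API server decodes the file, that would either stop it from starting or leave the intended limit silently unenforced. A validation task that fails early is safer than relying on the rendered output, for example an assert on `kube_resource_quota_limited_resources is iterable and kube_resource_quota_limited_resources is not string and kube_resource_quota_limited_resources is not mapping`. Whether the role already has a suitable preflight location for such a check is not visible from this page.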
1 change: 1 addition & 0 deletions roles/kubernetes/control-plane/vars/main.yaml
@@ -6,3 +6,4 @@ kube_apiserver_admission_plugins_needs_configuration:
- ImagePolicyWebhook
- PodSecurity
- PodNodeSelector
- ResourceQuota
