- We create a ClusterPolicy named
all-containers-need-requests-and-limitsthat enforces CPU and memory requests and limits for every container in a Pod. - The policy uses Kyverno pattern wildcards to match any container and require that the resource fields exist and are non-empty.
- The policy targets Pod resources via
matchand applies a pattern tospec.containers. - Using
- name: "*"applies the pattern to every element in thecontainerslist. - The
?*wildcard is applied to string fields to require presence and non-empty values (we are not validating format, only that some value exists).
In Kyverno patterns, using
?* on a string field ensures the field is present and contains at least one character (examples: 100m, 128Mi). Use this when you need to validate presence without enforcing a specific value format.This policy uses
validationFailureAction: enforce, so requests that violate the rule are rejected by the admission webhook. During development, consider validationFailureAction: audit if you want to observe violations without blocking resources.- The policy pattern requires
limits.memory,limits.cpu,requests.memory, andrequests.cputo be present and non-empty for every container. - The example pod lacked the
resourcesblock entirely, so Kyverno denied creation and returned the policy message.
- The pod was created successfully because each container included all four resource fields (
requests.cpu,requests.memory,limits.cpu,limits.memory) and each value matched the?*requirement (non-empty string).
- Use
- name: "*"to apply a pattern to every element in a list (e.g., every container). - Use
?*on string fields to require that they exist and are non-empty without enforcing a specific format. - Use
validationFailureAction: enforceto actively block invalid resources; useauditto log violations without blocking during policy rollout. - This pattern avoids per-container rules and enforces resource declarations cluster-wide with a single, maintainable policy.