Enforcing memory constraints
So far in this chapter, we've built policies that are self-contained. When checking whether an image is coming from a pre-authorized registry, the only data we needed was from the policy and the containers. This is often not enough information to make a policy decision. In this section, we'll work on building a policy that relies on other objects in your cluster to make policy decisions.
Before diving into the implementation, let's talk about the use case. It's a good idea to include at least memory requirements on any
Pod submitted to the API server. There are certain namespaces though where this doesn't make as much sense. For instance, many of the containers in the
kube-system namespace don't have CPU and memory resource requests.
There are multiple ways we could handle this. One way is to deploy a constraint template and apply it to every namespace we want to enforce memory resource requests on. This can lead to...