
Ensure that project templates autocreate Resource Quotas

An XCCDF Rule

Description

Configure a template for newly created projects to use default resource quotas and make sure this template is referenced from the default project template. For more information, follow the relevant documentation.

Warning

This rule's check operates on the cluster configuration dump. Therefore, you need to use a tool that can query the OCP API to retrieve the following:
  • the /apis/template.openshift.io/v1/namespaces/openshift-config/templates API endpoint. Filter the response with the jq utility using the filter [.items[] | any(.objects[]?; .kind == "ResourceQuota") ] and persist the result to the local /apis/template.openshift.io/v1/namespaces/openshift-config/templates#e60f58ef612a182073e9f6fe0ebe9ea96a706422dc65572af8d6aa9839d94f61 file.
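The jq filter above yields one boolean per template in openshift-config. The following is an added example, not part of the rule's own content: it reproduces that filter in Python over a constructed TemplateList and additionally checks that the template named in the cluster Project configuration is one that carries a ResourceQuota. The sample data, the function names, and the use of spec.projectRequestTemplate.name from project.config.openshift.io/cluster as the reference to verify are assumptions of this example.

```python
import json

# Constructed sample of the TemplateList returned by
# /apis/template.openshift.io/v1/namespaces/openshift-config/templates
SAMPLE_TEMPLATES = json.loads("""
{
  "kind": "TemplateList",
  "items": [
    {"metadata": {"name": "project-request"},
     "objects": [
       {"kind": "Project", "metadata": {"name": "${PROJECT_NAME}"}},
       {"kind": "ResourceQuota", "metadata": {"name": "default-quota"},
        "spec": {"hard": {"pods": "10", "requests.cpu": "4"}}}
     ]},
    {"metadata": {"name": "no-quota"},
     "objects": [{"kind": "Project", "metadata": {"name": "${PROJECT_NAME}"}}]},
    {"metadata": {"name": "empty"}}
  ]
}
""")

# Constructed sample of project.config.openshift.io/cluster (assumed input)
SAMPLE_PROJECT_CONFIG = {"spec": {"projectRequestTemplate": {"name": "project-request"}}}


def quota_flags(template_list):
    """Equivalent of: [.items[] | any(.objects[]?; .kind == "ResourceQuota")]"""
    flags = []
    for tpl in template_list.get("items") or []:
        # Like jq's `?`, tolerate templates with a missing or null objects list.
        objects = tpl.get("objects") or []
        flags.append(any(isinstance(o, dict) and o.get("kind") == "ResourceQuota"
                         for o in objects))
    return flags


def referenced_template_has_quota(template_list, project_config):
    """True only if the referenced project template defines a ResourceQuota."""
    ref = (project_config.get("spec") or {}).get("projectRequestTemplate") or {}
    name = ref.get("name")
    if not name:
        return False  # no custom template referenced; the built-in default applies
    items = template_list.get("items") or []
    for tpl, has_quota in zip(items, quota_flags(template_list)):
        if (tpl.get("metadata") or {}).get("name") == name:
            return has_quota
    return False  # referenced template is absent from openshift-config
```

A template that contains a ResourceQuota but is not the one referenced by the Project configuration makes the filter output contain true while new projects still get no quota, which is why the second function checks the reference as well.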

Rationale

Running different applications on the same Kubernetes cluster creates a risk of a "noisy neighbor" when one application monopolizes cluster resources. A resource quota, defined by a ResourceQuota object, provides constraints that limit aggregate resource consumption per project. It can limit the quantity of objects that can be created in a project by type, as well as the total amount of compute resources and storage that might be consumed by resources in that project. When the project configuration references a project template that sets up the required objects for new projects, all new projects are set up in accordance with centralized settings.

ID
xccdf_org.ssgproject.content_rule_project_template_resource_quota
Severity
Medium



Remediation - Kubernetes Patch

---
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  creationTimestamp: null
  name: co-project-request