The ResourceQuota object definition uses limits keys that contain dots, and there is an issue getting the value of the limits:

policy.rego

    package main

    deny_incorrect_memory_unit[msg] {
      input.kind == "ResourceQuota"
      memoryLimit := input.spec.hard.limits.memory
      not regex.match("^[0-9]+M$", memoryLimit)
      msg := sprintf("%s: Incorrect value %s. Memory Limit in ResourceQuota must be defined in Megabytes (M) unit", [input.metadata.namespace, memoryLimit])
    }

resource-quota.yaml

    apiVersion: v1
    kind: ResourceQuota
    metadata:
      name: app
      namespace: backend
    spec:
      hard:
        pods: 1
        limits.cpu: 3
        limits.memory: "1G"

In the above example the test finishes with success, despite the wrong unit in limits.memory. After replacing the YAML file with the structure below (which is not supported by k8s), the test finishes with the expected result, a failure:

    spec:
      hard:
        pods: 1
        limits:
          cpu: 3
          memory: "1G"
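
The lookup described above, as an added example that is not part of the original post: `limits.memory` is a single literal key of `spec.hard`, so it is read with bracket notation, while the dotted path refers to a nested object that is absent and leaves the rule body undefined (no denial). The `memory_keys` set, the `deny_missing_memory_limit` rule and the test rule are assumptions made for this example, written in the same pre-1.0 Rego syntax the post uses.

```rego
package main

# Added example, not the poster's code.
# Keys of spec.hard that carry a memory quantity (assumed set for this example).
memory_keys := {"limits.memory", "requests.memory"}

deny_incorrect_memory_unit[msg] {
    input.kind == "ResourceQuota"
    memory_keys[key]

    # Bracket lookup: the dot is part of the key name, not a path separator.
    value := input.spec.hard[key]

    # %v keeps the check working if the quantity was written as a bare number.
    not regex.match("^[0-9]+M$", sprintf("%v", [value]))
    msg := sprintf("%s: Incorrect value %v for %s. Memory in ResourceQuota must be defined in Megabytes (M) unit", [input.metadata.namespace, value, key])
}

# Fail closed (policy choice assumed for this example): a quota with no
# limits.memory key is reported instead of passing because the reference
# is undefined.
deny_missing_memory_limit[msg] {
    input.kind == "ResourceQuota"
    not input.spec.hard["limits.memory"]
    msg := sprintf("%s: ResourceQuota does not define limits.memory", [input.metadata.namespace])
}

# Constructed input mirroring resource-quota.yaml from the post.
test_flat_key_is_checked {
    quota := {
        "kind": "ResourceQuota",
        "metadata": {"name": "app", "namespace": "backend"},
        "spec": {"hard": {"pods": 1, "limits.cpu": 3, "limits.memory": "1G"}},
    }
    count(deny_incorrect_memory_unit) == 1 with input as quota
    count(deny_missing_memory_limit) == 0 with input as quota
}
```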