Add ResourceQuota plugin configuration (#11814)

This enables [configuration](https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default) of the [ResourceQuota AdmissionController plugin](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#resourcequota). The configuration file will be empty by default when no limitedResources are set.
2026-01-16 04:10:47 -03:30 · 2024-12-19 11:12:09 -06:00 · 2024-12-19 11:12:09 -06:00 · 2fbf4806ed
commit 2fbf4806ed
parent bf70335493
3 changed files with 20 additions and 0 deletions
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@ -107,6 +107,7 @@ kube_apiserver_admission_control_config_file: false
 #   cache_size: <cache_size_value>
 kube_apiserver_admission_event_rate_limits: {}

+## PodSecurityAdmission plugin configuration
 kube_pod_security_use_default: false
 kube_pod_security_default_enforce: baseline
 kube_pod_security_default_enforce_version: "{{ kube_major_version }}"
@ -119,6 +120,16 @@ kube_pod_security_exemptions_runtime_class_names: []
 kube_pod_security_exemptions_namespaces:
  - kube-system

+## ResourceQuota plugin configuration
+## Resources that ResourceQuota should limit by default if no quota exists
+## Example below enforces quota on all storage classes
+# kube_resource_quota_limited_resources:
+# - apiGroup: ""
+#   resource: persistentvolumeclaims
+#   matchContains:
+#   - .storageclass.storage.k8s.io/requests.storage
+kube_resource_quota_limited_resources: []
+
 # 1.10+ list of disabled admission plugins
 kube_apiserver_disable_admission_plugins: []

--- a/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/resourcequota.yaml.j2
@ -0,0 +1,8 @@
+apiVersion: apiserver.config.k8s.io/v1
+kind: ResourceQuotaConfiguration
+{% if kube_resource_quota_limited_resources | d(false) -%}
+limitedResources:
+{{ kube_resource_quota_limited_resources | to_nice_yaml(indent=2, sort_keys=false) }}
+{% else %}
+# No limitedResources configured. If limitedResources are required, please set kube_resource_quota_limited_resources.
+{%- endif %}
--- a/roles/kubernetes/control-plane/vars/main.yaml
+++ b/roles/kubernetes/control-plane/vars/main.yaml
@ -6,3 +6,4 @@ kube_apiserver_admission_plugins_needs_configuration:
 - ImagePolicyWebhook
 - PodSecurity
 - PodNodeSelector
+- ResourceQuota