From 23556ae232748a2850ef71eb7bc66d4bbe6b3f01 Mon Sep 17 00:00:00 2001
From: auricom <27022259+auricom@users.noreply.github.com>
Date: Tue, 14 Mar 2023 22:56:32 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A7=20kyverno?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../kyverno/policies/delete-cpu-limits.yaml | 66 +++++++++----------
1 file changed, 30 insertions(+), 36 deletions(-)
diff --git a/kubernetes/apps/kyverno/kyverno/policies/delete-cpu-limits.yaml b/kubernetes/apps/kyverno/kyverno/policies/delete-cpu-limits.yaml
index 2866f6523..f89e42e55 100644
--- a/kubernetes/apps/kyverno/kyverno/policies/delete-cpu-limits.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/delete-cpu-limits.yaml
@@ -3,50 +3,44 @@ apiVersion: kyverno.io/v1 kind: ClusterPolicy metadata: - name: delete-cpu-limits + name: remove-cpu-limit annotations: - policies.kyverno.io/title: Delete CPU limits + policies.kyverno.io/title: Remove CPU limits + policies.kyverno.io/category: Best Practices policies.kyverno.io/subject: Pod policies.kyverno.io/description: >- - This policy deletes CPU limits from all Pods. + This policy removes CPU limits from all Pods. + pod-policies.kyverno.io/autogen-controllers: none spec: mutateExistingOnPolicyUpdate: true generateExistingOnPolicyUpdate: true rules: - - name: delete-cpu-limits + - name: remove-containers-cpu-limits match: any: - resources: - kinds: ["Pod"] - exclude: - any: - # - resources: - # namespaces: - # - calico-system - # - tigera-operator - - resources: - kinds: ["Pod"] - selector: - matchLabels: - job-name: "*" - - resources: - kinds: ["Pod"] - selector: - matchLabels: - statefulset.kubernetes.io/pod-name: "*" - - resources: - annotations: - kyverno.io/ignore: "true" + kinds: + - Pod mutate: - patchStrategicMerge: - spec: - initContainers: - - (name): "*" - resources: - limits: - cpu: null - containers: - - (name): "*" - resources: - limits: - cpu: null + foreach: + - list: "request.object.spec.containers" + patchesJson6902: |- + - path: /spec/containers/{{elementIndex}}/resources/limits/cpu + op: remove + - name: delete-initcontainers-cpu-limits + match: + any: + - resources: + kinds: + - Pod + preconditions: + all: + - key: "{{ request.object.spec.initContainers[] || `[]` | length(@) }}" + operator: GreaterThanOrEquals + value: 1 + mutate: + foreach: + - list: "request.object.spec.initContainers" + patchesJson6902: |- + - path: /spec/initContainers/{{elementIndex}}/resources/limits/cpu + op: remove
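Review bot: Both new rules match every Pod with no `exclude` block, so the `kyverno.io/ignore: "true"` opt-out that the old rule honoured is gone and CPU limits are now stripped cluster-wide, including from workloads where a limit is a deliberate guard against CPU exhaustion by a noisy or misbehaving container. Pods whose requests equalled their limits also stop qualifying for the Guaranteed QoS class once the CPU limit is removed at admission. If the wider scope is intended, a comment at the top of the policy saying so would help the next reader; otherwise keep the annotation exclude on both `remove-containers-cpu-limits` and `delete-initcontainers-cpu-limits`, as sketched below. The two rule names also mix `remove-` and `delete-` although the policy itself was renamed to `remove-cpu-limit`.

```yaml
    # … unchanged: rule name and match block (applies to both rules) …
      exclude:
        any:
          - resources:
              annotations:
                kyverno.io/ignore: "true"
    # … unchanged: preconditions (initContainers rule only) and mutate.foreach …
```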