Add tier-based resource governance via Kyverno [ci skip]

Four layers of noisy-neighbor protection using existing tier system: - PriorityClasses (tier-0-core through tier-4-aux) - LimitRange defaults auto-generated per namespace tier - ResourceQuotas auto-generated per namespace tier - PriorityClassName injection on pods via Kyverno mutate Custom quota overrides for monitoring and crowdsec namespaces which exceed the default tier quotas.
2026-02-15 18:48:33 +00:00 · 2026-02-15 18:48:33 +00:00 · 4d9b8242e8
commit 4d9b8242e8
parent 2bae6ccce3
4 changed files with 789 additions and 2 deletions
--- a/modules/kubernetes/crowdsec/main.tf
+++ b/modules/kubernetes/crowdsec/main.tf
@ -19,7 +19,8 @@ resource "kubernetes_namespace" "crowdsec" {
  metadata {
    name = "crowdsec"
    labels = {
-      tier = var.tier
+      tier                               = var.tier
+      "resource-governance/custom-quota" = "true"
    }
  }
 }
@ -332,3 +333,20 @@ resource "kubernetes_role_binding" "blocklist_import" {
  }
 }

+# Custom ResourceQuota for CrowdSec — needs more than default 1-cluster quota
+# because it runs DaemonSet agents (1 per worker node) + 3 LAPI replicas + web UI
+resource "kubernetes_resource_quota" "crowdsec" {
+  metadata {
+    name      = "crowdsec-quota"
+    namespace = kubernetes_namespace.crowdsec.metadata[0].name
+  }
+  spec {
+    hard = {
+      "requests.cpu"    = "8"
+      "requests.memory" = "8Gi"
+      "limits.cpu"      = "16"
+      "limits.memory"   = "16Gi"
+      pods              = "30"
+    }
+  }
+}