Add tier-based resource governance via Kyverno [ci skip]

Four layers of noisy-neighbor protection using existing tier system: - PriorityClasses (tier-0-core through tier-4-aux) - LimitRange defaults auto-generated per namespace tier - ResourceQuotas auto-generated per namespace tier - PriorityClassName injection on pods via Kyverno mutate Custom quota overrides for monitoring and crowdsec namespaces which exceed the default tier quotas.
2026-02-15 18:48:33 +00:00 · 2026-02-15 18:48:33 +00:00 · 4d9b8242e8
commit 4d9b8242e8
parent 2bae6ccce3
4 changed files with 789 additions and 2 deletions
--- a/modules/kubernetes/monitoring/main.tf
+++ b/modules/kubernetes/monitoring/main.tf
@ -21,7 +21,8 @@ resource "kubernetes_namespace" "monitoring" {
    name = "monitoring"
    labels = {
      "istio-injection" : "disabled"
-      tier = var.tier
+      tier                               = var.tier
+      "resource-governance/custom-quota" = "true"
    }
  }
 }
@ -181,3 +182,20 @@ resource "kubernetes_ingress_v1" "status_yotovski" {
  }
 }

+# Custom ResourceQuota for monitoring — larger than the default 1-cluster tier quota
+# because monitoring runs 29+ pods (Prometheus, Grafana, Loki, Alloy, exporters, etc.)
+resource "kubernetes_resource_quota" "monitoring" {
+  metadata {
+    name      = "monitoring-quota"
+    namespace = kubernetes_namespace.monitoring.metadata[0].name
+  }
+  spec {
+    hard = {
+      "requests.cpu"    = "16"
+      "requests.memory" = "16Gi"
+      "limits.cpu"      = "64"
+      "limits.memory"   = "128Gi"
+      pods              = "100"
+    }
+  }
+}