adaptive-enforcement-lab/kyverno-resource-governance-templates
plugins/enforce/skills/kyverno-resource-governance-templates/SKILL.md
Kyverno resource governance policies enforcing CPU/memory limits, HPA requirements, and storage constraints for Kubernetes workloads.
development
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add adaptive-enforcement-lab/claude-skills kyverno-resource-governance-templatesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 29, 2026, 10:34 AM37.0s13 files scanned
SKILL.md
- name:
- kyverno-resource-governance-templates
- description:
- >-
Kyverno Resource Governance Templates
When to Use This Skill
Resource governance policies prevent overconsumption, enforce autoscaling requirements, and control storage allocation across your cluster.
Resource Limits Prevent Noisy Neighbors
Without resource limits, a single pod can consume all node capacity and starve other workloads. Enforce limits to guarantee fair resource allocation.
When to Apply
Scenario 1: Prevent Unbounded Resource Consumption
Require resource limits on all containers:
# Enforced by: limits.yaml
# Result: All containers must define resources.limits.cpu and resources.limits.memory
# Impact: Prevents single pod from consuming entire node capacity
Scenario 2: Mandate Autoscaling for Production
Require HPA for production Deployments:
# Enforced by: hpa.yaml
# Result: Deployments in prod-* namespaces must have corresponding HPA
# Impact: Ensures production services scale automatically under load
Scenario 3: Control Storage Costs
Restrict PVC size to prevent excessive allocations:
# Enforced by: storage.yaml
# Result: PVCs cannot exceed 100Gi in dev namespaces
# Impact: Prevents accidental provisioning of expensive storage volumes
Implementation
See the full implementation guide in the source documentation.
Techniques
Resource Management Patterns
Resource Quotas vs Limits
Use both mechanisms for defense in depth:
- ResourceQuota - Namespace-level caps (total CPU/memory across all pods)
- LimitRange - Default and max values for individual pods
- Kyverno Policies - Validation and enforcement of resource configuration
Kyverno policies complement quotas by validating workload-level configuration before admission.
Right-Sizing Workloads
Set appropriate resource values to balance cost and reliability:
- Requests too low → Pods scheduled on undersized nodes → OOMKilled
- Requests too high → Wasted capacity → Increased costs
- Limits too low → Pods throttled → Performance degradation
- Limits too high → Noisy neighbor problems → Node instability
Use Vertical Pod Autoscaler (VPA) recommendations to identify optimal values.
Autoscaling Strategies
Choose the right autoscaling mechanism for your workload:
- HPA (Horizontal) - Scale replicas based on CPU/memory/custom metrics
- VPA (Vertical) - Adjust resource requests/limits automatically
- Cluster Autoscaler - Add/remove nodes based on pending pods
Kyverno policies enforce HPA presence and configuration validity.
See reference.md for additional techniques and detailed examples.
Examples
See examples.md for code examples.
Full Reference
See reference.md for complete documentation.
Related Patterns
- Kyverno Templates Overview
- Kyverno Pod Security
- OPA Resource Governance
References
- Source Documentation
- AEL Enforce
Related Skills
adaptive-enforcement-lab/workload-identity-federation-implementation
documentation
VerifiedTrustedCommunity
Workload Identity Federation implementation guide. GKE setup, IAM bindings, ServiceAccount configuration, migration from service account keys, and troubleshooting patterns.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/workflow-trigger-security
development
VerifiedTrustedCommunity
Secure GitHub Actions trigger patterns for pull requests, forks, and reusable workflows. Preventing privilege escalation and code injection through trigger misconfiguration.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/third-party-action-risk-assessment
development
VerifiedTrustedCommunity
Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/storing-credentials
testing
VerifiedTrustedCommunity
Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.
SKILL.mdUpdated Mar 27, 2026