security: specify a storage limit for containers (#6259)

Signed-off-by: zhangzujian <zhangzujian.7@gmail.com>

Author: zhangzujian

charts/kube-ovn-v2/templates/hooks/post-delete-hook.yaml

@@ -120,6 +120,14 @@ spec:
             - sh
             - -c
             - /kube-ovn/remove-finalizer.sh 2>&1 | tee -a /var/log/kube-ovn/remove-finalizer.log
+          resources:
+            requests:
+              cpu: 100m
+              memory: 200Mi
+            limits:
+              cpu: 1
+              memory: 500Mi
+              ephemeral-storage: 1Gi
           volumeMounts:
             - mountPath: /var/log/kube-ovn
               name: kube-ovn-log

charts/kube-ovn-v2/templates/ic/ic-controller-deploy.yaml

@@ -103,6 +103,7 @@ spec:
             limits:
               cpu: 3
               memory: 1Gi
+              ephemeral-storage: 1Gi
           volumeMounts:
             - mountPath: /var/run/ovn
               name: host-run-ovn

charts/kube-ovn-v2/values.yaml

@@ -375,6 +375,7 @@ ovsOvn:
     limits:
       cpu: "2"
       memory: "1000Mi"
+      ephemeral-storage: 1Gi
 
   # -- ovs-ovn DaemonSet update strategy.
   # ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/#daemonset-update-strategy
@@ -427,6 +428,7 @@ ovsOvn:
         hugepages-2Mi: 1Gi
         cpu: "2"
         memory: "1000Mi"
+        ephemeral-storage: 1Gi
 
 # -- Configuration for kube-ovn-speaker, the BGP speaker announcing routes to the external world.
 # @section -- BGP speaker configuration
@@ -509,6 +511,7 @@ pinger:
     limits:
       cpu: "200m"
       memory: "400Mi"
+      ephemeral-storage: 1Gi
 
   # -- kube-ovn-pinger metrics configuration.
   # @section -- Ping daemon configuration
@@ -577,6 +580,7 @@ monitor:
     limits:
       cpu: "200m"
       memory: "200Mi"
+      ephemeral-storage: 1Gi
 
   # -- kube-ovn-monitor metrics configuration.
   # @section -- OVN monitoring daemon configuration
@@ -619,6 +623,7 @@ controller:
     limits:
       cpu: "1000m"
       memory: "1Gi"
+      ephemeral-storage: 1Gi
 
   # -- Controller metrics configuration.
   # @section -- Kube-OVN controller configuration
@@ -661,6 +666,7 @@ central:
     limits:
       cpu: "3"
       memory: "4Gi"
+      ephemeral-storage: 1Gi
 
   # -- ""
   # @section -- OVN-central daemon configuration.
@@ -738,6 +744,7 @@ agent:
     limits:
       cpu: "1000m"
       memory: "1Gi"
+      ephemeral-storage: 1Gi
 
   # -- Agent metrics configuration.
   # @section -- CNI agent configuration

charts/kube-ovn/templates/central-deploy.yaml

@@ -122,6 +122,7 @@ spec:
             limits:
               cpu: {{ index .Values "ovn-central" "limits" "cpu" }}
               memory: {{ index .Values "ovn-central" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "ovn-central" "limits" "ephemeral-storage" }}
           volumeMounts:
             - mountPath: /var/run/ovn
               name: host-run-ovn

charts/kube-ovn/templates/controller-deploy.yaml

@@ -218,6 +218,7 @@ spec:
             limits:
               cpu: {{ index .Values "kube-ovn-controller" "limits" "cpu" }}
               memory: {{ index .Values "kube-ovn-controller" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "kube-ovn-controller" "limits" "ephemeral-storage" }}
       nodeSelector:
         kubernetes.io/os: "linux"
       volumes:

charts/kube-ovn/templates/ic-controller-deploy.yaml

@@ -100,6 +100,7 @@ spec:
             limits:
               cpu: 3
               memory: 1Gi
+              ephemeral-storage: 1Gi
           volumeMounts:
             - mountPath: /var/run/ovn
               name: host-run-ovn

charts/kube-ovn/templates/monitor-deploy.yaml

@@ -110,6 +110,7 @@ spec:
             limits:
               cpu: {{ index .Values "kube-ovn-monitor" "limits" "cpu" }}
               memory: {{ index .Values "kube-ovn-monitor" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "kube-ovn-monitor" "limits" "ephemeral-storage" }}
           volumeMounts:
             - mountPath: /var/run/ovn
               name: host-run-ovn

charts/kube-ovn/templates/ovncni-ds.yaml

@@ -227,6 +227,7 @@ spec:
           limits:
             cpu: {{ index .Values "kube-ovn-cni" "limits" "cpu" }}
             memory: {{ index .Values "kube-ovn-cni" "limits" "memory" }}
+            ephemeral-storage: {{ index .Values "kube-ovn-cni" "limits" "ephemeral-storage" }}
       nodeSelector:
         kubernetes.io/os: "linux"
       volumes:

charts/kube-ovn/templates/ovsovn-ds.yaml

@@ -173,6 +173,7 @@ spec:
             limits:
               cpu: {{ index .Values "ovs-ovn" "limits" "cpu" }}
               memory: {{ index .Values "ovs-ovn" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "ovs-ovn" "limits" "ephemeral-storage" }}
       nodeSelector:
         kubernetes.io/os: "linux"
       volumes:

charts/kube-ovn/templates/pinger-ds.yaml

@@ -133,6 +133,7 @@ spec:
             limits:
               cpu: {{ index .Values "kube-ovn-pinger" "limits" "cpu" }}
               memory: {{ index .Values "kube-ovn-pinger" "limits" "memory" }}
+              ephemeral-storage: {{ index .Values "kube-ovn-pinger" "limits" "ephemeral-storage" }}
           livenessProbe:
             httpGet:
               path: /metrics