kubescape
diff --git a/‎README.md
+4 b/‎README.md
+4
diff --git a/‎controls/C-0050/policy.yaml
+6-6 b/‎controls/C-0050/policy.yaml
+6-6
diff --git a/‎controls/C-0268/policy.yaml
+48 b/‎controls/C-0268/policy.yaml
+48
diff --git a/‎controls/C-0268/tests.json
+40 b/‎controls/C-0268/tests.json
+40
diff --git a/‎controls/C-0269/policy.yaml
+48 b/‎controls/C-0269/policy.yaml
+48
diff --git a/‎controls/C-0269/tests.json
+40 b/‎controls/C-0269/tests.json
+40
diff --git a/‎controls/C-0270/policy.yaml
+48 b/‎controls/C-0270/policy.yaml
+48
diff --git a/‎controls/C-0270/tests.json
+40 b/‎controls/C-0270/tests.json
+40
diff --git a/‎controls/C-0271/policy.yaml
+48 b/‎controls/C-0271/policy.yaml
+48
@@ -76,6 +76,10 @@ kubectl -n policy-example run nginx --image=nginx --restart=Never
 | [C-0076](https://hub.armosec.io/docs/c-0076) | Label usage for resources | [kubescape-c-0076-deny-resources-without-configured-list-of-labels-not-set](/docs/policies-based-on-kubescape-controls/kubescape-c-0076-deny-resources-without-configured-list-of-labels-not-set.md) | [recommendedLabels](https://hub.armosec.io/docs/configuration_parameter_recommendedlabels) |
 | [C-0077](https://hub.armosec.io/docs/c-0077) | K8s common labels usage | [kubescape-c-0077-deny-resources-without-configured-list-of-k8s-common-labels-not-set](/docs/policies-based-on-kubescape-controls/kubescape-c-0077-deny-resources-without-configured-list-of-k8s-common-labels-not-set.md) | [k8sRecommendedLabels](https://hub.armosec.io/docs/configuration_parameter_k8srecommendedlabels) |
 | [C-0078](https://hub.armosec.io/docs/c-0078) | Images from allowed registry | [kubescape-c-0078-only-allow-images-from-allowed-registry](/docs/policies-based-on-kubescape-controls/kubescape-c-0078-only-allow-images-from-allowed-registry.md) | [imageRepositoryAllowList](https://hub.armosec.io/docs/configuration_parameter_imagerepositoryallowlist) |
+| [C-0268](https://hub.armosec.io/docs/c-0268) | Ensure CPU requests are set | [kubescape-c-0268-deny-resources-with-cpu-request-not-set](/docs/policies-based-on-kubescape-controls/kubescape-c-0268-deny-resources-with-cpu-request-not-set.md) | [cpuRequestMin](https://hub.armosec.io/docs/configuration_parameter_cpurequestmin) |
+| [C-0269](https://hub.armosec.io/docs/c-0269) | Ensure memory requests are set | [kubescape-c-0269-deny-resources-with-memory-request-not-set](/docs/policies-based-on-kubescape-controls/kubescape-c-0269-deny-resources-with-memory-request-not-set.md) | [memoryRequestMin](https://hub.armosec.io/docs/configuration_parameter_memoryrequestmin) |
+| [C-0270](https://hub.armosec.io/docs/c-0270) | Ensure CPU limits are set | [kubescape-c-0270-deny-resources-with-cpu-limit-not-set](/docs/policies-based-on-kubescape-controls/kubescape-c-0270-deny-resources-with-cpu-limit-not-set.md) | [cpuLimitMin](https://hub.armosec.io/docs/configuration_parameter_cpulimitmin) |
+| [C-0271](https://hub.armosec.io/docs/c-0271) | Ensure memory limits are set | [kubescape-c-0271-deny-resources-with-memory-limit-not-set](/docs/policies-based-on-kubescape-controls/kubescape-c-0271-deny-resources-with-memory-limit-not-set.md) | [memoryLimitMin](https://hub.armosec.io/docs/configuration_parameter_memorylimitmin) |
 
 ## Testing Policies
 
 
@@ -28,26 +28,26 @@ spec:
   validations:
     - expression: >
         object.kind != 'Pod' || object.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
-        params.settings.cpuLimitMin <= int(container.resources.requests.cpu) &&
-        params.settings.cpuLimitMax >= int(container.resources.requests.cpu)) &&
+        params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuRequestMax >= int(container.resources.requests.cpu)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
         params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
         params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
       message: "Pods contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"
 
     - expression: >
         ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
-        params.settings.cpuLimitMin <= int(container.resources.requests.cpu) &&
-        params.settings.cpuLimitMax >= int(container.resources.requests.cpu)) &&
+        params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuRequestMax >= int(container.resources.requests.cpu)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
         params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
         params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
       message: "Workloads contains container/s with cpu limit or request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0050)"
 
     - expression: >
         object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container, (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
-        params.settings.cpuLimitMin <= int(container.resources.requests.cpu) &&
-        params.settings.cpuLimitMax >= int(container.resources.requests.cpu)) &&
+        params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuRequestMax >= int(container.resources.requests.cpu)) &&
         (!(!(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
         params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
         params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
 
@@ -0,0 +1,48 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0268-deny-resources-with-cpu-request-not-set"
+  labels:
+    controlId: "C-0268"
+  annotations:
+    controlUrl: "https://hub.armosec.io/docs/c-0268"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: ControlConfiguration
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: >
+        object.kind != 'Pod' || object.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
+        params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuRequestMax >= int(container.resources.requests.cpu)))
+      message: "Pods contains container/s with cpu request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0268)"
+
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
+        params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuRequestMax >= int(container.resources.requests.cpu)))
+      message: "Workloads contains container/s with cpu request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0268)"
+
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.cpu))) &&
+        params.settings.cpuRequestMin <= int(container.resources.requests.cpu) &&
+        params.settings.cpuRequestMax >= int(container.resources.requests.cpu)))
+      message: "CronJob contains container/s with cpu request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0268)"
@@ -0,0 +1,40 @@
+[
+    {
+        "name": "Pod with container having cpu request not set is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [ 
+        ]
+    },
+    {
+        "name": "Pod with container having cpu request set and value in the limit is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.cpu=3"
+        ]
+    },
+    {
+        "name": "Pod with container having cpu request set and value not in the limit is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.cpu=6"
+        ]
+    },
+    {
+        "name": "Deployment with container having cpu request not set is blocked",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [ 
+        ]
+    },
+    {
+        "name": "Deployment with container having cpu request set and value in the limit is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].resources.requests.cpu=3"
+        ]
+    }
+]
@@ -0,0 +1,48 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0269-deny-resources-with-memory-request-not-set"
+  labels:
+    controlId: "C-0269"
+  annotations:
+    controlUrl: "https://hub.armosec.io/docs/c-0269"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: ControlConfiguration
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: >
+        object.kind != 'Pod' || object.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
+        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
+        params.settings.memoryRequestMax >= int(container.resources.requests.memory)))
+      message: "Pods contains container/s with memory request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0269)"
+
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
+        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
+        params.settings.memoryRequestMax >= int(container.resources.requests.memory)))
+      message: "Workloads contains container/s with memory request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0269)"
+
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.requests)) || !(has(container.resources.requests.memory))) &&
+        params.settings.memoryRequestMin <= int(container.resources.requests.memory) &&
+        params.settings.memoryRequestMax >= int(container.resources.requests.memory)))
+      message: "CronJob contains container/s with memory request not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0269)"
@@ -0,0 +1,40 @@
+[
+    {
+        "name": "Pod with container having memory request not set is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+        ]
+    },
+    {
+        "name": "Pod with container having memory request set and value in the limit is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.memory=128"
+        ]
+    },
+    {
+        "name": "Pod with container having memory request set and value not in the limit is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].resources.requests.memory=512"
+        ]
+    },
+    {
+        "name": "Deployment with container having memory request not set is blocked",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [ 
+        ]
+    },
+    {
+        "name": "Deployment with container having memory request set and value in the limit is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].resources.requests.memory=128"
+        ]
+    }
+]
@@ -0,0 +1,48 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0270-deny-resources-with-cpu-limit-not-set"
+  labels:
+    controlId: "C-0270"
+  annotations:
+    controlUrl: "https://hub.armosec.io/docs/c-0270"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: ControlConfiguration
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: >
+        object.kind != 'Pod' || object.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
+        params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
+      message: "Pods contains container/s with cpu limit not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0270)"
+
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
+        params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
+      message: "Workloads contains container/s with cpu limit not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0270)"
+
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.limits)) || !(has(container.resources.limits.cpu))) &&
+        params.settings.cpuLimitMin <= int(container.resources.limits.cpu) &&
+        params.settings.cpuLimitMax >= int(container.resources.limits.cpu)))
+      message: "CronJob contains container/s with cpu limit not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0270)"
@@ -0,0 +1,40 @@
+[
+    {
+        "name": "Pod with container having cpu limits not set is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [ 
+        ]
+    },
+    {
+        "name": "Pod with container having cpu limits set and value in the limit is allowed",
+        "template": "pod.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.containers.[0].resources.limits.cpu=3"
+        ]
+    },
+    {
+        "name": "Pod with container having cpu limits set and value not in the limit is blocked",
+        "template": "pod.yaml",
+        "expected": "fail",
+        "field_change_list": [
+            "spec.containers.[0].resources.limits.cpu=6"
+        ]
+    },
+    {
+        "name": "Deployment with container having cpu limits not set is blocked",
+        "template": "deployment.yaml",
+        "expected": "fail",
+        "field_change_list": [ 
+        ]
+    },
+    {
+        "name": "Deployment with container having cpu limits set and value in the limit is allowed",
+        "template": "deployment.yaml",
+        "expected": "pass",
+        "field_change_list": [
+            "spec.template.spec.containers.[0].resources.limits.cpu=3"
+        ]
+    }
+]
@@ -0,0 +1,48 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+  name: "kubescape-c-0271-deny-resources-with-memory-limit-not-set"
+  labels:
+    controlId: "C-0271"
+  annotations:
+    controlUrl: "https://hub.armosec.io/docs/c-0271"
+spec:
+  failurePolicy: Fail
+  paramKind:
+    apiVersion: kubescape.io/v1
+    kind: ControlConfiguration
+  matchConstraints:
+    resourceRules:
+    - apiGroups:   [""]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["pods"]
+    - apiGroups:   ["apps"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["deployments","replicasets","daemonsets","statefulsets"]
+    - apiGroups:   ["batch"]
+      apiVersions: ["v1"]
+      operations:  ["CREATE", "UPDATE"]
+      resources:   ["jobs","cronjobs"]
+  validations:
+    - expression: >
+        object.kind != 'Pod' || object.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
+        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
+        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
+      message: "Pods contains container/s with memory limit not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0271)"
+
+    - expression: >
+        ['Deployment','ReplicaSet','DaemonSet','StatefulSet','Job'].all(kind, object.kind != kind) || object.spec.template.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
+        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
+        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
+      message: "Workloads contains container/s with memory limit not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0271)"
+
+    - expression: >
+        object.kind != 'CronJob' || object.spec.jobTemplate.spec.containers.all(container,
+        (!(!(has(container.resources)) || !(has(container.resources.limits)) || !(has(container.resources.limits.memory))) &&
+        params.settings.memoryLimitMin <= int(container.resources.limits.memory) &&
+        params.settings.memoryLimitMax >= int(container.resources.limits.memory)))
+      message: "CronJob contains container/s with memory limit not set or they are not in the specified range! (see more at https://hub.armosec.io/docs/c-0271)"