webhook: enforce minimum memory limit

If memory limit is set and less than minimum, set it to minimum. This is to to account for 0ec34036bb Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2026-04-04 11:03:52 +00:00 · 2025-01-09 15:25:51 -08:00
parent ed0b643279
commit b913ac8e2c
2 changed files with 26 additions and 1 deletions
--- a/tools/testing/kata-webhook/deploy/webhook.yaml
+++ b/tools/testing/kata-webhook/deploy/webhook.yaml
@@ -20,7 +20,7 @@ spec:
    spec:
      containers:
        - name: pod-annotate-webhook
-          image: quay.io/kata-containers/kata-webhook-example:latest
+          image: marineraks.azurecr.io/kata-containers/kata-webhook:min_memory_limit
          imagePullPolicy: Always
          env:
            - name: RUNTIME_CLASS
@@ -29,6 +29,12 @@ spec:
                  name: kata-webhook
                  key: runtime_class
                  optional: true
+            - name: MIN_MEMORY_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  name: kata-webhook
+                  key: min_memory_limit
+                  optional: true
          args:
            - -tls-cert-file=/etc/webhook/certs/cert.pem
            - -tls-key-file=/etc/webhook/certs/key.pem
@@ -74,3 +80,4 @@ metadata:
  name: kata-webhook
 data:
  runtime_class: kata
+  min_memory_limit: "128Mi"
--- a/tools/testing/kata-webhook/main.go
+++ b/tools/testing/kata-webhook/main.go
@@ -13,6 +13,7 @@ import (
 	"strings"

 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"github.com/sirupsen/logrus"
@@ -78,6 +79,23 @@ func annotatePodMutator(_ context.Context, ar *kwhmodel.AdmissionReview, obj met
 	kataRuntimeClassName := getRuntimeClass(runtimeClassEnvKey, "kata")
 	pod.Spec.RuntimeClassName = &kataRuntimeClassName

+	minMemoryLimit, foundMinMemoryLimit := os.LookupEnv("MIN_MEMORY_LIMIT")
+
+	if foundMinMemoryLimit {
+		minMemoryLimitVal := resource.MustParse(minMemoryLimit)
+		for i := range pod.Spec.Containers {
+			if pod.Spec.Containers[i].Resources.Limits == nil {
+				continue
+			} else {
+				currentMemoryLimit := pod.Spec.Containers[i].Resources.Limits.Memory().Value()
+				if currentMemoryLimit < minMemoryLimitVal.Value() {
+					pod.Spec.Containers[i].Resources.Limits["memory"] = resource.MustParse(minMemoryLimit)
+					fmt.Println("memory limit too low. Updating to : ", pod.Spec.Containers[i].Resources.Limits)
+				}
+			}
+		}
+	}
+
 	return &kwhmutating.MutatorResult{
 		MutatedObject: pod,
 	}, nil