From 09e9ba99abe1ccc4742b2be68e7b778ffb982e10 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 27 Oct 2021 13:01:41 -0400
Subject: [PATCH] PodSecurity: add resource quota for clusters that limit cluster-critical by default
---
 .../webhook/manifests/20-resourcequota.yaml | 14 ++++++++++++++
 .../webhook/manifests/kustomization.yaml | 1 +
 2 files changed, 15 insertions(+)
 create mode 100644 staging/src/k8s.io/pod-security-admission/webhook/manifests/20-resourcequota.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/20-resourcequota.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/20-resourcequota.yaml
new file mode 100644
index 00000000000..0c90bd22bda
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/20-resourcequota.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: pod-security-webhook
+ namespace: pod-security-webhook
+spec:
+ hard:
+ pods: 3
+ scopeSelector:
+ matchExpressions:
+ - operator: In
+ scopeName: PriorityClass
+ values:
+ - system-cluster-critical
\ No newline at end of file
diff --git a/staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml b/staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml
index f637494436e..8320af4a6d1 100644
--- a/staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml
+++ b/staging/src/k8s.io/pod-security-admission/webhook/manifests/kustomization.yaml
@@ -2,6 +2,7 @@ resources:
 - 10-namespace.yaml
 - 20-configmap.yaml
 - 20-serviceaccount.yaml
+- 20-resourcequota.yaml
 - 30-clusterrole.yaml
 - 40-clusterrolebinding.yaml
 - 50-deployment.yaml
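Review bot: The `pods: 3` limit under `spec.hard` in 20-resourcequota.yaml has no comment tying it to the webhook Deployment, so nothing tells an operator what it must stay in step with. The quota is scoped to `system-cluster-critical`, so it is a hard ceiling on pods of that priority in the namespace. If the replica count plus rollout surge in 50-deployment.yaml (not visible here) ever exceeds 3, new webhook pods would be rejected, and for an admission webhook that presumably means stalled rollouts or reduced enforcement availability. I would add `# Must be >= webhook Deployment replicas + maxSurge; pods above this are rejected.` above `pods: 3`. A header comment would also help, such as `# Needed on clusters that only admit system-cluster-critical pods where a matching quota exists.`, since that reason currently appears only in the commit subject. The new file also ends without a trailing newline.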