I'm a junior developer, and I was posed an interesting question during an interview. The scenario involves a company that hosts multiple clients on a cluster. The challenge is allowing client developers to change image tags within a kustomization.yaml file, but they shouldn't have the ability to modify deployment limits. I suggested using some Kyverno rules and CI checks to enforce this, which seemed like a solid approach. However, I'm curious if there might be a more effective solution. Additionally, I considered the possibility of letting clients manage their own resource requests and limits, billing them accordingly each month, while the hosting company could handle auto-scaling using the most cost-effective nodes available from GCP. I'd love to hear your thoughts on this!
2 Answers
You might want to look into Resource Quotas and Limit Ranges. These tools will enforce the limits you need and make sure that your clients won’t hog all the resources, while still allowing them to make necessary changes to their own configurations.
It sounds like admission webhooks or mutating webhooks could really help with your situation. They can be set up to specifically handle the changes you want to allow without giving too much control to the developers.

I see your point, but I'm looking for something that controls just the image tags, not all resource limits.
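
An added example, not part of the thread above or any project's code: the validating-admission check suggested in the second answer, narrowed to the follow-up's requirement that only image tags may change. It assumes the webhook is registered only for Deployment requests made by client developers' identities; the function names and the sample image `gcr.io/acme/web` are constructed for illustration.

```python
import copy

def split_image(ref):
    """Split 'registry:5000/team/app:1.2' into (repository, tag and/or digest)."""
    name = ref.partition("@")[0]
    if ":" in name.rsplit("/", 1)[-1]:   # a colon after the last slash starts a tag
        name = name[: name.rindex(":")]
    return name, ref[len(name):]

def pinned_spec(deployment):
    """Copy of .spec with every container image reduced to its repository."""
    spec = copy.deepcopy(deployment.get("spec", {}))
    pod = spec.get("template", {}).get("spec", {})
    for kind in ("containers", "initContainers"):
        for container in pod.get(kind, []):
            container["image"] = split_image(container.get("image", ""))[0]
    return spec

def review(admission_review):
    """Allow an UPDATE only if nothing but image tags/digests differs; deny the rest."""
    req = admission_review["request"]
    allowed = (req["operation"] == "UPDATE"
               and pinned_spec(req["oldObject"]) == pinned_spec(req["object"]))
    message = "ok" if allowed else "only container image tags may be changed"
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": req["uid"], "allowed": allowed,
                         "status": {"message": message}}}

def sample_deployment(image, cpu_limit):
    """Constructed Deployment object (illustrative values, not from a real cluster)."""
    return {"kind": "Deployment", "metadata": {"name": "web"},
            "spec": {"replicas": 2, "template": {"spec": {"containers": [
                {"name": "web", "image": image,
                 "resources": {"limits": {"cpu": cpu_limit}}}]}}}}

def sample_review(old, new, operation="UPDATE"):
    """Constructed AdmissionReview request wrapping the old and new objects."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid-1", "operation": operation,
                        "oldObject": old, "object": new}}

if __name__ == "__main__":
    old = sample_deployment("gcr.io/acme/web:1.0", "500m")
    for new in (sample_deployment("gcr.io/acme/web:1.1", "500m"),   # tag bump only
                sample_deployment("gcr.io/acme/web:1.1", "4")):     # limit raised too
        print(review(sample_review(old, new))["response"])
```

Because the comparison covers the whole `spec`, a change to replicas, requests, or the image repository is rejected along with a change to limits, and any operation other than UPDATE is denied.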