feat(general): Add volumeresources emptyDir sizelimit

[dongjiang1989]

What this PR does / why we need it:
feat(general): Add volumeresources emptyDir sizelimit.

one node in the cluster was emptyDirevicted because the log volume not set a capacity limit sizeLimit.

Which issue(s) does this PR fix (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #

Special notes for your reviewer:

[JaydipGabani]

@dongjiang1989 can you also modify empty suite.yaml with appropriate configurations? - here is an example of working suite.yaml - https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/block-wildcard-ingress/suite.yaml

[dongjiang1989]

@dongjiang1989 can you also modify empty suite.yaml with appropriate configurations? - here is an example of working suite.yaml - https://github.com/open-policy-agent/gatekeeper-library/blob/master/library/general/block-wildcard-ingress/suite.yaml

Thanks. @JaydipGabani
Fixed. Please re-check

[JaydipGabani]

This policy will not work for Pod. Please modify constraint or rego.

[JaydipGabani]

@dongjiang1989 appologies for going back and forth, but it would be best to keep the policy applicable to pods because currenlty library doesn't test policies with expansionTemplates and the CI will likely fail since you are using Deployment for allowed/disallowed examples, you would not get expected violations in return. The policy would still deny the pods spinned up by workload resouces as well, but the denied message wouldn't be in the stdout without expansionTemplate (the denied message could be found on status of the parent resource for the pod).

[dongjiang1989]

@dongjiang1989 appologies for going back and forth, but it would be best to keep the policy applicable to pods because currenlty library doesn't test policies with expansionTemplates and the CI will likely fail since you are using Deployment for allowed/disallowed examples, you would not get expected violations in return. The policy would still deny the pods spinned up by workload resouces as well, but the denied message wouldn't be in the stdout without expansionTemplate (the denied message could be found on status of the parent resource for the pod).

Thanks @JaydipGabani . PTAL re-check

Keep the policy applicable to pods done.

[JaydipGabani]

@dongjiang1989 you will need to remove examples with kind: Deployment from artifacthub/ dir.

[dongjiang1989]

@dongjiang1989 you will need to remove examples with kind: Deployment from artifacthub/ dir.

@JaydipGabani Thanks for your review. Done.

[JaydipGabani]

LGTM

[JaydipGabani]

@maxsmythe @ritazh @sozercan PTAL.

[ritazh]

where is is_exempt used? might be good to also add an exemptImage example to the allowed test case

[dongjiang1989]

Got it. Thanks.

[ritazh]

since this policy validates specifically for emptydir volume size limit, the name, description should be updated to reflect this.

[dongjiang1989]

@ritazh change name to k8semptydirvolumesizelimit?

[ritazh]

Thanks for the PR!