feat: add grant policies for notes and core resource quotas (#193)

zachsmith1 · web-flow · commit b5eb1a3628c8 · 2026-03-19T15:05:33.000-07:00
## Summary - Add GrantCreationPolicies for notes and core Kubernetes resources - Triggered on Project creation, allocates default quota amounts - Companion to datum-cloud/milo#523 which defines the registrations and claim policies in the milo repo ### Default quotas per project | Resource | apiGroup | Amount | |----------|----------|--------| | Note | `notes.miloapis.com` | 100 | | ClusterNote | `notes.miloapis.com` | 100 | | Secret | `core.miloapis.com` | 50 | | ConfigMap | `core.miloapis.com` | 50 | ## Test plan - [ ] Verify kustomize build succeeds - [ ] Deploy alongside milo registrations/claim policies and verify grant creation on project creation Ref: datum-cloud/enhancements#664 🤖 Generated with [Claude Code](https://claude.com/claude-code)
diff --git a/config/services/core.miloapis.com/kustomization.yaml b/config/services/core.miloapis.com/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+sortOptions:
+  order: fifo
+
+components:
+  - quota/
diff --git a/config/services/core.miloapis.com/quota/grant-policies/default-project-grant-policy.yaml b/config/services/core.miloapis.com/quota/grant-policies/default-project-grant-policy.yaml
@@ -0,0 +1,35 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: GrantCreationPolicy
+metadata:
+  name: default-core-quota-policy
+  labels:
+    app.kubernetes.io/name: datum
+    app.kubernetes.io/component: quota-system
+spec:
+  trigger:
+    resource:
+      apiVersion: resourcemanager.miloapis.com/v1alpha1
+      kind: Project
+  target:
+    parentContext:
+      apiGroup: "resourcemanager.miloapis.com"
+      kind: "Project"
+      nameExpression: "trigger.metadata.name"
+    resourceGrantTemplate:
+      metadata:
+        name: "default-core-quota-{{ trigger.metadata.name }}"
+        namespace: milo-system
+        annotations:
+          kubernetes.io/description: "Core resource quota allocation for project"
+      spec:
+        consumerRef:
+          apiGroup: resourcemanager.miloapis.com
+          kind: Project
+          name: "{{ trigger.metadata.name }}"
+        allowances:
+          - resourceType: core.miloapis.com/secrets
+            buckets:
+              - amount: 50
+          - resourceType: core.miloapis.com/configmaps
+            buckets:
+              - amount: 50
diff --git a/config/services/core.miloapis.com/quota/grant-policies/kustomization.yaml b/config/services/core.miloapis.com/quota/grant-policies/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+sortOptions:
+  order: fifo
+
+resources:
+  - default-project-grant-policy.yaml
diff --git a/config/services/core.miloapis.com/quota/kustomization.yaml b/config/services/core.miloapis.com/quota/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+sortOptions:
+  order: fifo
+
+components:
+  - grant-policies/
diff --git a/config/services/kustomization.yaml b/config/services/kustomization.yaml
@@ -13,4 +13,6 @@ components:
   - iam.miloapis.com/
   - dns.networking.miloapis.com/
   - networking.datumapis.com/
+  - notes.miloapis.com/
+  - core.miloapis.com/
   - search.miloapis.com/
diff --git a/config/services/notes.miloapis.com/kustomization.yaml b/config/services/notes.miloapis.com/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+sortOptions:
+  order: fifo
+
+components:
+  - quota/
diff --git a/config/services/notes.miloapis.com/quota/grant-policies/default-project-grant-policy.yaml b/config/services/notes.miloapis.com/quota/grant-policies/default-project-grant-policy.yaml
@@ -0,0 +1,32 @@
+apiVersion: quota.miloapis.com/v1alpha1
+kind: GrantCreationPolicy
+metadata:
+  name: default-notes-quota-policy
+  labels:
+    app.kubernetes.io/name: datum
+    app.kubernetes.io/component: quota-system
+spec:
+  trigger:
+    resource:
+      apiVersion: resourcemanager.miloapis.com/v1alpha1
+      kind: Project
+  target:
+    parentContext:
+      apiGroup: "resourcemanager.miloapis.com"
+      kind: "Project"
+      nameExpression: "trigger.metadata.name"
+    resourceGrantTemplate:
+      metadata:
+        name: "default-notes-quota-{{ trigger.metadata.name }}"
+        namespace: milo-system
+        annotations:
+          kubernetes.io/description: "Notes quota allocation for project"
+      spec:
+        consumerRef:
+          apiGroup: resourcemanager.miloapis.com
+          kind: Project
+          name: "{{ trigger.metadata.name }}"
+        allowances:
+          - resourceType: notes.miloapis.com/notes
+            buckets:
+              - amount: 100
diff --git a/config/services/notes.miloapis.com/quota/grant-policies/kustomization.yaml b/config/services/notes.miloapis.com/quota/grant-policies/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+sortOptions:
+  order: fifo
+
+resources:
+  - default-project-grant-policy.yaml
diff --git a/config/services/notes.miloapis.com/quota/kustomization.yaml b/config/services/notes.miloapis.com/quota/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+sortOptions:
+  order: fifo
+
+components:
+  - grant-policies/
