Thank you paolosalvatori. You covered a huge scope of activities.
I have implemented almost all of them. From my experience, not surprisingly, setting resource limits was the hardest, because it required collaboration with developers.
Still, in many cases developers are not interested in "ops" tasks.
AKS Addon Policy is a great helper, but it works at the deployment stage, which is sometimes too late.
What I did - based on the same Open Policy Agent syntax (used in Gatekeeper) - was set CI checks (conftest tool: https://github.com/open-policy-agent/conftest) to fail an Azure DevOps build if there is no resources block in the k8s manifests.
Like:
```rego
# conftest evaluates rules from package "main" by default
package main

# Fail when a Deployment container has no memory limit
deny[msg] {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    not container.resources.limits.memory
    msg := "Containers must provide limits for memory. More details https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
}

# Fail when a Deployment container has no CPU limit
deny[msg] {
    input.kind == "Deployment"
    container := input.spec.template.spec.containers[_]
    not container.resources.limits.cpu
    msg := "Containers must provide limits for cpu. More details https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/"
}
```
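The same CI check, as an added example that is not part of the comment above, generalized to cover StatefulSets, DaemonSets, Jobs, CronJobs and initContainers, and to require requests as well as limits. The `workload_kinds` set, the `containers` helper rule and the message wording are assumptions of this example; it uses the same Rego v0 syntax as the rules above.

```rego
package main

# Kinds whose pod template sits at spec.template (assumed list)
workload_kinds := {"Deployment", "StatefulSet", "DaemonSet", "Job"}

# Helper set: every app container of a templated workload
containers[c] {
    workload_kinds[input.kind]
    c := input.spec.template.spec.containers[_]
}

# Init containers consume resources too, so check them as well
containers[c] {
    workload_kinds[input.kind]
    c := input.spec.template.spec.initContainers[_]
}

# CronJob nests its pod template one level deeper
containers[c] {
    input.kind == "CronJob"
    c := input.spec.jobTemplate.spec.template.spec.containers[_]
}

# Fields every container must set (assumed policy)
required_fields := {
    ["limits", "memory"],
    ["limits", "cpu"],
    ["requests", "memory"],
    ["requests", "cpu"],
}

# Fail the build for each missing field; "not" is true when the
# whole resources block is absent, so a bare container is caught too
deny[msg] {
    c := containers[_]
    field := required_fields[_]
    not c.resources[field[0]][field[1]]
    msg := sprintf("%s/%s: container %q must set resources.%s.%s (see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)",
        [input.kind, input.metadata.name, c.name, field[0], field[1]])
}
```

With the policy saved under `policy/`, `conftest test --policy policy/ manifests/` fails the pipeline step with one message per missing field.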