SC-5 protects workloads against DoS attacks. The CaC rule that would implement SC-5 would check for:

• all routes outside the openshift- namespaces should use the rate-limiting annotations
• all workloads outside the openshift namespaces should use resource requests and limits
• maybe pods in workloads that are not exposed should limit bandwidth as well? Maybe an INFO-level rule? See the doc at https://docs.openshift.com/container-platform/4.7/nodes/pods/nodes-pods-configuring.html#nodes-pods-configuring-bandwidth_nodes-pods-configuring|http://example.com

Acceptance criteria:

• there is a rule that checks all namespaces that do not start with openshift or kube for the existence of rate-limiting annotations on all routes in those namespaces
• there is a rule that checks that either one clusterResourceQuota object exists of if there is a resourceQuota object per namespace for all namespaces but those that start with openshift-* or kube-*
• e2e tests exist for the rules above