Add CAST AI Removal Disabled

CAST AI will not downscale a node that includes a pod with the autoscaling.cast.ai/removal-disabled="true" label on it, this protects sensitive workloads from being evicted and can be attributed to any pod to protect against unwanted downscaling. This policy will mutate jobs and cronjobs to add the removal-disabled label to protect against eviction.

Policy Definition

/castai/add-castai-removal-disabled/add-castai-removal-disabled.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: add-castai-removal-disabled
 5  annotations:
 6    policies.kyverno.io/title: Add CAST AI Removal Disabled
 7    policies.kyverno.io/category: CAST AI
 8    policies.kyverno.io/severity: medium
 9    policies.kyverno.io/subject: "Job, CronJob"
10    kyverno.io/kyverno-version: "1.9"
11    kyverno.io/kubernetes-version: "1.25"
12    policies.kyverno.io/description: >- 
13      CAST AI will not downscale a node that includes a pod with the 
14      autoscaling.cast.ai/removal-disabled="true" label on it, this protects
15      sensitive workloads from being evicted and can be attributed to any pod to
16      protect against unwanted downscaling. This policy will mutate jobs and 
17      cronjobs to add the removal-disabled label to protect against eviction. 
18spec:
19  rules:
20  - name: do-not-evict-jobs
21    match:
22      any:
23      - resources:
24          kinds:
25          - Job
26    mutate:
27      patchStrategicMerge:
28        spec:
29          template:
30            metadata:
31              labels:
32                autoscaling.cast.ai/removal-disabled: "true"
33  - name: do-not-evict-cronjobs
34    match:
35      any:
36      - resources:
37          kinds:
38          - CronJob
39    mutate:
40      patchStrategicMerge:
41        spec:
42          jobTemplate:
43            spec:
44              template:
45                metadata:
46                  labels:
47                    autoscaling.cast.ai/removal-disabled: "true"

Create policy issue