Spread Pods Across Nodes & Zones in CEL expressions

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: topologyspreadconstraints-policy
 5  annotations:
 6    policies.kyverno.io/title: Spread Pods Across Nodes & Zones in CEL expressions
 7    kyverno.io/kubernetes-version: "1.26-1.27"
 8    kyverno.io/kyverno-version: 1.11.0
 9    policies.kyverno.io/category: Sample in CEL 
10    policies.kyverno.io/description: >-
11      Deployments to a Kubernetes cluster with multiple availability zones often need to
12      distribute those replicas to align with those zones to ensure site-level failures
13      do not impact availability. This policy ensures topologySpreadConstraints are defined, 
14      to spread pods over nodes and zones. Deployments or Statefulsets with less than 3 
15      replicas are skipped.
16    policies.kyverno.io/minversion: 1.11.0
17    policies.kyverno.io/severity: medium
18    policies.kyverno.io/subject: Deployment, StatefulSet
19spec:
20  background: true
21  failurePolicy: Ignore
22  validationFailureAction: Audit
23  rules:
24    - name: spread-pods
25      match:
26        any:
27          - resources:
28              kinds:
29                - Deployment
30                - StatefulSet
31              operations:
32              - CREATE
33              - UPDATE
34      celPreconditions:
35        - name: "replicas-must-be-3-or-more"
36          expression: "object.spec.replicas >= 3"
37      validate:
38        cel:
39          expressions:
40            - expression: >-
41                size(object.spec.template.spec.?topologySpreadConstraints.orValue([]).filter(t, t.topologyKey == 'kubernetes.io/hostname' || t.topologyKey == 'topology.kubernetes.io/zone')) == 2
42              message: "topologySpreadConstraint for kubernetes.io/hostname & topology.kubernetes.io/zone are required"