All Policies

Ensure Deployment Replicas Higher Than PodDisruptionBudget

PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times. Introducing a PDB where there are already matching Pod controllers may pose a problem if the author is unaware of the existing replica count. This policy ensures that the minAvailable value is not greater not equal to the replica count of any matching existing Deployment. If other Pod controllers should also be included in this check, additional rules may be added to the policy which match those controllers.

Policy Definition

/other/deployment-replicas-higher-than-pdb/deployment-replicas-higher-than-pdb.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: deployment-replicas-higher-than-pdb
 5  annotations:
 6    policies.kyverno.io/title: Ensure Deployment Replicas Higher Than PodDisruptionBudget
 7    policies.kyverno.io/category: Other
 8    policies.kyverno.io/subject: PodDisruptionBudget, Deployment
 9    kyverno.io/kyverno-version: 1.11.4
10    kyverno.io/kubernetes-version: "1.27"
11    policies.kyverno.io/description: >-
12      PodDisruptionBudget resources are useful to ensuring minimum availability is maintained at all times.
13      Introducing a PDB where there are already matching Pod controllers may pose a problem if the author
14      is unaware of the existing replica count. This policy ensures that the minAvailable value is not
15      greater not equal to the replica count of any matching existing Deployment. If other Pod controllers
16      should also be included in this check, additional rules may be added to the policy which match those
17      controllers.
18spec:
19  validationFailureAction: Audit
20  background: true
21  rules:
22  - name: deployment-replicas-greater-minAvailable
23    match:
24      any:
25      - resources:
26          kinds:
27          - PodDisruptionBudget
28          operations:
29          - CREATE
30          - UPDATE
31    context:
32    - name: deploymentreplicas
33      apiCall:
34        jmesPath: items[?label_match(`{{ request.object.spec.selector.matchLabels }}`, spec.template.metadata.labels)] || `[]`
35        urlPath: /apis/apps/v1/namespaces/{{request.namespace}}/deployments 
36    preconditions:
37      all:
38      - key: '{{ regex_match(''^[0-9]+$'', ''{{ request.object.spec.minAvailable || ''''}}'') }}'
39        operator: Equals
40        value: true
41      - key: '{{ length(deploymentreplicas) }}'
42        operator: GreaterThan
43        value: 0
44    validate:
45      message: >-
46        PodDisruption budget minAvailable ({{ request.object.spec.minAvailable }}) cannot be
47        greater than or equal to the replica count of any matching existing Deployment.
48        There are {{ length(deploymentreplicas) }} Deployments which match this labelSelector
49        having {{ deploymentreplicas[*].spec.replicas }} replicas.
50      foreach:
51        - list: deploymentreplicas
52          deny:
53            conditions:
54              all:
55              - key: "{{ request.object.spec.minAvailable }}"
56                operator: GreaterThanOrEquals
57                value: "{{ element.spec.replicas }}"
Create policy issue