Check PodDisruptionBudget minAvailable

When a Pod controller that can run multiple replicas is covered by an active PodDisruptionBudget (PDB) whose minAvailable equals the controller's replicas value, evicting any single Pod would drop the count below the budget, so voluntary disruptions such as Node drains are refused indefinitely. That stalls routine maintenance (node rotation, cluster upgrades) and can disrupt operations. This policy checks incoming Deployments and StatefulSets that have a matching PodDisruptionBudget, meaning one in the same Namespace whose spec.selector.matchLabels is a subset of the Pod template labels, and reports when the two values are equal. Two caveats for practitioners: the policy compares the raw minAvailable field, so a percentage value such as "50%" is never flagged even when it resolves to the full replica count, and only the first matching PDB returned by the API is considered. Because background is false, existing resources are not scanned; only CREATE and UPDATE requests are evaluated.

Policy Definition

/other/pdb-minavailable/pdb-minavailable.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pdb-minavailable-check
  annotations:
    policies.kyverno.io/title: Check PodDisruptionBudget minAvailable
    policies.kyverno.io/category: Other
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: PodDisruptionBudget, Deployment, StatefulSet
    policies.kyverno.io/description: >-
      When a Pod controller which can run multiple replicas is subject to an active PodDisruptionBudget,
      if the replicas field has a value equal to the minAvailable value of the PodDisruptionBudget
      it may prevent voluntary disruptions including Node drains which may impact routine maintenance
      tasks and disrupt operations. This policy checks incoming Deployments and StatefulSets which have
      a matching PodDisruptionBudget to ensure these two values do not match.
spec:
  validationFailureAction: audit
  # request.* variables are used below, so background scanning must be off.
  background: false
  rules:
    - name: pdb-minavailable
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
      preconditions:
        all:
        - key: "{{request.operation || 'BACKGROUND'}}"
          operator: AnyIn
          value:
          - CREATE
          - UPDATE
        # replicas defaults to 1 when omitted, so treat an absent field as 1.
        - key: "{{ request.object.spec.replicas || `1` }}"
          operator: GreaterThan
          value: 0
      context:
        - name: minavailable
          apiCall:
            # Lists PDBs in the request's Namespace; label_match() keeps those whose
            # matchLabels are a subset of the Pod template labels. Only the first
            # match is used, and a PDB without minAvailable yields 0.
            urlPath: "/apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets"
            jmesPath: "items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | [0] | spec.minAvailable || `0`"
      validate:
        message: >-
          The matching PodDisruptionBudget for this resource has its minAvailable value equal to the replica count
          which is not permitted.
        deny:
          conditions:
            any:
              # Same default as the precondition so an omitted replicas field does not
              # leave the variable unresolved.
              - key: "{{ request.object.spec.replicas || `1` }}"
                operator: Equals
                value: "{{ minavailable }}"
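The following is an added example, not Kyverno code and not part of the policy above. It re-implements the rule's two steps in plain Python so the edge cases can be exercised without a cluster: select the first PDB in the workload's Namespace whose matchLabels is a subset of the Pod template labels (what Kyverno's label_match does), then compare spec.replicas with that PDB's minAvailable. The manifests are constructed dicts shaped like the API objects, and the resolve_percent option (which turns a percentage minAvailable into a Pod count) is an assumption of this example that the policy as written does not make.

```python
"""Offline model of the pdb-minavailable-check rule (added example, not Kyverno code)."""
import math
from typing import Optional


def label_match(selector: dict, labels: dict) -> bool:
    """Subset test, as Kyverno's label_match() does for matchLabels."""
    return all(labels.get(k) == v for k, v in selector.items())


def first_matching_pdb(workload: dict, pdbs: list) -> Optional[dict]:
    """Mirrors `items[?label_match(...)] | [0]` over a namespaced PDB list."""
    ns = workload["metadata"].get("namespace", "default")
    labels = workload["spec"]["template"]["metadata"].get("labels", {})
    for pdb_obj in pdbs:
        if pdb_obj["metadata"].get("namespace", "default") != ns:
            continue  # the apiCall urlPath is scoped to request.namespace
        selector = pdb_obj["spec"].get("selector", {}).get("matchLabels", {})
        if selector and label_match(selector, labels):
            return pdb_obj
    return None


def resolve_min_available(min_available, replicas: int) -> int:
    """Turn an IntOrString minAvailable into a Pod count (percentages round up,
    as the eviction API does). The policy itself compares the raw field."""
    if isinstance(min_available, str) and min_available.endswith("%"):
        return math.ceil(replicas * int(min_available[:-1]) / 100)
    return int(min_available)


def evaluate(workload: dict, pdbs: list, resolve_percent: bool = False) -> dict:
    """Return the rule's verdict for one Deployment/StatefulSet.

    resolve_percent=False reproduces the policy as written (a "100%" string never
    equals an integer); True is a stricter variant assumed by this example.
    """
    replicas = workload["spec"].get("replicas", 1)  # API default, as in the precondition
    if replicas <= 0:
        return {"result": "skip", "reason": "replicas is 0; precondition not met"}
    pdb_obj = first_matching_pdb(workload, pdbs)
    min_available = pdb_obj["spec"].get("minAvailable", 0) if pdb_obj else 0  # the `|| 0` default
    if resolve_percent:
        min_available = resolve_min_available(min_available, replicas)
    verdict = "fail" if min_available == replicas else "pass"
    return {"result": verdict, "replicas": replicas, "minAvailable": min_available,
            "pdb": pdb_obj["metadata"]["name"] if pdb_obj else None}


def deployment(name: str, ns: str, labels: dict, replicas=None) -> dict:
    """Constructed Deployment-shaped dict; replicas=None models an omitted field."""
    spec = {"template": {"metadata": {"labels": labels}}}
    if replicas is not None:
        spec["replicas"] = replicas
    return {"kind": "Deployment", "metadata": {"name": name, "namespace": ns}, "spec": spec}


def pdb(name: str, ns: str, match: dict, min_available) -> dict:
    """Constructed PodDisruptionBudget-shaped dict."""
    return {"kind": "PodDisruptionBudget", "metadata": {"name": name, "namespace": ns},
            "spec": {"selector": {"matchLabels": match}, "minAvailable": min_available}}


# Constructed sample objects (not from any real cluster).
PDBS = [
    pdb("web-pdb", "prod", {"app": "web"}, 3),
    pdb("api-pdb", "prod", {"app": "api"}, "100%"),
    pdb("web-pdb", "staging", {"app": "web"}, 1),
]


def run_examples() -> dict:
    """Evaluate constructed workloads; keys name the scenario, values are verdicts."""
    return {
        "equal_int": evaluate(deployment("web", "prod", {"app": "web", "tier": "fe"}, 3), PDBS)["result"],
        "not_equal": evaluate(deployment("web", "prod", {"app": "web"}, 5), PDBS)["result"],
        "percent_raw": evaluate(deployment("api", "prod", {"app": "api"}, 2), PDBS)["result"],
        "percent_resolved": evaluate(deployment("api", "prod", {"app": "api"}, 2), PDBS,
                                     resolve_percent=True)["result"],
        "default_replicas": evaluate(deployment("web", "staging", {"app": "web"}), PDBS)["result"],
        "other_namespace": evaluate(deployment("web", "dev", {"app": "web"}, 3), PDBS)["result"],
        "zero_replicas": evaluate(deployment("web", "prod", {"app": "web"}, 0), PDBS)["result"],
    }


if __name__ == "__main__":
    for scenario, result in run_examples().items():
        print(f"{scenario:18s} {result}")
```

The percent_raw and percent_resolved scenarios show the gap called out above: a PDB with minAvailable "100%" blocks every eviction just as an integer equal to replicas does, but the string never compares equal to an integer, so the policy as written passes it. Extending the JMESPath to normalise percentages would be needed to close that gap.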