All Policies

Prevent Duplicate HorizontalPodAutoscalers

HorizontalPodAutoscaler (HPA) is useful to automatically adjust the number of pods in a deployment or replication controller. It requires defining a specific target resource by kind and name. There are no built-in validation checks by the HPA controller to prevent the creation of multiple HPAs which target the same resource. This policy has two rules, the first of which ensures that the only targetRef kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second prevents the creation of duplicate HPAs by validating that any new HPA targets a unique resource.

Policy Definition

/other/prevent-duplicate-hpa/prevent-duplicate-hpa.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: prevent-duplicate-hpa
 5  annotations:
 6    policies.kyverno.io/title: Prevent Duplicate HorizontalPodAutoscalers
 7    policies.kyverno.io/category: Other
 8    policies.kyverno.io/severity: medium
 9    kyverno.io/kyverno-version: 1.11.4
10    kyverno.io/kubernetes-version: "1.27"
11    policies.kyverno.io/subject: HorizontalPodAutoscaler
12    policies.kyverno.io/description: >-
13      HorizontalPodAutoscaler (HPA) is useful to automatically adjust the number of pods in a deployment
14      or replication controller. It requires defining a specific target resource by kind and name.
15      There are no built-in validation checks by the HPA controller to prevent the creation of multiple HPAs
16      which target the same resource. This policy has two rules, the first of which ensures that the only targetRef
17      kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second
18      prevents the creation of duplicate HPAs by validating that any new HPA targets a unique resource.
19spec:
20  validationFailureAction: Audit
21  background: false
22  rules:
23  - name: verify-kind-name-duplicates
24    match:
25      any:
26      - resources:
27          kinds:
28          - HorizontalPodAutoscaler
29          operations:
30          - CREATE
31    validate:
32      message: >-
33        The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet.        
34      pattern:
35        spec:
36          scaleTargetRef:
37            kind: Deployment | StatefulSet | ReplicaSet | DaemonSet
38  - name: check-targetref-duplicates
39    match:
40      any:
41      - resources:
42          kinds:
43          - HorizontalPodAutoscaler
44          operations:
45          - CREATE
46    preconditions:
47      all:
48      - key:
49        - Deployment
50        - StatefulSet
51        - ReplicaSet
52        - DaemonSet
53        operator: AnyIn
54        value: "{{ request.object.spec.scaleTargetRef.kind }}"
55    context:
56    - name: targets
57      apiCall:
58        urlPath: "/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers"
59        jmesPath: "items[?spec.scaleTargetRef.kind=='{{ request.object.spec.scaleTargetRef.kind }}'].spec.scaleTargetRef.name"
60    validate:
61      message: >-
62        The target {{ request.object.spec.scaleTargetRef.kind }} named
63        {{ request.object.spec.scaleTargetRef.name }} already has an existing
64        HPA configured for it. Duplicate HPAs are not allowed.        
65      deny:
66        conditions:
67          all:
68          - key: "{{ request.object.spec.scaleTargetRef.name }}"
69            operator: AnyIn
70            value: "{{ targets }}"
Create policy issue