Prevent Duplicate VerticalPodAutoscalers

VerticalPodAutoscaler (VPA) automatically adjusts the resources assigned to Pods. It requires a specific target resource, identified by kind and name. The VPA controller performs no built-in validation to prevent the creation of multiple VPAs that target the same resource. This policy has two rules: the first ensures that the only targetRef kinds accepted are Deployment, StatefulSet, ReplicaSet, or DaemonSet; the second prevents the creation of duplicate VPAs by validating that any new VPA targets a unique resource.

Policy Definition

/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: prevent-duplicate-vpa
  annotations:
    policies.kyverno.io/title: Prevent Duplicate VerticalPodAutoscalers
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.4
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/subject: VerticalPodAutoscaler
    policies.kyverno.io/description: >-
      VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods.
      It requires defining a specific target resource by kind and name. There are no built-in
      validation checks by the VPA controller to prevent the creation of multiple VPAs which target
      the same resource. This policy has two rules, the first of which ensures that the only targetRef
      kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second
      prevents the creation of duplicate VPAs by validating that any
      new VPA targets a unique resource.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: verify-kind-name-duplicates
    match:
      any:
      - resources:
          kinds:
          - VerticalPodAutoscaler
          operations:
          - CREATE
    validate:
      message: >-
        The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet.
      pattern:
        spec:
          targetRef:
            kind: Deployment | StatefulSet | ReplicaSet | DaemonSet
  - name: check-targetref-duplicates
    match:
      any:
      - resources:
          kinds:
          - VerticalPodAutoscaler
          operations:
          - CREATE
    preconditions:
      all:
      - key:
        - Deployment
        - StatefulSet
        - ReplicaSet
        - DaemonSet
        operator: AnyIn
        value: "{{ request.object.spec.targetRef.kind }}"
    context:
    - name: targets
      apiCall:
        urlPath: "/apis/autoscaling.k8s.io/v1/namespaces/{{ request.namespace }}/verticalpodautoscalers"
        jmesPath: "items[?spec.targetRef.kind=='{{ request.object.spec.targetRef.kind }}'].spec.targetRef.name"
    validate:
      message: >-
        The target {{ request.object.spec.targetRef.kind }} named
        {{ request.object.spec.targetRef.name }} already has an existing
        VPA configured for it. Duplicate VPAs are not allowed.
      deny:
        conditions:
          all:
          - key: "{{ request.object.spec.targetRef.name }}"
            operator: AnyIn
            value: "{{ targets }}"
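To make the admission behaviour of the two rules concrete, the following is an added plain-Python model of the policy logic (example code, not part of the Kyverno policy or the Kyverno project). The existing VPAs and the incoming requests are constructed sample data standing in for the namespaced apiCall lookup; note that the lookup is per namespace and per kind, so the same target name in another namespace or of another kind is not a duplicate.

```python
from typing import Optional

# Kinds accepted by the pattern in rule 1 (exact, case-sensitive match).
ALLOWED_KINDS = ("Deployment", "StatefulSet", "ReplicaSet", "DaemonSet")

# Constructed VPAs "already in the cluster"; this is what the apiCall would return.
EXISTING_VPAS = [
    {"metadata": {"namespace": "prod", "name": "web-vpa"},
     "spec": {"targetRef": {"kind": "Deployment", "name": "web"}}},
    {"metadata": {"namespace": "prod", "name": "db-vpa"},
     "spec": {"targetRef": {"kind": "StatefulSet", "name": "db"}}},
    {"metadata": {"namespace": "staging", "name": "web-vpa"},
     "spec": {"targetRef": {"kind": "Deployment", "name": "web"}}},
]

def verify_kind(vpa: dict) -> Optional[str]:
    """Rule verify-kind-name-duplicates: targetRef.kind must be one of the listed kinds."""
    if vpa["spec"]["targetRef"]["kind"] not in ALLOWED_KINDS:
        return ("The target kind must be specified exactly as Deployment, "
                "StatefulSet, ReplicaSet, or DaemonSet.")
    return None

def existing_target_names(existing: list, namespace: str, kind: str) -> list:
    """Model of the `targets` context: the urlPath is scoped to the request namespace,
    and the JMESPath filter keeps only VPAs whose targetRef.kind equals the incoming kind."""
    return [v["spec"]["targetRef"]["name"] for v in existing
            if v["metadata"]["namespace"] == namespace
            and v["spec"]["targetRef"]["kind"] == kind]

def check_duplicates(vpa: dict, existing: list) -> Optional[str]:
    """Rule check-targetref-duplicates: deny when the same kind/name already has a VPA
    in this namespace. The precondition skips the rule for kinds outside the list."""
    ref = vpa["spec"]["targetRef"]
    if ref["kind"] not in ALLOWED_KINDS:
        return None  # precondition not met; rule does not apply
    names = existing_target_names(existing, vpa["metadata"]["namespace"], ref["kind"])
    if ref["name"] in names:
        return (f"The target {ref['kind']} named {ref['name']} already has an "
                "existing VPA configured for it. Duplicate VPAs are not allowed.")
    return None

def admit(vpa: dict, existing: list = EXISTING_VPAS) -> list:
    """Violation messages for a CREATE of `vpa`; an empty list means it passes both rules."""
    return [m for m in (verify_kind(vpa), check_duplicates(vpa, existing)) if m]

def new_vpa(namespace: str, kind: str, name: str) -> dict:
    """Build a constructed incoming VPA (the `request.object`) for a given target."""
    return {"metadata": {"namespace": namespace, "name": f"{name}-vpa-2"},
            "spec": {"targetRef": {"kind": kind, "name": name}}}
```

Because the policy sets validationFailureAction: Audit, a real violation is reported rather than blocked; change it to Enforce to have the request rejected.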