Prevent Duplicate VerticalPodAutoscalers
VerticalPodAutoscaler (VPA) automatically adjusts the resources assigned to Pods. It requires a specific target resource, identified by kind and name. The VPA controller performs no validation to prevent the creation of multiple VPAs that target the same resource. This policy has two rules: the first ensures that the only targetRef kinds accepted are Deployment, StatefulSet, ReplicaSet, or DaemonSet; the second prevents duplicate VPAs by validating that any new VPA targets a resource that no existing VPA already targets.
Policy Definition
/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: prevent-duplicate-vpa
  annotations:
    policies.kyverno.io/title: Prevent Duplicate VerticalPodAutoscalers
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.4
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/subject: VerticalPodAutoscaler
    policies.kyverno.io/description: >-
      VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods.
      It requires defining a specific target resource by kind and name. There are no built-in
      validation checks by the VPA controller to prevent the creation of multiple VPAs which target
      the same resource. This policy has two rules, the first of which ensures that the only targetRef
      kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second
      prevents the creation of duplicate VPAs by validating that any
      new VPA targets a unique resource.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: verify-kind-name-duplicates
    match:
      any:
      - resources:
          kinds:
          - VerticalPodAutoscaler
          operations:
          - CREATE
    validate:
      message: >-
        The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet.
      pattern:
        spec:
          targetRef:
            kind: Deployment | StatefulSet | ReplicaSet | DaemonSet
  - name: check-targetref-duplicates
    match:
      any:
      - resources:
          kinds:
          - VerticalPodAutoscaler
          operations:
          - CREATE
    preconditions:
      all:
      - key:
        - Deployment
        - StatefulSet
        - ReplicaSet
        - DaemonSet
        operator: AnyIn
        value: "{{ request.object.spec.targetRef.kind }}"
    context:
    - name: targets
      apiCall:
        urlPath: "/apis/autoscaling.k8s.io/v1/namespaces/{{ request.namespace }}/verticalpodautoscalers"
        jmesPath: "items[?spec.targetRef.kind=='{{ request.object.spec.targetRef.kind }}'].spec.targetRef.name"
    validate:
      message: >-
        The target {{ request.object.spec.targetRef.kind }} named
        {{ request.object.spec.targetRef.name }} already has an existing
        VPA configured for it. Duplicate VPAs are not allowed.
      deny:
        conditions:
          all:
          - key: "{{ request.object.spec.targetRef.name }}"
            operator: AnyIn
            value: "{{ targets }}"
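To make the evaluation order of the two rules concrete, the following is an added example (not code from the Kyverno policy library) that simulates how the policy above decides on a VerticalPodAutoscaler CREATE request. The `EXISTING_VPAS` map stands in for the namespaced list the `apiCall` context entry fetches; all objects, namespaces and names in it are constructed sample data. `verify_kind` mirrors the first rule's exact-match pattern, `list_target_names` mirrors the `jmesPath` projection, and `check_duplicates` mirrors the precondition plus the `deny` condition.

```python
# Added example: stand-alone simulation of prevent-duplicate-vpa.
# Not part of the policy page; EXISTING_VPAS is constructed sample data that
# plays the role of the apiCall response from
# /apis/autoscaling.k8s.io/v1/namespaces/<ns>/verticalpodautoscalers.

ALLOWED_KINDS = ("Deployment", "StatefulSet", "ReplicaSet", "DaemonSet")

# Constructed sample: VPAs that already exist, keyed by namespace.
EXISTING_VPAS = {
    "shop": [
        {"metadata": {"name": "web-vpa"},
         "spec": {"targetRef": {"kind": "Deployment", "name": "web"}}},
        {"metadata": {"name": "db-vpa"},
         "spec": {"targetRef": {"kind": "StatefulSet", "name": "db"}}},
    ],
    "billing": [
        {"metadata": {"name": "web-vpa"},
         "spec": {"targetRef": {"kind": "Deployment", "name": "web"}}},
    ],
}


def verify_kind(vpa):
    """Rule 1 (verify-kind-name-duplicates): the pattern
    'kind: Deployment | StatefulSet | ReplicaSet | DaemonSet' is an exact,
    case-sensitive match against one of the alternatives.
    Returns the violation message, or None when the rule passes."""
    kind = vpa["spec"]["targetRef"].get("kind")
    if kind in ALLOWED_KINDS:
        return None
    return ("The target kind must be specified exactly as "
            "Deployment, StatefulSet, ReplicaSet, or DaemonSet.")


def list_target_names(namespace, kind):
    """Equivalent of the context apiCall plus the jmesPath
    items[?spec.targetRef.kind=='<kind>'].spec.targetRef.name :
    the names of every resource of that kind already targeted by a VPA
    in the request namespace."""
    items = EXISTING_VPAS.get(namespace, [])
    return [i["spec"]["targetRef"]["name"] for i in items
            if i["spec"]["targetRef"]["kind"] == kind]


def check_duplicates(vpa, namespace):
    """Rule 2 (check-targetref-duplicates). The precondition skips this rule
    when the kind is not one of the four supported kinds, so rule 1 is the
    only rule that reports on such objects."""
    ref = vpa["spec"]["targetRef"]
    if ref.get("kind") not in ALLOWED_KINDS:
        return None
    targets = list_target_names(namespace, ref["kind"])
    # deny: requested name is AnyIn the names already targeted (empty list -> allowed)
    if ref["name"] in targets:
        return (f"The target {ref['kind']} named {ref['name']} already has an "
                "existing VPA configured for it. Duplicate VPAs are not allowed.")
    return None


def admit(vpa, namespace):
    """Run both rules; returns the list of violation messages (empty = allowed)."""
    return [m for m in (verify_kind(vpa), check_duplicates(vpa, namespace)) if m]


def new_vpa(kind, name):
    """Build a minimal VPA request object with the given targetRef."""
    return {"spec": {"targetRef": {"kind": kind, "name": name}}}


if __name__ == "__main__":
    cases = [
        ("shop", new_vpa("Deployment", "web")),       # duplicate target -> denied
        ("shop", new_vpa("StatefulSet", "web")),      # same name, other kind -> allowed
        ("billing", new_vpa("Deployment", "api")),    # target not yet covered -> allowed
        ("shop", new_vpa("deployment", "web")),       # wrong case -> rule 1 only
        ("shop", new_vpa("CronJob", "nightly")),      # unsupported kind -> rule 1 only
    ]
    for ns, vpa in cases:
        print(ns, vpa["spec"]["targetRef"], admit(vpa, ns) or "allowed")
```

Two points the simulation makes visible: the lookup is scoped to the request namespace, which matches the fact that the supported target kinds are namespaced resources, and a lowercase or otherwise unsupported kind fails rule 1 while rule 2 is skipped by its precondition. With `validationFailureAction: Audit` as shipped, a violation is only recorded in the policy report; change it to `Enforce` to have the API server reject the duplicate VPA.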