All Policies

Require Replicas Allow Disruption

Existing PodDisruptionBudgets can apply to all future matching Pod controllers. If the minAvailable field is defined for such matching PDBs and the replica count of a new Deployment or StatefulSet is lower than that, then availability could be negatively impacted. This policy specifies that Deployment/StatefulSet replicas exceed the minAvailable value of all matching PodDisruptionBudgets which specify minAvailable as a number and not percentage.

Policy Definition

/other/require-replicas-allow-disruption/require-replicas-allow-disruption.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: require-replicas-allow-disruption
 5  annotations:
 6    policies.kyverno.io/title: Require Replicas Allow Disruption
 7    policies.kyverno.io/category: Other
 8    kyverno.io/kyverno-version: 1.11.4
 9    kyverno.io/kubernetes-version: "1.27"
10    policies.kyverno.io/subject: PodDisruptionBudget, Deployment, StatefulSet
11    policies.kyverno.io/description: >-
12      Existing PodDisruptionBudgets can apply to all future matching Pod controllers.
13      If the minAvailable field is defined for such matching PDBs and the replica count of a new
14      Deployment or StatefulSet is lower than that, then availability could be negatively impacted.
15      This policy specifies that Deployment/StatefulSet replicas exceed the minAvailable value of all
16      matching PodDisruptionBudgets which specify minAvailable as a number and not percentage.
17spec:
18  validationFailureAction: Audit
19  background: false
20  rules:
21  - name: replicas-check
22    match:
23      any:
24      - resources:
25          kinds:
26          - Deployment
27          - StatefulSet
28          operations:
29          - CREATE
30          - UPDATE
31    context:
32    - name: matchingpdbs
33      apiCall:
34        jmesPath: items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)]
35        urlPath: /apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets
36    preconditions:
37      all:
38      - key: "{{ request.object.spec.replicas }}"
39        operator: GreaterThan
40        value: 0
41      - key: "{{ length(matchingpdbs) }}"
42        operator: GreaterThan
43        value: 0
44    validate:
45      message: >-
46        Replica count ({{ request.object.spec.replicas }}) cannot be less than or equal to the minAvailable of any
47        matching PodDisruptionBudget. There are {{ length(matchingpdbs) }} PodDisruptionBudgets which match this labelSelector,
48        not all of which may define a minAvailable value as a number.
49      foreach:
50      - list: matchingpdbs
51        preconditions:
52          all:
53          - key: '{{ regex_match(''^[0-9]+$'', ''{{ element.spec.minAvailable || '''' }}'') }}'
54            operator: Equals
55            value: true
56        deny:
57          conditions:
58            all:
59            - key: "{{ request.object.spec.replicas }}"
60              operator: LessThanOrEquals
61              value: "{{ element.spec.minAvailable }}"
Create policy issue