
Restrict Scale

Pod controllers such as Deployments that implement `replicas` and support the scale action expose a `/scale` subresource; `kubectl scale` and the HorizontalPodAutoscaler act on that subresource rather than on the Deployment itself. Validating the replica count when such a controller is created is therefore not enough: the scale operation and its subresource must be covered as well. This policy, usable beginning in Kyverno 1.9, is a collection of rules that limit the replica count both when a Deployment is created and when a scale operation is performed. Three points matter when adapting it. First, the admission request for a `Deployment/scale` operation carries an `autoscaling/v1` `Scale` object, not the Deployment: it contains the name, namespace and `spec.replicas`, and `status.selector` holds the Deployment's label selector rendered as a string, but the Deployment's own labels and annotations are absent, which is why the second rule fetches the parent Deployment through an `apiCall` context entry. Second, the third rule lists no `operations`, so Kyverno evaluates it on updates to the Deployment as well as on creation; a change to `spec.replicas` made directly on the Deployment (for example with `kubectl edit` or `kubectl apply`) does not pass through `/scale` and is caught by that rule, not by the scale rules. Third, the policy ships with `validationFailureAction: audit`, so violations are only recorded in policy reports; set it to `enforce` to reject the request.

Policy Definition

/other/restrict-scale/restrict-scale.yaml

apiVersion: kyverno.io/v2beta1
kind: ClusterPolicy
metadata:
  name: restrict-scale
  annotations:
    policies.kyverno.io/title: Restrict Scale
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.9.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: Deployment
    policies.kyverno.io/description: >-
      Pod controllers such as Deployments which implement replicas and permit the scale action
      use a `/scale` subresource to control this behavior. In addition to checks for creations of
      such controllers that their replica is in a certain shape, the scale operation and subresource
      needs to be accounted for as well. This policy, operable beginning in Kyverno 1.9, is a collection
      of rules which can be used to limit the replica count both upon creation of a Deployment and
      when a scale operation is performed.
spec:
  validationFailureAction: audit
  background: false
  rules:
  # This rule can be used to limit scale operations based upon Deployment labels assuming the given label
  # is also used as a selector.
  - name: scale-max-eight
    match:
      any:
      - resources:
          kinds:
          - Deployment/scale
    validate:
      message: The replica count for this Deployment may not exceed 8.
      pattern:
        (status):
          (selector): "*type=monitoring*"
        spec:
          replicas: <9
  # This rule can be used for more advanced decision making, for example limiting scale based
  # upon Deployment annotations which are not sent by the API server to admission controllers
  # when a scale is performed.
  - name: scale-max-eight-annotations
    match:
      any:
      - resources:
          kinds:
          - Deployment/scale
    context:
      - name: parentdeploy
        apiCall:
          urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/deployments?fieldSelector=metadata.name={{request.name}}"
          jmesPath: "items[0]"
      - name: dept
        variable:
          jmesPath: parentdeploy.metadata.annotations."corp.org/dept"
          default: empty
    validate:
      message: The replica count for this Deployment may not exceed 8.
      deny:
        conditions:
          all:
          - key: "{{dept}}"
            operator: Equals
            value: engineering
          - key: "{{request.object.spec.replicas}}"
            operator: GreaterThan
            value: 8
  # This rule, which is a simple check on Deployments for replicas (not scaling them) can be used
  # to complement scale operations. This may be needed along with at least one of the prior two rules
  # to fully limit the number of total replicas allowed. For example, this rule would limit creation of
  # Deployments to no more than 4 replicas, without an additional rule for scaling it would not prevent
  # scaling over 4. By combining this CREATE rule with one of the scale rules above, a cluster admin
  # may effectively provide an allowed range of replicas good for both day1 and day2 operations.
  - name: create-max-four
    match:
      any:
      - resources:
          kinds:
          - Deployment
          selector:
            matchLabels:
              type: monitoring
    validate:
      message: The replica count for this Deployment may not exceed 4.
      pattern:
        spec:
          replicas: <5
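The following is an added example, not part of the Kyverno policy library, showing the two objects the rules above are evaluated against: a Deployment that the create-max-four rule sees on admission, and the Scale object the API server hands to Kyverno as request.object when that Deployment is scaled. The name metrics-collector, the namespace monitoring, the image and the corp.org/dept annotation value are constructed for illustration. The Scale object is shown without the uid, resourceVersion and creationTimestamp the API server also fills in.

```yaml
# Added example (constructed, not from the policy library). All names,
# labels, annotations and the image are hypothetical.

# 1. The Deployment validated by create-max-four on CREATE (and, because the
#    rule sets no operations, on UPDATE). replicas must be below 5 here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-collector        # hypothetical name
  namespace: monitoring          # hypothetical namespace
  labels:
    app: metrics-collector
    type: monitoring             # matched by create-max-four's selector
  annotations:
    corp.org/dept: engineering   # read by scale-max-eight-annotations via apiCall
spec:
  replicas: 4
  selector:
    matchLabels:
      app: metrics-collector
      type: monitoring           # also used as a selector, so it shows up in status.selector
  template:
    metadata:
      labels:
        app: metrics-collector
        type: monitoring
    spec:
      containers:
      - name: collector
        image: registry.example.com/metrics-collector:1.0   # hypothetical image
---
# 2. request.object for `kubectl scale deployment metrics-collector --replicas=9`.
#    This is an autoscaling/v1 Scale, not the Deployment: only name, namespace,
#    spec.replicas and status are present. The Deployment's labels and
#    annotations are not included, which is why scale-max-eight matches on
#    status.selector (the Deployment's selector rendered as a string) and why
#    scale-max-eight-annotations has to fetch the parent with apiCall.
apiVersion: autoscaling/v1
kind: Scale
metadata:
  name: metrics-collector
  namespace: monitoring
spec:
  replicas: 9      # greater than 8: both scale rules flag it (rejected in enforce mode)
status:
  replicas: 4
  selector: app=metrics-collector,type=monitoring   # matches the "*type=monitoring*" pattern
```

With `validationFailureAction` switched to `enforce`, `kubectl scale deployment metrics-collector --replicas=8` succeeds and `--replicas=9` is rejected with the rule's message; the same request scaled from a Deployment whose `corp.org/dept` annotation is missing or not `engineering` is only caught by scale-max-eight, and only because its selector string contains `type=monitoring`. Creating the Deployment with `replicas: 5` or higher is rejected by create-max-four, giving the 1 to 8 replica window the rule comments describe.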