Spread Pods Across Nodes & Zones

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: topologyspreadconstraints-policy
 5  annotations:
 6    policies.kyverno.io/title: Spread Pods Across Nodes & Zones
 7    kyverno.io/kubernetes-version: "1.22-1.23"
 8    kyverno.io/kyverno-version: 1.8.0
 9    policies.kyverno.io/category: Sample
10    policies.kyverno.io/description: >-
11      Deployments to a Kubernetes cluster with multiple availability zones often need to
12      distribute those replicas to align with those zones to ensure site-level failures
13      do not impact availability. This policy ensures topologySpreadConstraints are defined, 
14      to spread pods over nodes and zones. Deployments or Statefulsets with leass than 3 
15      replicas are skipped.
16    policies.kyverno.io/minversion: 1.8.0
17    policies.kyverno.io/severity: medium
18    policies.kyverno.io/subject: Deployment, StatefulSet
19    
20spec:
21  background: true
22  failurePolicy: Ignore
23  validationFailureAction: Audit
24  rules:
25    - name: spread-pods
26      match:
27        any:
28          - resources:
29              kinds:
30                - Deployment
31                - StatefulSet
32      preconditions:
33        all:
34          - key: "{{ request.object.spec.replicas }}"
35            operator: GreaterThanOrEquals
36            value: 3
37      validate:
38        message: "topologySpreadConstraint for kubernetes.io/hostname & topology.kubernetes.io/zone are required"
39        deny:
40          conditions:
41            any:
42              - key: "{{request.object.spec.template.spec.topologySpreadConstraints[?topologyKey=='kubernetes.io/hostname' || topologyKey=='topology.kubernetes.io/zone'] || `[]` | length(@) }}"
43                operator: NotEquals
44                value: 2