All Policies

Add Safe To Evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

Policy Definition

/best-practices/add-safe-to-evict/add-safe-to-evict.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata:
 4  name: add-safe-to-evict
 5  annotations:
 6    policies.kyverno.io/title: Add Safe To Evict
 7    policies.kyverno.io/category: Other
 8    policies.kyverno.io/subject: Pod,Annotation
 9    policies.kyverno.io/minversion: 1.6.0
10    policies.kyverno.io/description: >-
11      The Kubernetes cluster autoscaler does not evict pods that 
12      use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation 
13      cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.       
14spec: 
15  rules: 
16  - name: annotate-empty-dir
17    match:
18      any:
19      - resources:
20          kinds:
21          - Pod
22    mutate:
23      patchStrategicMerge:
24        metadata:
25          annotations:
26            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
27        spec:          
28          volumes: 
29          - <(emptyDir): {}
30  - name: annotate-host-path
31    match:
32      any:
33      - resources:
34          kinds:
35          - Pod
36    mutate:
37      patchStrategicMerge:
38        metadata:
39          annotations:
40            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
41        spec:          
42          volumes: 
43          - hostPath:
44              <(path): "*"
Create policy issue