Check PodDisruptionBudget minAvailable
When a Pod controller that can run multiple replicas is subject to an active PodDisruptionBudget and its replicas field equals the PodDisruptionBudget's minAvailable value, the budget can never be satisfied during an eviction, so voluntary disruptions such as Node drains are blocked; this can stall routine maintenance and disrupt operations. This policy checks incoming Deployments and StatefulSets that have a matching PodDisruptionBudget to ensure the two values are not equal.
Policy Definition
/other/pdb-minavailable/pdb-minavailable.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pdb-minavailable-check
  annotations:
    policies.kyverno.io/title: Check PodDisruptionBudget minAvailable
    policies.kyverno.io/category: Other
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: PodDisruptionBudget, Deployment, StatefulSet
    policies.kyverno.io/description: >-
      When a Pod controller which can run multiple replicas is subject to an active PodDisruptionBudget,
      if the replicas field has a value equal to the minAvailable value of the PodDisruptionBudget
      it may prevent voluntary disruptions including Node drains which may impact routine maintenance
      tasks and disrupt operations. This policy checks incoming Deployments and StatefulSets which have
      a matching PodDisruptionBudget to ensure these two values do not match.
spec:
  validationFailureAction: audit
  background: false
  rules:
    - name: pdb-minavailable
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
          - key: "{{ request.object.spec.replicas || `1` }}"
            operator: GreaterThan
            value: 0
      context:
        - name: minavailable
          apiCall:
            urlPath: "/apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets"
            jmesPath: "items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | [0] | spec.minAvailable || `0`"
      validate:
        message: >-
          The matching PodDisruptionBudget for this resource has its minAvailable value equal to the replica count
          which is not permitted.
        deny:
          conditions:
            any:
              - key: "{{ request.object.spec.replicas }}"
                operator: Equals
                value: "{{ minavailable }}"
```