Back to Policies

Add CAST AI Removal Disabled

CAST AI will not downscale a node that includes a pod with the autoscaling.cast.ai/removal-disabled="true" label on it, this protects sensitive workloads from being evicted and can be attributed to any pod to protect against unwanted downscaling. This policy will mutate jobs and cronjobs to add the removal-disabled label to protect against eviction.

View on GitHub

Policy Definition 

apiVersion: policies.kyverno.io/v1alpha1
kind: MutatingPolicy
metadata:
  name: add-castai-removal-disabled
  annotations:
    policies.kyverno.io/title: Add CAST AI Removal Disabled
    policies.kyverno.io/category: CAST AI
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Job, CronJob
    kyverno.io/kyverno-version: 1.15.0
    kyverno.io/kubernetes-version: "1.25"
    policies.kyverno.io/minversion: 1.15.0
    policies.kyverno.io/description: "CAST AI will not downscale a node that includes a pod with the  autoscaling.cast.ai/removal-disabled=\"true\" label on it, this protects sensitive workloads from being evicted and can be attributed to any pod to protect against unwanted downscaling. This policy will mutate jobs and  cronjobs to add the removal-disabled label to protect against eviction. "
spec:
  matchConstraints:
    resourceRules:
      - apiGroups:
          - batch
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - jobs
          - cronjobs
  mutations:
    - patchType: ApplyConfiguration
      applyConfiguration:
        expression: |
          object.kind == "Job" ?
          Object{
            spec: Object.spec{
              template: Object.spec.template{
                metadata: Object.spec.template.metadata{
                  labels: {
                    "autoscaling.cast.ai/removal-disabled": "true"
                  }
                }
              }
            }
          } :
          object.kind == "CronJob" ?
          Object{
            spec: Object.spec{
              jobTemplate: Object.spec.jobTemplate{
                spec: Object.spec.jobTemplate.spec{
                  template: Object.spec.jobTemplate.spec.template{
                    metadata: Object.spec.jobTemplate.spec.template.metadata{
                      labels: {
                        "autoscaling.cast.ai/removal-disabled": "true"
                      }
                    }
                  }
                }
              }
            }
          } : Object{}
  reinvocationPolicy: Never

Related Policies

MutateMedium

Add Safe To Evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

Pod
MutateMedium

Add Safe To Evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to the pods.

Pod
MutateMedium

Schedule-based Resource Quotas

Automatically adjusts resource quotas based on time schedules to optimize cloud costs. During non-business hours, the policy reduces resource quotas to prevent overprovisioning while ensuring essential services remain operational.

ResourceQuota