Ensure HPA for Deployments
This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the resource and denies the creation or update of the resource if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently.
Policy Definition
/other/check-hpa-exists/check-hpa-exists.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-hpa-exists
  annotations:
    policies.kyverno.io/title: Ensure HPA for Deployments
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.0
    policies.kyverno.io/minversion: 1.9.0
    kyverno.io/kubernetes-version: "1.28"
    policies.kyverno.io/subject: Deployment,ReplicaSet,StatefulSet,DaemonSet
    policies.kyverno.io/description: >-
      This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed
      if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace.
      The policy checks for the presence of an HPA that targets the resource and denies the creation or update
      of the resource if no such HPA exists. This policy helps enforce scaling practices
      and ensures that resources are managed efficiently.
spec:
  # Audit records violations in policy reports and still admits the request;
  # Enforce is required for the request to be rejected.
  validationFailureAction: Audit
  background: true
  rules:
    - name: validate-hpa
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - ReplicaSet
                - StatefulSet
                - DaemonSet
      context:
        # List the HPAs in the request's namespace and keep only the names
        # of their scale targets.
        - name: hpas
          apiCall:
            urlPath: "/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers"
            jmesPath: "items[].spec.scaleTargetRef.name"
      validate:
        message: "Deployment is not allowed without a corresponding HPA."
        deny:
          conditions:
            all:
              # Flag the resource when its name is not among the HPA target
              # names; scaleTargetRef.kind is not compared.
              - key: "{{ request.object.metadata.name }}"
                operator: AnyNotIn
                value: "{{ hpas }}"
```
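The rule compares only `metadata.name` against the list of `scaleTargetRef.name` values, so it helps to see which resources that check accepts and which it flags. The following is an added example, not part of the Kyverno policy library: it emulates the rule's condition on constructed objects, and `strict_flags` is a hypothetical kind-and-name comparison included only for contrast.

```python
# Constructed stand-in for the apiCall response from
# /apis/autoscaling/v1/namespaces/shop/horizontalpodautoscalers
HPA_LIST = {"items": [
    {"metadata": {"name": "web"},
     "spec": {"scaleTargetRef": {"kind": "Deployment", "name": "web"}}},
    {"metadata": {"name": "db"},
     "spec": {"scaleTargetRef": {"kind": "StatefulSet", "name": "db"}}},
]}

# Constructed admission objects (only the fields the rule reads).
RESOURCES = [
    {"kind": "Deployment", "metadata": {"name": "web"}},
    {"kind": "Deployment", "metadata": {"name": "db"}},              # name collides with a StatefulSet HPA
    {"kind": "ReplicaSet", "metadata": {"name": "web-5d4f8c7b9d"}},  # name shape a Deployment generates
    {"kind": "StatefulSet", "metadata": {"name": "cache"}},
]

def hpa_target_names(hpa_list):
    """Equivalent of jmesPath items[].spec.scaleTargetRef.name."""
    return [h["spec"]["scaleTargetRef"]["name"] for h in hpa_list.get("items", [])]

def policy_flags(resource, hpa_list):
    """The rule's condition as written: metadata.name AnyNotIn hpas."""
    return resource["metadata"]["name"] not in hpa_target_names(hpa_list)

def strict_flags(resource, hpa_list):
    """Hypothetical stricter check: kind and name must both match a target."""
    targets = {(h["spec"]["scaleTargetRef"]["kind"], h["spec"]["scaleTargetRef"]["name"])
               for h in hpa_list.get("items", [])}
    return (resource["kind"], resource["metadata"]["name"]) not in targets

def evaluate(resources, hpa_list):
    """Map 'Kind/name' to whether each check would flag the resource."""
    return {f'{r["kind"]}/{r["metadata"]["name"]}':
            {"policy": policy_flags(r, hpa_list), "strict": strict_flags(r, hpa_list)}
            for r in resources}

if __name__ == "__main__":
    for key, verdict in evaluate(RESOURCES, HPA_LIST).items():
        print(f'{key:28} policy={verdict["policy"]!s:5} strict={verdict["strict"]}')
```

The Deployment named `db` passes the name-only check because an HPA targets a StatefulSet with the same name, and the ReplicaSet is flagged under both checks because no HPA names it directly.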