Back to Policies

Check PodDisruptionBudget minAvailable

When a Pod controller which can run multiple replicas is subject to an active PodDisruptionBudget, if the replicas field has a value equal to the minAvailable value of the PodDisruptionBudget it may prevent voluntary disruptions including Node drains which may impact routine maintenance tasks and disrupt operations. This policy checks incoming Deployments and StatefulSets which have a matching PodDisruptionBudget to ensure these two values do not match.

View on GitHub

Policy Definition 

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: pdb-minavailable-check
  annotations:
    policies.kyverno.io/title: Check PodDisruptionBudget minAvailable
    policies.kyverno.io/category: Other
    kyverno.io/kyverno-version: 1.9.0
    kyverno.io/kubernetes-version: "1.24"
    policies.kyverno.io/subject: PodDisruptionBudget, Deployment, StatefulSet
    policies.kyverno.io/description: When a Pod controller which can run multiple replicas is subject to an active PodDisruptionBudget, if the replicas field has a value equal to the minAvailable value of the PodDisruptionBudget it may prevent voluntary disruptions including Node drains which may impact routine maintenance tasks and disrupt operations. This policy checks incoming Deployments and StatefulSets which have a matching PodDisruptionBudget to ensure these two values do not match.
spec:
  validationFailureAction: Audit
  background: false
  rules:
    - name: pdb-minavailable
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
      preconditions:
        all:
          - key: "{{request.operation || 'BACKGROUND'}}"
            operator: AnyIn
            value:
              - CREATE
              - UPDATE
          - key: "{{ request.object.spec.replicas || `1` }}"
            operator: GreaterThan
            value: 0
      context:
        - name: minavailable
          apiCall:
            urlPath: /apis/policy/v1/namespaces/{{request.namespace}}/poddisruptionbudgets
            jmesPath: items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | [0] | spec.minAvailable || `0`
      validate:
        message: The matching PodDisruptionBudget for this resource has its minAvailable value equal to the replica count which is not permitted.
        deny:
          conditions:
            any:
              - key: "{{ request.object.spec.replicas }}"
                operator: Equals
                value: "{{ minavailable }}"

Related Policies

ValidateMedium

Prevent Use of Default Project

This policy prevents the use of the default project in an Application.

Application
ValidateMedium

Prevent Updates to Project

This policy prevents updates to the project field after an Application is created.

Application
ValidateMedium

Ensure ApplicationSet Name Matches Project

This policy ensures that the name of the ApplicationSet is the same value provided in the project.

ApplicationSet