Require PodDisruptionBudget

PodDisruptionBudget resources are useful for ensuring that minimum availability is maintained at all times. This policy checks all incoming Deployments to ensure they have a matching, preexisting PodDisruptionBudget.

Policy Definition

/other/require_pdb.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-pdb
  annotations:
    policies.kyverno.io/title: Require PodDisruptionBudget
    policies.kyverno.io/category: Sample
    policies.kyverno.io/minversion: 1.3.6
    policies.kyverno.io/subject: Deployment, PodDisruptionBudget
    policies.kyverno.io/description: >-
      PodDisruptionBudget resources are useful to ensuring minimum availability
      is maintained at all times. This policy checks all incoming Deployments
      to ensure they have a matching, preexisting PodDisruptionBudget.
spec:
  validationFailureAction: audit  # violations are reported, not blocked
  background: false  # admission requests only; existing Deployments are not scanned
  rules:
  - name: require-pdb
    match:
      resources:
        kinds:
        - Deployment
    preconditions:
      any:
      - key: "{{request.operation}}"
        operator: Equals
        value: CREATE
    context:
    - name: pdb_count
      apiCall:
        # policy/v1beta1 was removed in Kubernetes 1.25; newer clusters serve
        # PodDisruptionBudgets under /apis/policy/v1 instead.
        urlPath: "/apis/policy/v1beta1/namespaces/{{request.namespace}}/poddisruptionbudgets"
        jmesPath: "items[?label_match(spec.selector.matchLabels, `{{request.object.spec.template.metadata.labels}}`)] | length(@)"
    validate:
      message: "There is no corresponding PodDisruptionBudget found for this Deployment."
      deny:
        conditions:
          any:
          - key: "{{pdb_count}}"
            operator: LessThan
            value: 1
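
The manifests below are an added example for exercising the policy above, not part of the original policy file. They assume a namespace named demo already exists and that the cluster still serves policy/v1beta1, the API version the policy queries; every name, label and image is a constructed placeholder.

```yaml
# Create the PodDisruptionBudget first: the rule only checks Deployment CREATE requests.
apiVersion: policy/v1beta1  # the API version listed by the policy's urlPath
kind: PodDisruptionBudget
metadata:
  name: web-pdb
  namespace: demo
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: web
---
# Passes: web-pdb is in the same namespace and selects the pod template label app=web.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
  namespace: demo
spec:
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: web
        image: registry.example.com/web:1.0  # placeholder image
---
# Flagged: no PodDisruptionBudget in demo selects app=api, so pdb_count is 0.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
  namespace: demo
spec:
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
      - name: api
        image: registry.example.com/api:1.0  # placeholder image
```

Because validationFailureAction is audit, the api Deployment is still admitted and the violation is only reported.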