Verify VerticalPodAutoscaler Target
VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods. It requires defining a specific target resource by kind and name. There are no built-in validation checks by the VPA controller to ensure that the target resource exists or that the target kind is specified correctly. This policy contains two rules, the first of which verifies that the kind is specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet, which helps avoid typos. The second rule verifies that the target resource exists before allowing the VPA to be created.
Policy Definition
/other/verify-vpa-target/verify-vpa-target.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-vpa-target
  annotations:
    policies.kyverno.io/title: Verify VerticalPodAutoscaler Target
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    kyverno.io/kyverno-version: 1.11.4
    kyverno.io/kubernetes-version: "1.27"
    policies.kyverno.io/subject: VerticalPodAutoscaler
    policies.kyverno.io/description: >-
      VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods.
      It requires defining a specific target resource by kind and name. There are no built-in
      validation checks by the VPA controller to ensure that the target resource exists or that the target
      kind is specified correctly. This policy contains two rules, the first of which verifies that the
      kind is specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet, which helps avoid typos.
      The second rule verifies that the target resource exists before allowing the VPA to be created.
spec:
  validationFailureAction: Audit
  background: false
  rules:
  - name: verify-kind-name
    match:
      any:
      - resources:
          kinds:
          - VerticalPodAutoscaler
          operations:
          - CREATE
    validate:
      message: >-
        The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet.
      pattern:
        spec:
          targetRef:
            kind: Deployment | StatefulSet | ReplicaSet | DaemonSet
  - name: check-targetref
    match:
      any:
      - resources:
          kinds:
          - VerticalPodAutoscaler
          operations:
          - CREATE
    preconditions:
      all:
      - key:
        - Deployment
        - StatefulSet
        - ReplicaSet
        - DaemonSet
        operator: AnyIn
        value: "{{ request.object.spec.targetRef.kind }}"
    context:
    # Builds a mapping of the target kind to the plural form of the resource to be used in the API call.
    - name: map
      variable:
        value:
          Deployment: deployments
          StatefulSet: statefulsets
          ReplicaSet: replicasets
          DaemonSet: daemonsets
    - name: targetkind
      variable:
        jmesPath: request.object.spec.targetRef.kind
    - name: targets
      apiCall:
        urlPath: "/apis/apps/v1/namespaces/{{ request.namespace }}/{{ map.{{targetkind}} }}"
        jmesPath: "items[].metadata.name"
    validate:
      message: >-
        The target {{ request.object.spec.targetRef.kind }} named
        {{ request.object.spec.targetRef.name }} does not exist in the
        {{ request.namespace }} namespace.
      deny:
        conditions:
          all:
          - key: "{{ request.object.spec.targetRef.name }}"
            operator: AnyNotIn
            value: "{{ targets }}"
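To make the two rules' decision logic concrete without a cluster, the following added example (not Kyverno code and not part of the policy above) re-implements them in plain Python: the exact-match kind check of verify-kind-name, and the kind-to-plural mapping plus namespace-scoped existence lookup of check-targetref. The `SAMPLE_INVENTORY` dict is a constructed stand-in for what the policy's `apiCall` to `/apis/apps/v1/namespaces/<ns>/<plural>` would return via `items[].metadata.name`; the `make_vpa` helper and its field values are assumptions for illustration.

```python
"""Offline model of the two rules in the verify-vpa-target policy.

Added example: reproduces the policy's decisions on constructed inputs
so the behaviour can be checked without a cluster or Kyverno itself.
"""
from typing import Dict, List, Optional

# Mirrors `kind: Deployment | StatefulSet | ReplicaSet | DaemonSet` (rule 1,
# case-sensitive exact match) and the kind -> plural `map` variable (rule 2).
ALLOWED_KINDS = ("Deployment", "StatefulSet", "ReplicaSet", "DaemonSet")
KIND_TO_PLURAL = {
    "Deployment": "deployments",
    "StatefulSet": "statefulsets",
    "ReplicaSet": "replicasets",
    "DaemonSet": "daemonsets",
}

# Constructed inventory: namespace -> plural resource -> names that "exist".
# Stands in for the `items[].metadata.name` list the apiCall would return.
Inventory = Dict[str, Dict[str, List[str]]]
SAMPLE_INVENTORY: Inventory = {
    "payments": {"deployments": ["api", "worker"], "statefulsets": ["db"]},
    "default": {"deployments": ["nginx"]},
}


def make_vpa(kind: str, name: str) -> dict:
    """Constructed VPA manifest (hypothetical helper, not from the page)."""
    return {
        "apiVersion": "autoscaling.k8s.io/v1",
        "kind": "VerticalPodAutoscaler",
        "metadata": {"name": f"{name}-vpa"},
        "spec": {
            "targetRef": {"apiVersion": "apps/v1", "kind": kind, "name": name},
            "updatePolicy": {"updateMode": "Auto"},
        },
    }


def rule_verify_kind_name(vpa: dict) -> Optional[str]:
    """Rule 1: targetRef.kind must exactly equal one of the four kinds.

    A missing kind also fails, as a Kyverno pattern requires the key to exist.
    """
    kind = vpa.get("spec", {}).get("targetRef", {}).get("kind")
    if kind not in ALLOWED_KINDS:
        return ("The target kind must be specified exactly as "
                "Deployment, StatefulSet, ReplicaSet, or DaemonSet.")
    return None


def rule_check_targetref(vpa: dict, namespace: str, inventory: Inventory) -> Optional[str]:
    """Rule 2: the named target must exist in the request's own namespace.

    The `AnyIn` precondition means the rule is skipped for kinds that rule 1
    already rejects, so a mistyped kind produces one message, not two.
    """
    target = vpa.get("spec", {}).get("targetRef", {})
    kind, name = target.get("kind"), target.get("name")
    if kind not in KIND_TO_PLURAL:  # precondition not met: rule does not apply
        return None
    # Only the request namespace is listed; a target elsewhere is "missing".
    existing = inventory.get(namespace, {}).get(KIND_TO_PLURAL[kind], [])
    if name not in existing:  # AnyNotIn: the name is absent from `targets`
        return (f"The target {kind} named {name} does not exist in the "
                f"{namespace} namespace.")
    return None


def admit_vpa(vpa: dict, namespace: str, inventory: Inventory) -> List[str]:
    """Evaluate both rules on CREATE; an empty list means the VPA is admitted."""
    failures = []
    for msg in (rule_verify_kind_name(vpa),
                rule_check_targetref(vpa, namespace, inventory)):
        if msg:
            failures.append(msg)
    return failures


if __name__ == "__main__":
    cases = [
        (make_vpa("Deployment", "api"), "payments"),   # admitted
        (make_vpa("deployment", "api"), "payments"),   # typo in kind: rule 1
        (make_vpa("Deployment", "api"), "default"),    # wrong namespace: rule 2
        (make_vpa("StatefulSet", "api"), "payments"),  # api is not a StatefulSet
    ]
    for vpa, ns in cases:
        result = admit_vpa(vpa, ns, SAMPLE_INVENTORY) or ["admitted"]
        print(f"{ns}/{vpa['metadata']['name']}: {result}")
```

Two points the model makes visible: the existence lookup is scoped to `request.namespace`, so a target that exists in another namespace is still rejected, and the kind check is an exact string match, so `deployment` fails rule 1 while rule 2 is skipped by its precondition. As deployed above, the policy runs with `validationFailureAction: Audit`, so these failures are reported rather than blocking the request until the action is switched to Enforce.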