Add policy Ensure HPA for Deployments (#1080)
* added policy to check HPA

Signed-off-by: anuddeeph1 <anudeep.nalla@nirmata.com>

* deleted .chainsaw.yaml

Signed-off-by: anuddeeph1 <anudeep.nalla@nirmata.com>

* modified changes in policies

Signed-off-by: anuddeeph1 <anudeep.nalla@nirmata.com>

* modified subject in check-hpa-exists.yaml

Signed-off-by: anuddeeph1 <anudeep.nalla@nirmata.com>

* modified subject in artifacthub-pkg.yml

Signed-off-by: anuddeeph1 <anudeep.nalla@nirmata.com>

---------

Signed-off-by: anuddeeph1 <anudeep.nalla@nirmata.com>
Co-authored-by: Chip Zoller <chipzoller@gmail.com>
anuddeeph1 and chipzoller authored Aug 6, 2024
1 parent 530fc9d commit 3dd9aa6
Showing 7 changed files with 171 additions and 0 deletions.
@@ -0,0 +1,6 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-hpa-exists
status:
ready: true
32 changes: 32 additions & 0 deletions other/check-hpa-exists/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,32 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
apiVersion: chainsaw.kyverno.io/v1alpha1
kind: Test
metadata:
name: check-hpa-exists
spec:
steps:
- name: step-01
try:
- apply:
file: ../check-hpa-exists.yaml
- patch:
resource:
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-hpa-exists
spec:
validationFailureAction: Enforce
- assert:
file: chainsaw-step-01-assert-1.yaml
- name: step-02
try:
- apply:
file: hpa.yaml
- apply:
file: deployment-with-hpa-good.yaml
- apply:
expect:
- check:
($error != null): true
file: deployment-without-hpa-bad.yaml
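Review bot: step-02 proves only that the good Deployment is admitted and the bad one is rejected; it never checks that the admitted Deployment actually rolls out, and it exercises none of the other three kinds the policy matches (ReplicaSet, StatefulSet, DaemonSet). Add an `assert` after the `deployment-with-hpa-good.yaml` apply on the Deployment's `status.availableReplicas` (or `readyReplicas`), so that a policy that denies the controller-created ReplicaSet under `Enforce` is caught here rather than in a cluster. Add a StatefulSet fixture with its own HPA, and a DaemonSet fixture with an explicit expectation, since no HPA can target a DaemonSet and the test should record what the policy is meant to do with one. The update path the description mentions is also untested; deleting `hpa.yaml` and then patching the good Deployment, expecting `($error != null): true`, would cover it.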
@@ -0,0 +1,29 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-uses-hpa
labels:
app: httpd-app
spec:
replicas: 1
selector:
matchLabels:
app: httpd-app
template:
metadata:
labels:
app: httpd-app
spec:
containers:
- name: httpd-container
image: httpd:latest
ports:
- containerPort: 80
resources:
requests:
cpu: "10m"
memory: "12Mi"
limits:
cpu: "25m"
memory: "25Mi"
@@ -0,0 +1,28 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: deployment-without-hpa
labels:
app: app-without-hpa
spec:
replicas: 1
selector:
matchLabels:
app: app-without-hpa
template:
metadata:
labels:
app: app-without-hpa
spec:
containers:
- name: nginx-container
image: nginx:latest
ports:
- containerPort: 80
resources:
requests:
cpu: "10m"
memory: "12Mi"
limits:
cpu: "25m"
memory: "25Mi"
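Review bot: this negative fixture differs from deployment-with-hpa-good.yaml in more than the property under test: the name, the labels, the container name and the image all change, and the leading `---` document marker is dropped. A reader (or a future regression) cannot tell from the files alone that the rejection is caused by the missing HPA. Keep the two fixtures identical apart from `metadata.name` and the absent HPA, and pin the image tag instead of `nginx:latest` so the fixture does not drift with the registry.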
11 changes: 11 additions & 0 deletions other/check-hpa-exists/.chainsaw-test/hpa.yaml
@@ -0,0 +1,11 @@
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
name: httpd-deployment
spec:
maxReplicas: 3
minReplicas: 1
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: deployment-uses-hpa
21 changes: 21 additions & 0 deletions other/check-hpa-exists/artifacthub-pkg.yml
@@ -0,0 +1,21 @@
name: check-hpa-exists
version: 1.0.0
displayName: Ensure HPA for Deployments
createdAt: "2024-07-19T13:02:58Z"
description: >-
This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the resource and denies the creation or update of the resource if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently.
install: |-
```shell
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/check-hpa-exists/check-hpa-exists.yaml
```
keywords:
- kyverno
- Other
readme: |
This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace. The policy checks for the presence of an HPA that targets the resource and denies the creation or update of the resource if no such HPA exists. This policy helps enforce scaling practices and ensures that resources are managed efficiently.
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
annotations:
kyverno/category: "Other"
kyverno/kubernetesVersion: "1.28"
kyverno/subject: "Deployment,ReplicaSet,StatefulSet,DaemonSet"
digest: 4b4c29dcaa05ad8967b2d1707c882aca05e622be135dff2e5c0c2decce3047c8
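Review bot: the `description` and `readme` say the policy "denies the creation or update of the resource", but check-hpa-exists.yaml in this same commit ships with `validationFailureAction: Audit`, in which mode the `deny` rule only produces a report entry; state that blocking requires `Enforce`. `displayName: Ensure HPA for Deployments` is also narrower than `kyverno/subject`, which lists ReplicaSet, StatefulSet and DaemonSet as well; either the title or the subject should change. The text should also spell out the ordering the test relies on (hpa.yaml is applied before the Deployment): the HPA must already exist when the workload is admitted, because the rule lists HPAs at admission time and an HPA may legally reference a workload that does not exist yet.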
44 changes: 44 additions & 0 deletions other/check-hpa-exists/check-hpa-exists.yaml
@@ -0,0 +1,44 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-hpa-exists
annotations:
policies.kyverno.io/title: Ensure HPA for Deployments
policies.kyverno.io/category: Other
policies.kyverno.io/severity: medium
kyverno.io/kyverno-version: 1.11.0
policies.kyverno.io/minversion: 1.9.0
kyverno.io/kubernetes-version: "1.28"
policies.kyverno.io/subject: Deployment,ReplicaSet,StatefulSet,DaemonSet
policies.kyverno.io/description: >-
This policy ensures that Deployments, ReplicaSets, StatefulSets, and DaemonSets are only allowed
if they have a corresponding Horizontal Pod Autoscaler (HPA) configured in the same namespace.
The policy checks for the presence of an HPA that targets the resource and denies the creation or update
of the resource if no such HPA exists. This policy helps enforce scaling practices
and ensures that resources are managed efficiently.
spec:
validationFailureAction: Audit
background: true
rules:
- name: validate-hpa
match:
any:
- resources:
kinds:
- Deployment
- ReplicaSet
- StatefulSet
- DaemonSet
context:
- name: hpas
apiCall:
urlPath: "/apis/autoscaling/v1/namespaces/{{ request.namespace }}/horizontalpodautoscalers"
jmesPath: "items[].spec.scaleTargetRef.name"
validate:
message: "Deployment is not allowed without a corresponding HPA."
deny:
conditions:
all:
- key: "{{ request.object.metadata.name }}"
operator: AnyNotIn
value: "{{ hpas }}"
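Review bot: the `kinds` list in `match` makes the rule unsatisfiable for two of the four kinds, and the `deny` condition is looser than the description promises. DaemonSets expose no scale subresource, so no HPA can ever target one; under `validationFailureAction: Enforce` every DaemonSet outside Kyverno's excluded namespaces is rejected. Matching ReplicaSet directly also fires on the ReplicaSets the Deployment controller creates, whose generated names never appear in any HPA's `scaleTargetRef.name`, so a Deployment that passes the check still cannot roll out in Enforce mode (the chainsaw test does not see this because it asserts nothing on the Deployment's status). Suggest removing DaemonSet and ReplicaSet from `kinds`, or, if ReplicaSet must stay, excluding objects that carry `metadata.ownerReferences`. Separately, the context reduces each HPA to `items[].spec.scaleTargetRef.name` and the condition compares names only, so an HPA targeting a StatefulSet named `web` satisfies the check for a Deployment named `web`; keep `spec.scaleTargetRef` whole and compare on `kind` as well as `name`, scoped to `{{ request.object.kind }}`. The message "Deployment is not allowed without a corresponding HPA." is emitted for all four kinds; use `{{ request.object.kind }}/{{ request.object.metadata.name }}` so audit reports name the offending resource. Finally, `AnyNotIn` on a scalar key works, but `NotIn` states the intent more plainly.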

0 comments on commit 3dd9aa6