kyverno · chipzoller · Mar 11, 2024 · Mar 9, 2024 · Mar 9, 2024 · Mar 9, 2024
diff --git a/.chainsaw/crds/vpa.yaml b/.chainsaw/crds/vpa.yaml
diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/bad.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/bad.yaml
@@ -0,0 +1,23 @@
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: new-bad01
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: busybox
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: new-bad02
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    name: nginx
+  updatePolicy:
+    updateMode: Auto
diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/chainsaw-test.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: prevent-duplicate-vpa
+spec:
+  steps:
+  - name: 01 - Create policy and Enforce
+    try:
+    - apply:
+        file: ../prevent-duplicate-vpa.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: prevent-duplicate-vpa
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: 02 - Create some unique VPAs
+    try:
+    - apply:
+        file: prereq.yaml
+  - name: 03 - Try to create duplicate VPAs
+    try:
+    - apply:
+        file: bad.yaml
+        expect:
+        - check:
+            ($error != null): true
+  - name: 04 - Create new unique VPAs
+    try:
+    - apply:
+        file: good.yaml
diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/good.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/good.yaml
@@ -0,0 +1,35 @@
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: new-good01
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: redis
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: new-good02
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    name: circleci
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: new-good03
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: DaemonSet
+    name: foobar
+  updatePolicy:
+    updateMode: Auto
diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: prevent-duplicate-vpa
+status:
+  ready: true
diff --git a/other/prevent-duplicate-vpa/.chainsaw-test/prereq.yaml b/other/prevent-duplicate-vpa/.chainsaw-test/prereq.yaml
@@ -0,0 +1,23 @@
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: exist01
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: busybox
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: exist02
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    name: nginx
+  updatePolicy:
+    updateMode: Auto
diff --git a/other/prevent-duplicate-vpa/artifacthub-pkg.yml b/other/prevent-duplicate-vpa/artifacthub-pkg.yml
@@ -0,0 +1,34 @@
+name: prevent-duplicate-vpa
+version: 1.0.0
+displayName: Prevent Duplicate VerticalPodAutoscalers
+createdAt: "2024-03-09T18:01:00.000Z"
+description: >-
+  VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods.
+  It requires defining a specific target resource by kind and name. There are no built-in
+  validation checks by the VPA controller to prevent the creation of multiple VPAs which target
+  the same resource. This policy has two rules, the first of which ensures that the only targetRef
+  kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second
+  prevents the creation of duplicate VPAs by validating that any
+  new VPA targets a unique resource.
+install: |-
+  ```shell
+  kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml
+  ```
+keywords:
+  - kyverno
+  - other
+readme: |
+  VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods.
+  It requires defining a specific target resource by kind and name. There are no built-in
+  validation checks by the VPA controller to prevent the creation of multiple VPAs which target
+  the same resource. This policy has two rules, the first of which ensures that the only targetRef
+  kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second
+  prevents the creation of duplicate VPAs by validating that any
+  new VPA targets a unique resource.
+
+  Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/
+annotations:
+  kyverno/category: "Other"
+  kyverno/kubernetesVersion: "1.27"
+  kyverno/subject: "VerticalPodAutoscaler"
+digest: 3248de8dad0cc893c92c10a8c2a1a809817a17ead98a8120c8fabdec57035134
diff --git a/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml b/other/prevent-duplicate-vpa/prevent-duplicate-vpa.yaml
@@ -0,0 +1,71 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: prevent-duplicate-vpa
+  annotations:
+    policies.kyverno.io/title: Prevent Duplicate VerticalPodAutoscalers
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    kyverno.io/kyverno-version: 1.11.4
+    kyverno.io/kubernetes-version: "1.27"
+    policies.kyverno.io/subject: VerticalPodAutoscaler
+    policies.kyverno.io/description: >-
+      VerticalPodAutoscaler (VPA) is useful to automatically adjust the resources assigned to Pods.
+      It requires defining a specific target resource by kind and name. There are no built-in
+      validation checks by the VPA controller to prevent the creation of multiple VPAs which target
+      the same resource. This policy has two rules, the first of which ensures that the only targetRef
+      kinds accepted are one of either Deployment, StatefulSet, ReplicaSet, or DaemonSet. The second
+      prevents the creation of duplicate VPAs by validating that any
+      new VPA targets a unique resource.
+spec:
+  validationFailureAction: Audit
+  background: false
+  rules:
+  - name: verify-kind-name-duplicates
+    match:
+      any:
+      - resources:
+          kinds:
+          - VerticalPodAutoscaler
+          operations:
+          - CREATE
+    validate:
+      message: >-
+        The target kind must be specified exactly as Deployment, StatefulSet, ReplicaSet, or DaemonSet.
+      pattern:
+        spec:
+          targetRef:
+            kind: Deployment | StatefulSet | ReplicaSet | DaemonSet
+  - name: check-targetref-duplicates
+    match:
+      any:
+      - resources:
+          kinds:
+          - VerticalPodAutoscaler
+          operations:
+          - CREATE
+    preconditions:
+      all:
+      - key:
+        - Deployment
+        - StatefulSet
+        - ReplicaSet
+        - DaemonSet
+        operator: AnyIn
+        value: "{{ request.object.spec.targetRef.kind }}"
+    context:
+    - name: targets
+      apiCall:
+        urlPath: "/apis/autoscaling.k8s.io/v1/namespaces/{{ request.namespace }}/verticalpodautoscalers"
+        jmesPath: "items[?spec.targetRef.kind=='{{ request.object.spec.targetRef.kind }}'].spec.targetRef.name"
+    validate:
+      message: >-
+        The target {{ request.object.spec.targetRef.kind }} named
+        {{ request.object.spec.targetRef.name }} already has an existing
+        VPA configured for it. Duplicate VPAs are not allowed.
+      deny:
+        conditions:
+          all:
+          - key: "{{ request.object.spec.targetRef.name }}"
+            operator: AnyIn
+            value: "{{ targets }}"
diff --git a/other/verify-vpa-target/.chainsaw-test/bad.yaml b/other/verify-vpa-target/.chainsaw-test/bad.yaml
@@ -0,0 +1,60 @@
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: bad01
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Foo
+    name: foobar
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: bad02
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: deployment
+    name: foobar
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: bad03
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: nothere
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: bad04
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: DaemonSet
+    name: busybox
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: bad05
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    name: busybox
+  updatePolicy:
+    updateMode: Auto
+---
diff --git a/other/verify-vpa-target/.chainsaw-test/chainsaw-test.yaml b/other/verify-vpa-target/.chainsaw-test/chainsaw-test.yaml
@@ -0,0 +1,36 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: verify-vpa-target
+spec:
+  steps:
+  - name: 01 - Create policy and Enforce
+    try:
+    - apply:
+        file: ../verify-vpa-target.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: verify-vpa-target
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: policy-ready.yaml
+  - name: 02 - Create the prerequisite Pod controllers
+    try:
+    - apply:
+        file: prereq.yaml
+  - name: 03 - Try to create bad VPAs
+    try:
+    - apply:
+        file: bad.yaml
+        expect:
+        - check:
+            ($error != null): true
+  - name: 04 - Create good VPAs
+    try:
+    - apply:
+        file: good.yaml
diff --git a/other/verify-vpa-target/.chainsaw-test/good.yaml b/other/verify-vpa-target/.chainsaw-test/good.yaml
@@ -0,0 +1,36 @@
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: good01
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: busybox
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: good02
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: DaemonSet
+    name: ds-busybox
+  updatePolicy:
+    updateMode: Auto
+---
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: good03
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    name: ss-busybox
+  updatePolicy:
+    updateMode: Auto
+---
diff --git a/other/verify-vpa-target/.chainsaw-test/policy-ready.yaml b/other/verify-vpa-target/.chainsaw-test/policy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: verify-vpa-target
+status:
+  ready: true