Scale Deployment to Zero
If a Deployment's Pods are seen crashing multiple times it usually indicates there is an issue that must be manually resolved. Removing the failing Pods and marking the Deployment is often a useful troubleshooting step. This policy watches existing Pods and if any are observed to have restarted more than once, indicating a potential crashloop, Kyverno scales its parent deployment to zero and writes an annotation signaling to an SRE team that troubleshooting is needed. It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments.
Policy Definition
/other/scale_deployment_zero/scale_deployment_zero.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: scale-deployment-zero
  annotations:
    policies.kyverno.io/title: Scale Deployment to Zero
    policies.kyverno.io/category: other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Deployment
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      If a Deployment's Pods are seen crashing multiple times it usually indicates
      there is an issue that must be manually resolved. Removing the failing Pods and
      marking the Deployment is often a useful troubleshooting step. This policy watches
      existing Pods and if any are observed to have restarted more than
      once, indicating a potential crashloop, Kyverno scales its parent deployment to zero
      and writes an annotation signaling to an SRE team that troubleshooting is needed.
      It may be necessary to grant additional privileges to the Kyverno ServiceAccount,
      via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments.
spec:
  rules:
  - name: annotate-deployment-rule
    match:
      any:
      - resources:
          kinds:
          - v1/Pod.status
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: UPDATE
      - key: "{{request.object.status.containerStatuses[0].restartCount}}"
        operator: GreaterThan
        value: 1
    context:
    - name: rsname
      variable:
        jmesPath: "request.object.metadata.ownerReferences[0].name"
        default: ''
    - name: deploymentname
      apiCall:
        urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/replicasets"
        jmesPath: "items[?metadata.name=='{{rsname}}'].metadata.ownerReferences[0].name | [0]"
    mutate:
      targets:
      - apiVersion: apps/v1
        kind: Deployment
        name: "{{deploymentname}}"
        namespace: "{{request.namespace}}"
      patchStrategicMerge:
        metadata:
          annotations:
            sre.corp.org/troubleshooting-needed: "true"
        spec:
          replicas: 0
```
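To see how the rule above chains from a Pod status update to a Deployment patch, here is an added Python walkthrough that mirrors the policy's preconditions, the two context lookups (Pod -> owning ReplicaSet -> owning Deployment) and the resulting `patchStrategicMerge`. It is example code written for this page, not part of Kyverno or the policy library: the Pod and ReplicaSet objects are constructed sample data, the owner lookup is done with plain dictionary traversal rather than JMESPath, and the function names (`evaluate_policy`, `owner_deployment_name`, etc.) are this example's own.

```python
"""Trace the scale-deployment-zero decision chain over constructed objects.

Added example for this page; not Kyverno code. The lookups below mimic the
JMESPath expressions in the policy with plain dict traversal.
"""

ANNOTATION = "sre.corp.org/troubleshooting-needed"  # key the policy writes


def preconditions_pass(pod, operation):
    """Mirror the rule's preconditions: operation must be UPDATE and the
    FIRST container's restartCount must be greater than 1."""
    if operation != "UPDATE":
        return False
    statuses = pod.get("status", {}).get("containerStatuses", [])
    if not statuses:  # containerStatuses[0] would be null in JMESPath
        return False
    return statuses[0].get("restartCount", 0) > 1


def owner_replicaset_name(pod):
    """Mirror context 'rsname': ownerReferences[0].name, default ''."""
    refs = pod.get("metadata", {}).get("ownerReferences", [])
    return refs[0].get("name", "") if refs else ""


def owner_deployment_name(rs_name, replicasets):
    """Mirror context 'deploymentname': find the ReplicaSet by name in the
    namespace listing and return its first owner's name (None if absent)."""
    for rs in replicasets:
        if rs["metadata"].get("name") == rs_name:
            refs = rs["metadata"].get("ownerReferences", [])
            return refs[0].get("name") if refs else None
    return None


def build_patch(deployment_name, namespace):
    """Mirror the mutate target plus patchStrategicMerge body."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {
            "name": deployment_name,
            "namespace": namespace,
            "annotations": {ANNOTATION: "true"},
        },
        "spec": {"replicas": 0},
    }


def evaluate_policy(pod, replicasets, operation="UPDATE"):
    """Return the Deployment patch the policy would apply, or None if the
    rule would not fire (preconditions fail or no Deployment owner found)."""
    if not preconditions_pass(pod, operation):
        return None
    rs_name = owner_replicaset_name(pod)
    if not rs_name:
        return None
    deployment = owner_deployment_name(rs_name, replicasets)
    if deployment is None:
        return None
    return build_patch(deployment, pod["metadata"]["namespace"])


# Constructed sample objects (hypothetical names, not from a real cluster).
SAMPLE_POD = {
    "metadata": {
        "name": "web-7d9f8c6b4-abc12",
        "namespace": "shop",
        "ownerReferences": [{"kind": "ReplicaSet", "name": "web-7d9f8c6b4"}],
    },
    "status": {"containerStatuses": [{"name": "web", "restartCount": 3}]},
}
SAMPLE_REPLICASETS = [
    {"metadata": {"name": "web-7d9f8c6b4",
                  "ownerReferences": [{"kind": "Deployment", "name": "web"}]}},
    {"metadata": {"name": "api-5c9d7f8b2",
                  "ownerReferences": [{"kind": "Deployment", "name": "api"}]}},
]

if __name__ == "__main__":
    print(evaluate_policy(SAMPLE_POD, SAMPLE_REPLICASETS))
```

Running it prints the patch for Deployment `web` in namespace `shop` with `replicas: 0` and the troubleshooting annotation. Two edge cases worth knowing about when deploying the policy fall out of the walkthrough: the precondition reads only `containerStatuses[0]`, so a crashlooping sidecar that is not the first container in the list does not trigger the rule, and a bare Pod or a Pod owned by something other than a ReplicaSet yields no `deploymentname`, so no Deployment is touched.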