All Policies

Add safe-to-evict

The Kubernetes cluster autoscaler does not evict pods that use hostPath or emptyDir volumes. To allow eviction of these pods, the annotation cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to pods.

Policy Definition

/best-practices/add_safe_to_evict.yaml

 1apiVersion: kyverno.io/v1
 2kind: ClusterPolicy
 3metadata: 
 4  name: add-safe-to-evict
 5  annotations:
 6    policies.kyverno.io/title: Add safe-to-evict 
 7    policies.kyverno.io/category: Best Practices
 8    policies.kyverno.io/subject: Pod
 9    policies.kyverno.io/description: >-
10      The Kubernetes cluster autoscaler does not evict pods that use hostPath 
11      or emptyDir volumes. To allow eviction of these pods, the annotation 
12      cluster-autoscaler.kubernetes.io/safe-to-evict=true must be added to pods.       
13spec: 
14  rules: 
15  - name: annotate-empty-dir
16    match: 
17      resources: 
18        kinds: 
19        - Pod
20    mutate: 
21      patchStrategicMerge:
22        metadata:
23          annotations:
24            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
25        spec:          
26          volumes: 
27          - (emptyDir): {}
28  - name: annotate-host-path
29    match: 
30      resources: 
31        kinds: 
32        - Pod
33    mutate: 
34      patchStrategicMerge:
35        metadata:
36          annotations:
37            +(cluster-autoscaler.kubernetes.io/safe-to-evict): "true"
38        spec:          
39          volumes: 
40          - (hostPath):
41              path: "*"
Create policy issue