fix: invert deny condition logic in pdb policy

Open yashisrani opened this issue 4 months ago • 0 comments

Related issue #1662

Proposed Changes

This PR fixes a bug in the deployment-replicas-higher-than-pdb policy where the deny condition logic was inverted, causing it to work opposite of its intended purpose.

  • The policy's goal is to ensure a Deployment's replicas are greater than a PDB's minAvailable. However, the original rule was set to deny if minAvailable >= replicas. This is the inverse of the desired logic and resulted in:
    • Allowing bad configurations (e.g., replicas: 3, minAvailable: 3)
    • Potentially blocking good configurations.

This PR corrects the logic by:

  1. Flipping the JMESPath expressions in the deny condition:
    • key: is now {{ element.spec.replicas }} (Deployment replica count)
    • value: is now {{ request.object.spec.minAvailable }} (PDB minAvailable)
  2. Changing the operator from GreaterThanOrEquals to LessThanOrEquals

Checklist

  • [x] I have read the contributing guidelines.
  • [x] I have inspected the website preview for accuracy.
  • [x] I have signed off my issue.

yashisrani, Sep 09 '25 16:09
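A boundary check for a deny condition of this shape, added here as an illustration and not part of the PR or the Kyverno project: it compares a condition's decisions against the stated goal (replicas greater than minAvailable) over a small grid of values. The condition dictionaries, the plain integer comparison model, and the `STRICT` counter-example are assumptions made for the example.

```python
# Added example: Kyverno-style deny conditions modelled as plain integer
# comparisons (an assumption; Kyverno's own evaluation is not reproduced).
import operator

OPERATORS = {
    "GreaterThanOrEquals": operator.ge,
    "GreaterThan": operator.gt,
    "LessThanOrEquals": operator.le,
    "LessThan": operator.lt,
}

# Deny condition as described in the PR text after the change.
FIXED = {"key": "replicas", "operator": "LessThanOrEquals", "value": "minAvailable"}
# Constructed counter-example (not from the PR): strict operator at the boundary.
STRICT = {"key": "replicas", "operator": "LessThan", "value": "minAvailable"}


def denied(condition, replicas, min_available):
    """Return True when the deny condition matches, i.e. the request is blocked."""
    fields = {"replicas": replicas, "minAvailable": min_available}
    compare = OPERATORS[condition["operator"]]
    return compare(fields[condition["key"]], fields[condition["value"]])


def goal_met(replicas, min_available):
    """Policy goal stated in the PR: replicas must be greater than minAvailable."""
    return replicas > min_available


def mismatches(condition, limit=6):
    """List (replicas, minAvailable) pairs where the condition disagrees with the goal."""
    bad = []
    for replicas in range(limit):
        for min_available in range(limit):
            blocked = denied(condition, replicas, min_available)
            # A correct condition blocks exactly the requests that miss the goal.
            if blocked == goal_met(replicas, min_available):
                bad.append((replicas, min_available))
    return bad


if __name__ == "__main__":
    print("fixed :", mismatches(FIXED))
    print("strict:", mismatches(STRICT))
```

The strict variant disagrees with the goal only where replicas equals minAvailable, the same boundary as the `replicas: 3, minAvailable: 3` case named in the description.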