poddisruptionbudget ConstraintTemplate is not working with .spec.minAvailable == .spec.replicas to block pdb

[agoel0912]

We are trying to in place the Pod Disruption Budget ConstraintTemplate, following this doc:
https://open-policy-agent.github.io/gatekeeper-library/website/validation/poddisruptionbudget/
But PDB rule is not blocked with the constraint template above when we set .spec.minAvailable == .spec.replicas.

This is my sample pdb template:

`apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: pdb-gatekeeper-dex-eks-sample-test
namespace: eks-sample-app
labels:
app: pdb-gatekeeper-dex-eks-sample-test
owner: akhil
app.kubernetes.io/component: dex-server
app.kubernetes.io/name: pdb-gatekeeper-dex-eks-sample-test
app.kubernetes.io/part-of: gatekeeper
environment: dev-01
app.kubernetes.io/instance: pdb-gatekeeper-dex-eks-sample-test
app.kubernetes.io/version: v1.0
spec:
minAvailable: 1
selector:
matchLabels:
app.kubernetes.io/name: pdb-gatekeeper-dex-eks-sample-test
app.kubernetes.io/instance: pdb-gatekeeper-dex-eks-sample-test

`

`apiVersion: apps/v1
kind: Deployment
metadata:
name: pdb-gatekeeper-dex-eks-sample-test
namespace: eks-sample-app
labels:
owner: akhil
app.kubernetes.io/component: dex-server
app.kubernetes.io/name: pdb-gatekeeper-dex-eks-sample-test
app.kubernetes.io/part-of: gatekeeper
environment: dev-01
app.kubernetes.io/instance: pdb-gatekeeper-dex-eks-sample-test
app.kubernetes.io/version: v1.0
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: pdb-gatekeeper-dex-eks-sample-test
app.kubernetes.io/instance: pdb-gatekeeper-dex-eks-sample-test
template:
metadata:
labels:
app.kubernetes.io/name: pdb-gatekeeper-dex-eks-sample-test
app.kubernetes.io/instance: pdb-gatekeeper-dex-eks-sample-test
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
containers:
- name: nginx
image: public.ecr.aws/nginx/nginx:1.23
ports:
- name: http
containerPort: 80
imagePullPolicy: IfNotPresent
nodeSelector:
kubernetes.io/os: linux

`
Let me know what I am missing, to have this template to block pdb for below match condition?:

2. Deployment of PodDisruptionBudgets with .spec.minAvailable == .spec.replicas of the resource with replica subresource This will prevent PodDisruptionBudgets from blocking voluntary disruptions such as node draining.

[JaydipGabani]

@agoel0912 This policy requires on cluster PDBs to be synced. Here is how you can sync on cluster PDBs https://open-policy-agent.github.io/gatekeeper/website/docs/sync#replicating-data.

Additionally, this policy blocks Deployment and not PDB when a PDB for deployment exists where .spec.minAvailable == .spec.replicas is true. May be the description is misleading here, I can see how "Deployment of PDB" can be interpreted as "creating pdb" - do you want to open up a PR to fix it?

[stale]

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.