Rego Code to get pod count based on the label_key & label_value as "app":"nginx"

[hikkart]

Hello All,

Could anyone help me for the appropriate logic/code snippet on below scenario.

I need to get the existing pod count, based on the label_key & label_value in the cluster. So that I can limit the max pod count.

Example: if 3 pods with "app":"nginx" label are available in the cluster/namespace, i need to get the count as 3.

Do I need to use only data.inventory to get the existing pod count based on label or any other best option is available.
existing_pod_label_count := [label | label := data.inventory.namespace[_].v1.Pod[_].metadata.labels[label_key] == label_value]
Will Size of data.Inventory json object and traversing through that have any performance impact on the larger cluster with 60+ nodes.

Please suggest.

##sample constraint.yaml for limiting the pod count to 5.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyAll
metadata:
  name: deny-pods
spec:
  match:
     kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment"]
  parameters:
    label_key: "app"
    label_value: "nginx"
    max_count: 5

Thanks in advance.

[anderseknert]

Hi @hikkart! And sorry for the late response. As far as I can see, that should be enough. Did you try it out and find it working?

As for performance, I'd guess you're right that iterating over all pods in all namespaces would come with a cost linear to that of the number of pods.. but for admission control I wouldn't worry too much about it - even if it takes half a second, other things in the deployment are likely going to take longer anyway. It would of course be good to "guard" the loop so that it's only invoked when an actual pod is deployed, and not any resource type.