How to restrict replicas in a kubernetes namespace?

Question

On our dev Kubernetes cluster, we want to enforce all the applications to have only one replica. I understand we can achieve this during deployment time using either the kubectl scale --replicas=1 ... command or specifying replica:1 in the deployment.yml. But even with this configuration, nothing stops our developers to increase the number of replicas as they wish. We want to enforce configuration on the cluster side. Even if a user requests more than 1 replica, it should revert back to 1. Does anyone know how to achieve this? We looked at having a resource quota for pod counts, but that doesn't work in our scenario since it doesn't allow us to have multiple applications deployed in the namespace.

Answer 1

You should make use of Admission Controller to restrict the pod replicas to 1.

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized.

It contains two special controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. These execute the mutating and validating (respectively) admission control webhooks which are configured in the API.

The admission control process proceeds in two phases. In the first phase, mutating admission controllers are run. In the second phase, validating admission controllers are run. Note again that some of the controllers are both.

If any of the controllers in either phase reject the request, the entire request is rejected immediately and an error is returned to the end-user.