Pod Disruption Budget
Five PodDisruptionBudget examples covering minAvailable, maxUnavailable, percentage-based scaling, and StatefulSet protection for databases.
Overview
This template provides five PodDisruptionBudget (PDB) configurations covering the most common availability protection patterns: minAvailable with absolute count, minAvailable with percentage for auto-scaling workloads, maxUnavailable for large deployments, maxUnavailable with percentage, and StatefulSet protection for databases.
Security threat addressed: Without PDBs, Kubernetes can evict all pods simultaneously during node drains, cluster upgrades, or autoscaler scale-downs, causing complete service outages. PDBs ensure minimum availability during voluntary disruptions.
When to use: Apply to every production workload that requires high availability. Critical services (APIs, databases, payment systems) should always have PDBs.
Threat Model
- Availability protection: PDBs prevent Kubernetes from evicting too many pods at once during maintenance operations.
- Graceful degradation: Services remain operational during node drains, OS patches, and cluster upgrades.
- StatefulSet safety: Database pods are evicted one at a time, preserving quorum and preventing data loss.
MITRE ATT&CK:
- T1498 — Network Denial of Service: PDBs protect against availability impact from voluntary disruptions, ensuring service continuity.
Real-world scenario: A cluster admin runs kubectl drain on a node during maintenance. Without a PDB, all three replicas of your API service are evicted simultaneously, causing a 2-minute outage. With a PDB (minAvailable: 2), only one pod is evicted at a time.
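As an added illustration (not part of the template or of the k8s-security-pro project), the Python below models how the disruption controller turns minAvailable / maxUnavailable into disruptionsAllowed, and how unhealthyPodEvictionPolicy changes the eviction decision for a pod that is not Ready. The pod lists and replica counts are constructed inputs; the rounding of percentages (up, for both fields) follows the upstream controller.

```python
import math

def _scaled(value, total):
    """Resolve an int-or-percent field against `total`. The disruption
    controller rounds percentages up for minAvailable and maxUnavailable."""
    if isinstance(value, str) and value.endswith("%"):
        return math.ceil(total * int(value[:-1]) / 100)
    return int(value)

def pdb_status(pods, expected, min_available=None, max_unavailable=None):
    """Mirror the PDB status fields for the pods a selector matches.
    pods:     list of bools, True when the pod is Ready (constructed input)
    expected: replica count of the owning Deployment/StatefulSet
    Returns (desiredHealthy, currentHealthy, disruptionsAllowed)."""
    if (min_available is None) == (max_unavailable is None):
        raise ValueError("set exactly one of minAvailable or maxUnavailable")
    current_healthy = sum(1 for ready in pods if ready)
    if max_unavailable is not None:
        desired = max(expected - _scaled(max_unavailable, expected), 0)
    elif isinstance(min_available, str):
        desired = _scaled(min_available, expected)
    else:
        # An absolute minAvailable is compared against the selected pods,
        # not against the controller's declared scale.
        desired = int(min_available)
    allowed = max(current_healthy - desired, 0)
    return desired, current_healthy, allowed

def eviction_permitted(pod_ready, desired, current_healthy, allowed,
                       policy="IfHealthyBudget"):
    """Decide whether the Eviction API would admit one eviction request.
    A Ready pod always consumes budget. A pod that is not Ready is evictable
    under AlwaysAllow (the setting used in Example 1) regardless of budget,
    and under the default IfHealthyBudget only while the application is not
    already disrupted (currentHealthy >= desiredHealthy)."""
    if pod_ready:
        return allowed > 0
    if policy == "AlwaysAllow":
        return True
    return current_healthy >= desired

if __name__ == "__main__":
    # The drain scenario above: 3 replicas, all Ready, minAvailable: 2.
    print(pdb_status([True, True, True], 3, min_available=2))   # (2, 3, 1)
    # Percentage rounding: minAvailable 50% of 7 replicas requires 4.
    print(pdb_status([True] * 7, 7, min_available="50%"))       # (4, 7, 3)
    # StatefulSet database: maxUnavailable 1 with two members NotReady.
    d, c, a = pdb_status([True, False, False], 3, max_unavailable=1)
    print(d, c, a, eviction_permitted(False, d, c, a, "AlwaysAllow"))  # 2 1 0 True
```

The last case shows why the policy matters for databases: with IfHealthyBudget the same NotReady member could not be evicted until quorum was restored, whereas AlwaysAllow lets a drain remove it immediately.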
YAML Source
# EXAMPLE 1: minAvailable -- for critical services (3-replica deployment)
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: frontend-pdb
  namespace: production
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: frontend
  unhealthyPodEvictionPolicy: AlwaysAllow
# ... truncated -- get all 5 PDB patterns (percentage, maxUnavailable, StatefulSet)
# at k8s-security.pro/pricing
Get the complete template with percentage-based PDBs, maxUnavailable patterns, StatefulSet-specific PDBs for databases, and unhealthy pod eviction policies in the Enterprise tier.
Installation
kubectl:
kubectl apply -f 16_pod_disruption_budget.yaml
Helm:
helm install k8s-security ./charts/k8s-security -f values-prod.yaml
Kustomize:
kubectl apply -k kustomize/overlays/prod
Verification
# List all PDBs
kubectl get pdb -n production
# Check PDB status and disruptions allowed
kubectl describe pdb frontend-pdb -n production
# Verify PDB is protecting pods (should show ALLOWED DISRUPTIONS)
kubectl get pdb -n production -o wide
# Test with a drain (will respect PDB)
kubectl drain <node-name> --ignore-daemonsets --delete-emptydir-data
CIS Benchmark References
PodDisruptionBudgets are an availability best practice and are not covered by a specific CIS Benchmark control. They complement security controls by ensuring service continuity during maintenance operations.
MITRE ATT&CK References
- T1498 — Network Denial of Service: While PDBs do not prevent network-level DoS, they protect against availability loss from voluntary disruptions such as node drains and cluster upgrades.
Further Reading
- Kubernetes CIS Benchmark and SOC2 Compliance: A Practical Guide — Learn how PodDisruptionBudgets map to SOC2 availability criteria (A1.2) and disaster recovery requirements.
Get Full Access to This Template
This template is included in the Enterprise tier and above.