add karpenter do-not-disrupt policy for v1 #1421

Open
anushkaaaaaaaa wants to merge 1 commit into kyverno:main from anushkaaaaaaaa:feature/add-karpenter-donot-disrupt

@anushkaaaaaaaa

Related issue

Fixes #1191

Proposed Changes

Add a new Karpenter policy add-karpenter-donot-disrupt for Karpenter v1.0+.

Starting with Karpenter v1.0, the karpenter.sh/do-not-evict annotation has been replaced by karpenter.sh/do-not-disrupt. This policy mutates Jobs and CronJobs so that Pods spawned by them will contain the karpenter.sh/do-not-disrupt: true annotation, preventing Karpenter from disrupting nodes running these workloads.

Reference: https://karpenter.sh/v1.0/upgrading/v1-migration/

Checklist

  • I have read and followed the contributing guidelines
  • I have signed my commit with DCO
  • Tests have been added/updated

Copilot AI review requested due to automatic review settings January 29, 2026 06:29

Copilot AI left a comment

Pull request overview

Adds a new Kyverno policy to support Karpenter v1.x by applying the karpenter.sh/do-not-disrupt: true annotation to Pods created from Jobs and CronJobs, preventing Karpenter from disrupting nodes running those workloads.

Changes:

  • Introduces add-karpenter-donot-disrupt ClusterPolicy to mutate Job and CronJob pod templates with the new annotation.
  • Adds Artifact Hub package metadata for the new policy.
  • Adds Kyverno CLI tests and Chainsaw integration tests (resources + expected patched outputs).

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| karpenter/add-karpenter-donot-disrupt/artifacthub-pkg.yml | Adds Artifact Hub package metadata for the new policy. |
| karpenter/add-karpenter-donot-disrupt/add-karpenter-donot-disrupt.yaml | New ClusterPolicy mutating Jobs/CronJobs to add karpenter.sh/do-not-disrupt. |
| karpenter/add-karpenter-donot-disrupt/.kyverno-test/resource.yaml | Kyverno CLI test input resources (Job + CronJob). |
| karpenter/add-karpenter-donot-disrupt/.kyverno-test/patched01.yaml | Expected Kyverno CLI patched Job output. |
| karpenter/add-karpenter-donot-disrupt/.kyverno-test/patched02.yaml | Expected Kyverno CLI patched CronJob output. |
| karpenter/add-karpenter-donot-disrupt/.kyverno-test/kyverno-test.yaml | Kyverno CLI test harness configuration. |
| karpenter/add-karpenter-donot-disrupt/.chainsaw-test/chainsaw-test.yaml | Chainsaw test steps applying policy/resources and asserting outputs. |
| karpenter/add-karpenter-donot-disrupt/.chainsaw-test/policy-ready.yaml | Expected “policy ready” assertion manifest for Chainsaw. |
| karpenter/add-karpenter-donot-disrupt/.chainsaw-test/resource-others.yaml | Additional Chainsaw test inputs to validate overwriting existing annotation values. |
| karpenter/add-karpenter-donot-disrupt/.chainsaw-test/patched03.yaml | Expected Chainsaw patched Job output (with extra annotations preserved). |
| karpenter/add-karpenter-donot-disrupt/.chainsaw-test/patched04.yaml | Expected Chainsaw patched CronJob output (with extra annotations preserved). |

Comments suppressed due to low confidence (1)

karpenter/add-karpenter-donot-disrupt/artifacthub-pkg.yml:23

  • artifacthub-pkg.yml files in this repo include a digest field (for example, karpenter/add-karpenter-donot-evict/artifacthub-pkg.yml:23). This new package metadata is missing digest, which may break Artifact Hub packaging/validation. Please add the appropriate digest entry for this policy package, consistent with the other artifacthub-pkg.yml files.
annotations:
  kyverno/category: "Karpenter, EKS Best Practices"
  kyverno/kubernetesVersion: "1.23"
  kyverno/subject: "Pod"
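
A Python model of the mutation this pull request describes, added here as an example and not the PR's policy or test files: it sets the annotation on the pod template of Jobs and CronJobs (overwriting an existing value, keeping other annotations) and audits manifests for a missing value or the older do-not-evict annotation. The function names and sample manifests are assumptions constructed for illustration.

```python
import copy

ANNOTATION = "karpenter.sh/do-not-disrupt"  # Karpenter v1.0+ name, per the PR description
LEGACY = "karpenter.sh/do-not-evict"        # the annotation it replaced

# Path from the resource root to the pod template, per matched kind.
TEMPLATE_PATH = {
    "Job": ("spec", "template"),
    "CronJob": ("spec", "jobTemplate", "spec", "template"),
}

def mutate(resource):
    """Return a copy whose pod template carries do-not-disrupt: "true"."""
    path = TEMPLATE_PATH.get(resource.get("kind"))
    if path is None:
        return resource  # kind not matched: left untouched
    out = copy.deepcopy(resource)
    node = out
    for key in path + ("metadata", "annotations"):
        node[key] = node.get(key) or {}  # create missing or null levels
        node = node[key]
    node[ANNOTATION] = "true"  # overwrites any existing value, keeps other keys
    return out

def audit(resource):
    """Return findings for a Job/CronJob pod template; empty list means clean."""
    path = TEMPLATE_PATH.get(resource.get("kind"))
    if path is None:
        return []
    node = resource
    for key in path + ("metadata", "annotations"):
        node = (node or {}).get(key)
    annotations = node or {}
    findings = []
    if annotations.get(ANNOTATION) != "true":
        findings.append(f"{ANNOTATION} is {annotations.get(ANNOTATION)!r}, expected 'true'")
    if LEGACY in annotations:
        findings.append(f"{LEGACY} is still set")
    return findings

# Constructed sample manifests (not the PR's test resources).
JOB = {"kind": "Job", "metadata": {"name": "report"}, "spec": {"template": {
    "metadata": {"annotations": {ANNOTATION: "false", "team": "data"}}}}}
CRONJOB = {"kind": "CronJob", "metadata": {"name": "nightly"}, "spec": {
    "schedule": "0 2 * * *", "jobTemplate": {"spec": {"template": {
        "metadata": {"annotations": {LEGACY: "true"}}}}}}}

if __name__ == "__main__":
    for res in (JOB, CRONJOB):
        print(res["metadata"]["name"], audit(res), "->", audit(mutate(res)))
```

The annotation value is the string "true" because Kubernetes annotation values must be strings; an unquoted YAML boolean fails API validation.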


Signed-off-by: Anushka Sharan <anushkasharan05@gmail.com>
@anushkaaaaaaaa anushkaaaaaaaa force-pushed the feature/add-karpenter-donot-disrupt branch from fe18881 to f7c73e3 Compare January 29, 2026 06:42

Development

Successfully merging this pull request may close these issues.

[Feature] To add Karpenter Do Not Disrupt policy for Karpenter 1.x version

2 participants