[Bug] Scale deployment to zero policy not working as expected

Kyverno Version

1.12

Kubernetes Version

1.29

Kubernetes Platform

AKS

Description

I have tried to implement this policy: https://kyverno.io/policies/other/scale-deployment-zero/scale-deployment-zero/

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: scale-deployment-zero
  annotations:
    policies.kyverno.io/title: Scale Deployment to Zero
spec:
  rules:
  - name: annotate-deployment-rule
    match:
      any:
      - resources:
          kinds:
          - v1/Pod.status
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: UPDATE
      - key: "{{ sum(request.object.status.containerStatuses[*].restartCount || [`0`]) }}"
        operator: GreaterThan
        value: 1
    context:
    - name: rsname
      variable:
        jmesPath: "request.object.metadata.ownerReferences[0].name"
        default: ''
    - name: deploymentname
      apiCall:
        urlPath: "/apis/apps/v1/namespaces/{{request.namespace}}/replicasets"
        jmesPath: "items[?metadata.name=='{{rsname}}'].metadata.ownerReferences[0].name | [0]"
    mutate:
      targets:
        - apiVersion: apps/v1
          kind: Deployment
          name: "{{deploymentname}}"
          namespace: "{{request.namespace}}"
      patchStrategicMerge:
        metadata:
          annotations:
            sre.corp.org/troubleshooting-needed: "true"
        spec:
          replicas: 0

It seems to work just fine when the restarting pod has 1 container. However, if the restarting pod has more than 1 container, it fails.

Steps to reproduce

  1. Implement the policy.
  2. Ensure that a pod has more than 1 container, and that it is restarting.

Expected behavior

The policy should scale down the deployments with restarting pods to 0, also when the pod has more than 1 container.

Kyverno logs

ERR github.com/kyverno/kyverno/pkg/background/mutate/mutate.go:180 > error="failed to mutate existing resource, rule annotate-deployment-rule, response error: failed to evaluate preconditions: failed to substitute variables in condition key: failed to resolve sum(request.object.status.containerStatuses[*].restartCount || [0]) at path : JMESPath query failed: JMESPath function 'sum': invalid operand"

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
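
A minimal Deployment for step 2 of the reproduction, added here as an example and not taken from the original report. The resource name, namespace, labels and image are constructed placeholders. One container crashes repeatedly while the second stays up, so the Pod's `status.containerStatuses` has two entries when the policy's precondition is evaluated.

```yaml
# Constructed reproduction manifest (not from the original report).
# Names, namespace, labels and image are placeholders chosen for this example.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: restart-repro
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: restart-repro
  template:
    metadata:
      labels:
        app: restart-repro
    spec:
      # restartPolicy defaults to Always for Deployments, so the kubelet
      # restarts the failing container and its restartCount keeps growing.
      containers:
      # Container 1: exits non-zero a few seconds after start.
      - name: crasher
        image: busybox:1.36
        command: ["sh", "-c", "sleep 5; exit 1"]
      # Container 2: stays healthy, restartCount remains 0.
      # Its presence makes containerStatuses a two-element array.
      - name: sidecar
        image: busybox:1.36
        command: ["sh", "-c", "sleep 3600"]
```

Removing the `sidecar` container gives the single-container case for comparison.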