[dmt] restrict UpdateMode: Auto

pkg/linters/templates/README.md

@@ -35,12 +35,13 @@ Validates that every pod controller has a VPA targeting it, and that the VPA's c
 
 1. Every Deployment, DaemonSet, and StatefulSet has a corresponding VPA
 2. VPA `targetRef` correctly references the controller (kind, name, namespace)
-3. VPA has `resourcePolicy.containerPolicies` for all containers (except when `updateMode: "Off"`)
-4. Each container policy specifies:
+3. VPA `updateMode` cannot be "Auto"
+4. VPA has `resourcePolicy.containerPolicies` for all containers (except when `updateMode: "Off"`)
+5. Each container policy specifies:
    - `minAllowed.cpu` and `minAllowed.memory`
    - `maxAllowed.cpu` and `maxAllowed.memory`
-5. Min values are less than max values
-6. Container names in VPA match container names in the controller
+6. Min values are less than max values
+7. Container names in VPA match container names in the controller
 
 **Why it matters:**
 
@@ -109,7 +110,7 @@ spec:
     kind: Deployment
     name: my-app
   updatePolicy:
-    updateMode: Auto
+    updateMode: Recreate
   resourcePolicy:
     containerPolicies:
       - containerName: app  # ❌ Missing sidecar container
@@ -141,7 +142,7 @@ spec:
     kind: Deployment
     name: my-app
   updatePolicy:
-    updateMode: Auto
+    updateMode: Recreate
   resourcePolicy:
     containerPolicies:
       - containerName: app
@@ -158,6 +159,37 @@ spec:
 Error: MinAllowed.cpu for container app should be less than maxAllowed.cpu
 ```
 
+❌ **Incorrect** - VPA with updateMode Auto:
+
+```yaml
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: my-app
+  namespace: d8-my-module
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: my-app
+  updatePolicy:
+    updateMode: Auto  # ❌ updateMode cannot be "Auto"
+  resourcePolicy:
+    containerPolicies:
+      - containerName: app
+        minAllowed:
+          cpu: 10m
+          memory: 50Mi
+        maxAllowed:
+          cpu: 100m
+          memory: 200Mi
+```
+
+**Error:**
+```
+Error: VPA updateMode cannot be 'Auto'
+```
+
 ✅ **Correct** - Deployment with proper VPA:
 
 ```yaml
@@ -197,7 +229,7 @@ spec:
     kind: Deployment
     name: my-app
   updatePolicy:
-    updateMode: Auto
+    updateMode: Recreate
   resourcePolicy:
     containerPolicies:
       - containerName: app
@@ -238,7 +270,7 @@ spec:
     kind: Deployment
     name: web-app
   updatePolicy:
-    updateMode: Auto
+    updateMode: Recreate
   resourcePolicy:
     containerPolicies:
       - containerName: nginx
@@ -1685,7 +1717,7 @@ Error: No VPA is found for object
        kind: Deployment
        name: my-app
      updatePolicy:
-       updateMode: Auto
+       updateMode: Recreate
      resourcePolicy:
        containerPolicies:
          - containerName: "*"

pkg/linters/templates/rules/vpa.go

@@ -145,6 +145,10 @@ func parseVPAResourcePolicyContainers(vpaObject storage.StoreObject, errorList *
 	}
 
 	updateMode := *v.Spec.UpdatePolicy.UpdateMode
+	if updateMode == UpdateModeAuto {
+		errorListObj.Errorf("VPA updateMode cannot be 'Auto'")
+		return updateMode, containers, false
+	}
 	if updateMode == UpdateModeOff {
 		return updateMode, containers, true
 	}