Uploaded image for project: 'OpenShift Service Mesh'
  1. OpenShift Service Mesh
  2. OSSM-9392

Service Mesh 3 creates a podDisruptionBudget object that prevents nodes from upgrading

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • OSSM 3.1.1
    • OSSM 3.0.0
    • Istio, Sail Operator
    • None

      Service Mesh 3 introduces a podDisruptionBudget for the istiod pods, and this prevents the node where istiod is running from restarting during an upgrade.

      This would make sense if there were several istiod pods, however the default configuration only deploys one istiod pod, and the podDisruptionBudget has a minAvailable value of 1.

      To bypass this problem, the Istiod object configuraion can be modified to have

      .spec.values.global.defaultPodDisruptionBudget.enabled set to false.  But that is a workaround instead of a solution.

       

      The default configuration should not create the podDisruptionBudget object the number of istiod pod replicas is just 1, or the default configuration should disable defaultPodDisruptionBudget.

       

      ❯ oc -n istio-system get -o yaml Istio default
apiVersion: sailoperator.io/v1
kind: Istio
metadata:
  creationTimestamp: "2025-03-18T09:42:18Z"
  generation: 2
  name: default
  resourceVersion: "946021"
  uid: 3a0cf78c-9e37-4716-8e8f-44e189ec7a1c
spec:
  namespace: istio-system
  updateStrategy:
    inactiveRevisionDeletionGracePeriodSeconds: 30
    type: InPlace
  values:
    meshConfig:
      accessLogFile: /dev/stdout
  version: v1.24.3
status:
  activeRevisionName: default
  conditions:
  - lastTransitionTime: "2025-03-18T09:42:23Z"
    status: "True"
    type: Reconciled
  - lastTransitionTime: "2025-03-18T09:42:28Z"
    status: "True"
    type: Ready
  observedGeneration: 2
  revisions:
    inUse: 1
    ready: 1
    total: 1
  state: Healthy

❯ oc -n istio-system get pods
NAME                      READY   STATUS    RESTARTS   AGE
istiod-785fb556fd-rx98c   1/1     Running   0          90m

❯ oc -n istio-system get -o yaml pdb istiod
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  annotations:
    meta.helm.sh/release-name: default-istiod
    meta.helm.sh/release-namespace: istio-system
  creationTimestamp: "2025-03-18T09:58:03Z"
  generation: 1
  labels:
    app: istiod
    app.kubernetes.io/instance: default-istiod
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: istiod
    app.kubernetes.io/part-of: istio
    app.kubernetes.io/version: 1.24.3
    helm.sh/chart: istiod-1.24.3
    install.operator.istio.io/owning-resource: unknown
    istio: pilot
    istio.io/rev: default
    operator.istio.io/component: Pilot
    release: default-istiod
  name: istiod
  namespace: istio-system
  ownerReferences:
  - apiVersion: sailoperator.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: IstioRevision
    name: default
    uid: 818d9f5f-69a8-48af-b086-ddf12a217061
  resourceVersion: "946043"
  uid: f38429fe-62f9-47c5-97f3-ff733b3f51d3
spec:
  minAvailable: 1
  selector:
    matchLabels:
      app: istiod
      istio: pilot
status:
  conditions:
  - lastTransitionTime: "2025-03-18T09:58:03Z"
    message: ""
    observedGeneration: 1
    reason: InsufficientPods
    status: "False"
    type: DisruptionAllowed
  currentHealthy: 1
  desiredHealthy: 1
  disruptionsAllowed: 0
  expectedPods: 1
  observedGeneration: 1

       

      The PDB template used by the operator is https://github.com/istio-ecosystem/sail-operator/blob/main/resources/v1.24.3/charts/istiod/templates/poddisruptionbudget.yaml#L19

       

      Upstream issue: https://github.com/istio/istio/issues/12602

              fbrychta@redhat.com Filip Brychta
              rhn-support-asolanas Alexis Solanas
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: